
Security Bulletin: IBM Rational Build Forge is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228).



Summary

IBM Rational Build Forge is vulnerable to CVE-2021-44228 because jas.war, which is built on Java 1.8, bundles the Apache Log4j 2.6.1 jar files. The fix replaces them with Apache Log4j 2.17.1.

Vulnerability Details

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, because its JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string that gets logged, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)          Version(s)
IBM Rational Build Forge     8.0.0.5 to 8.0.0.20

 


Remediation/Fixes

Address the vulnerability by upgrading to IBM Rational Build Forge 8.0.0.21, which includes the Apache Log4j 2.17.1 jars:

http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+Build+Forge&fixids=RationalBuildForge-8.0.0.21&source=SAR



Workarounds and Mitigations

For those who would like to defer upgrading to IBM Rational Build Forge 8.0.0.21, IBM strongly recommends addressing the vulnerability now by following the steps listed in this section.

 

Important note:

These are high-level steps; adjust the paths to your OS platform and application server (Tomcat or WebSphere). The essential part is to remove the JndiLookup.class file from the log4j-core-2.6.1.jar file, which is nested inside jas.war. Removing the class disables JNDI lookups in Log4j entirely; any ${jndi:...} lookup referenced from a Log4j configuration will then fail to resolve, which is the intended effect of the mitigation.

It is recommended to try these steps in a test/staging environment and gain confidence before applying them to production.

 

IBM Rational Build Forge versions 8.0.0.5 to 8.0.0.20 include the log4j-api-2.6.1.jar and log4j-core-2.6.1.jar files. The JNDI lookup lives in log4j-core, so that is the jar to modify.

For Log4j 2 releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup.class from the classpath; the configuration-based mitigations available in later 2.x releases (such as the log4j2.formatMsgNoLookups system property added in 2.10) do not exist in 2.6.1.

 

Steps to remediate: (For Tomcat users)

  1. Stop Build Forge services.
  2. Take a verified backup of the database and the <BF_INSTALL> folder.
  3. Locate the jas.war file in the Build Forge installation area (<BF_INSTALL>/server/apache/tomcat/webapps/ or equivalent).
  4. In the same path Tomcat has exploded the war into a ‘jas’ folder; move it to a temporary folder (c:\temp or /tmp) as a backup.
  5. Move the ‘work’ folder that Tomcat created when the services were started (<BF_INSTALL>/server/apache/tomcat/work) to the temporary folder as a backup.
  6. Steps 4 and 5 ensure that no previously exploded or cached copy of the old jar remains; otherwise Tomcat can keep serving the unpatched JndiLookup.class from the exploded folder instead of redeploying the modified jas.war.
  7. Back up the original jas.war: copy <BF_INSTALL>/server/apache/tomcat/webapps/jas.war (or equivalent) to c:\temp\original_jas.war.
  8. Remove JndiLookup.class using any archive tool (7-Zip or equivalent), editing within the archive at every level rather than extracting and repacking:

                Open jas.war in the archive tool.

                Locate WEB-INF/eclipse/plugins/com.ibm.jas-1.0.jar and open it within the archive for editing.

                Locate java/lib/log4j-core-2.6.1.jar and open it within the archive for editing.

                Locate the path org/apache/logging/log4j/core/lookup and delete the class file JndiLookup.class.

                Save each archive level on the way back out, so that the modified log4j-core-2.6.1.jar is written into com.ibm.jas-1.0.jar and that jar in turn into jas.war.

                Reopen the nested jars and confirm that org/apache/logging/log4j/core/lookup no longer contains JndiLookup.class.

  9. Restart Build Forge services.

 

Steps to revert to original state: (Tomcat users)

  1. Stop Build Forge services.
  2. Delete the work folder (<BF_INSTALL>/server/apache/tomcat/work or equivalent).
  3. Delete the jas folder (<BF_INSTALL>/server/apache/tomcat/webapps/jas or equivalent).
  4. Copy the backed-up original jas.war (c:\temp\original_jas.war) back to <BF_INSTALL>/server/apache/tomcat/webapps/jas.war.
  5. Start the Build Forge services.

 

For WebSphere users, steps to remediate:

  • Stop Build Forge services.
  • Take a verified backup of the database and the Build Forge installation folder.
  • Back up the entire WebSphere profile folder (AppSrv01 or similar), usually under <WAS-HOME>/profile.
  • In the Build Forge home, back up the jas.war found under BF_HOME/PrepForExternal.
  • Modify jas.war with an archive tool to remove JndiLookup.class, following the same nested path as for Tomcat (WEB-INF/eclipse/plugins/com.ibm.jas-1.0.jar, then java/lib/log4j-core-2.6.1.jar, then org/apache/logging/log4j/core/lookup/JndiLookup.class).
  • Remove any work or temp folders that refer to jas.war or jas_war, so that no stale copy of JndiLookup.class from the previous deployment remains on the server.
  • Redeploy jas.war (in WAS, uninstall the application and install the modified jas.war).
  • Start Build Forge services.

 

For WebSphere users, steps to revert to original state:

  • Stop Build Forge services.
  • Delete the work folder and the jas folders.
  • Copy the original jas.war back from the backup taken under BF_HOME/PrepForExternal.
  • Redeploy the original jas.war (in WAS, uninstall the application and install jas.war).
  • Start the Build Forge services.
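The archive surgery in Tomcat step 8 and in the WebSphere "Modify jas.war" step, together with the check that no stale copy survives, as an added example that is not part of IBM's bulletin or of the Build Forge product: a Python 3 script using only the standard library, so it runs unchanged on any of the listed platforms. It descends the nested path the bulletin gives (jas.war, then WEB-INF/eclipse/plugins/com.ibm.jas-1.0.jar, then java/lib/log4j-core-2.6.1.jar), drops JndiLookup.class, rewrites each enclosing archive, and then scans every nested archive for remaining copies regardless of path. The function names and the sample WAR it builds are this example's own; the sample's class files are placeholder bytes standing in for jas.war, not real Log4j or Build Forge content.

```python
import io
import os
import shutil
import tempfile
import zipfile

# The class that implements Log4j's JNDI lookup; removing it is the whole mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Nesting inside jas.war as the bulletin describes it: war -> plugin jar -> log4j-core jar.
NESTED_CHAIN = ("WEB-INF/eclipse/plugins/com.ibm.jas-1.0.jar", "java/lib/log4j-core-2.6.1.jar")


def _rewrite_zip(data: bytes, chain: tuple, victim: str) -> tuple:
    """(new_bytes, removed_count): descend one chain element per level, drop `victim`
    at the innermost level, copy every other entry with name/time/compression kept."""
    removed, out = 0, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = src.read(info)
            if chain and info.filename == chain[0]:
                payload, n = _rewrite_zip(payload, chain[1:], victim)
                removed += n
            elif not chain and info.filename == victim:
                removed += 1
                continue  # drop the entry instead of copying it
            copy = zipfile.ZipInfo(info.filename, info.date_time)  # fresh header, same metadata
            copy.compress_type, copy.external_attr = info.compress_type, info.external_attr
            dst.writestr(copy, payload)
    return out.getvalue(), removed


def remove_jndilookup(war_path: str) -> int:
    """Rewrite war_path with JndiLookup.class removed along NESTED_CHAIN. Written to a
    temp file and renamed so a crash cannot leave a half-written WAR. Returns copies removed."""
    with open(war_path, "rb") as f:
        new_data, removed = _rewrite_zip(f.read(), NESTED_CHAIN, JNDI_CLASS)
    tmp_path = war_path + ".patched"
    with open(tmp_path, "wb") as f:
        f.write(new_data)
    os.replace(tmp_path, war_path)
    return removed


def find_jndilookup(data: bytes, prefix: str = "") -> list:
    """Every location of JndiLookup.class as outer!inner!path, recursing into any
    .jar/.war/.ear/.zip entry. Ignores NESTED_CHAIN on purpose, so it also finds
    copies at paths the bulletin does not mention."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(prefix + name)
            elif name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                inner = zf.read(name)
                if inner.startswith(b"PK"):  # skip empty or non-zip placeholder entries
                    hits.extend(find_jndilookup(inner, prefix + name + "!"))
    return hits


def nested_names(data: bytes, chain: tuple) -> list:
    """Entry names of the archive reached by descending `chain`, to confirm the rewrite
    kept everything except the removed class."""
    for entry in chain:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(entry)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def build_sample_war(path: str) -> None:
    """Constructed stand-in for jas.war with the bulletin's nesting; the class payloads
    are placeholder bytes, not real Log4j or Build Forge code."""
    def zip_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in entries.items():
                zf.writestr(name, payload)
        return buf.getvalue()
    core = zip_bytes({JNDI_CLASS: b"\xca\xfe\xba\xbe JndiLookup placeholder",
                      "org/apache/logging/log4j/core/lookup/DateLookup.class": b"\xca\xfe\xba\xbe keep"})
    api = zip_bytes({"org/apache/logging/log4j/Logger.class": b"\xca\xfe\xba\xbe keep"})
    plugin = zip_bytes({NESTED_CHAIN[1]: core, "java/lib/log4j-api-2.6.1.jar": api})
    with open(path, "wb") as f:
        f.write(zip_bytes({"WEB-INF/web.xml": b"<web-app/>", NESTED_CHAIN[0]: plugin}))


def demo() -> dict:
    """Build the sample, scan, mitigate, rescan; returns the evidence a change record
    would want: hits before, copies removed, hits after, entries kept, archive intact."""
    workdir = tempfile.mkdtemp(prefix="bf-log4j-")
    try:
        war = os.path.join(workdir, "jas.war")
        build_sample_war(war)
        with open(war, "rb") as f:
            before = find_jndilookup(f.read())
        removed = remove_jndilookup(war)
        with open(war, "rb") as f:
            after = f.read()
        return {"before": before, "removed": removed, "after": find_jndilookup(after),
                "kept": nested_names(after, NESTED_CHAIN),
                "intact": zipfile.ZipFile(io.BytesIO(after)).testzip() is None}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Against a real installation, call remove_jndilookup on the backed-up copy of jas.war (for example <BF_INSTALL>/server/apache/tomcat/webapps/jas.war, or the one under BF_HOME/PrepForExternal for WebSphere) only after the backup and cache-clearing steps above, since it rewrites the file in place; then run find_jndilookup over the result and expect an empty list before redeploying. Because the scan does not depend on the documented path, it is also a cheap check to run over the exploded jas folder's jars and any other WARs on the server.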


References


Change History

20 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide


Document Information

Modified date:
14 January 2022

UID

ibm16541008