News
Abstract
The log4j version 1 vulnerabilities (CVE-2021-4104 and the related CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, etc.) in IBM Engineering Lifecycle Management (ELM) are being mitigated in ELM version 7.0.2 Service Release 1 (SR1) and 7.0.1 Service Release 1 (SR1).
Log4j version 1 is being replaced with log4j version 2.17 or later in ELM. Log4j version 1 libraries are not shipped with SR1.
Content
Engineering Lifecycle Management Servers and clients
The following applies to customers who use Engineering Workflow Management, Engineering Test Management, DOORS Next, and related applications:
- Customers on ELM versions before 7.0.2 are encouraged to upgrade to ELM 7.0.2 SR1 iFix 15 or later.
  - Upgrade instructions are in the interactive upgrade guide.
- Customers currently on ELM version 7.0.2 must perform a side-by-side installation of ELM 7.0.2 SR1 iFix15.
- Customers currently on ELM version 7.0.1 can choose a way to remediate their systems:
  - Perform an upgrade to 7.0.2 SR1 (iFix015)
    - Upgrade instructions are in the interactive upgrade guide.
  - Perform a side-by-side migration to 7.0.1 SR1 (iFix018)
ELM Server Installation
The installation process for Engineering Lifecycle Management 7.0.2 SR1 (iFix015) and 7.0.1 SR1 (iFix018) is different from the regular interim fix process. Installation is performed by using IBM Installation Manager, and existing configuration files are copied to the new Engineering Lifecycle Management installation.
- Note: The side-by-side installation does not require any database updates or reindexing.
Future interim fixes for Engineering Lifecycle Management 7.0.2 SR1 (iFix015) and 7.0.1 SR1 (iFix018) are to be installed the way interim fixes are traditionally deployed. Future interim fixes are only compatible with Engineering Lifecycle Management 7.0.2 SR1 (iFix015). They are not compatible with earlier versions of ELM. You must move to the SR1 release to use future interim fixes.
Important: ELM with Log4jv2 uses log4j2.xml instead of log4j.properties. Customized log settings must be reapplied by using XML formatting.
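The following Python example is added here for illustration and is not IBM tooling or part of this bulletin. It shows how customized logger levels from a log4j 1.x log4j.properties file map to the `<Loggers>` section of a log4j2.xml file. The logger and appender names in the sample input are constructed placeholders; appender and layout lines, and loggers without an explicit standard level, are returned for manual translation.

```python
import re
from xml.sax.saxutils import quoteattr

# Constructed sample input; logger and appender names are hypothetical.
SAMPLE_PROPERTIES = """\
# customized levels from the previous installation
log4j.rootLogger=WARN, stdout, file
log4j.logger.com.example.repository=DEBUG
log4j.logger.com.example.auth = info, audit
log4j.additivity.com.example.auth=false
log4j.logger.com.example.noisy=INHERITED
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
"""

LEVELS = {"ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"}
KEY = re.compile(r"^log4j\.(rootLogger$|logger\.|additivity\.)(.*)$")

def parse_loggers(text):
    """Return (loggers, manual); loggers maps a name ('' = root) to its settings."""
    loggers, additivity, manual = {}, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = KEY.match(key)
        level, *refs = (v.strip() for v in value.split(","))
        if not match:
            manual.append(key)  # appender and layout lines: translate by hand
        elif match[1] == "additivity.":
            additivity[match[2]] = value.lower() != "false"
        elif level.upper() in LEVELS:
            loggers[match[2]] = {"level": level.upper(), "refs": [r for r in refs if r]}
        else:
            manual.append(key)  # INHERITED, NULL or a custom level class
    for name, cfg in loggers.items():
        cfg["additive"] = additivity.get(name, True)
    return loggers, manual

def to_log4j2_loggers(loggers):
    """Render the <Loggers> section of a log4j2.xml, with Root written last."""
    out = ["<Loggers>"]
    for name, cfg in sorted(loggers.items(), key=lambda kv: (kv[0] == "", kv[0])):
        tag, attrs = ("Logger", f" name={quoteattr(name)}") if name else ("Root", "")
        attrs += f" level={quoteattr(cfg['level'])}"
        if name and not cfg["additive"]:
            attrs += ' additivity="false"'
        refs = [f"    <AppenderRef ref={quoteattr(r)}/>" for r in cfg["refs"]]
        out += [f"  <{tag}{attrs}>", *refs, f"  </{tag}>"] if refs else [f"  <{tag}{attrs}/>"]
    return "\n".join(out + ["</Loggers>"])
```

Every `AppenderRef` in the output must name an appender that is defined in the `<Appenders>` section of the new log4j2.xml.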
ELM installation instructions:
IBM recommends upgrading Liberty and Java to remediate any security issues in those applications:
- How to upgrade the embedded WebSphere Liberty profile installed with Engineering Lifecycle Management applications
- Upgrading Liberty in IBM Engineering Lifecycle Management Jazz Authorization Server
- How to update the IBM SDK for Java of Engineering Lifecycle Management products
ELM Client Installation
Note: The latest interim fix levels of some ELM client applications need to be applied. The packages are full application installations:
- Client for Eclipse 4.6.x IDE
- Build System Toolkit
- Plain Java Libraries
- p2 Install Repository
- SCM Tools
- EWM Git Integration Toolkit
The download location for the client installations is on jazz.net.
Other ELM products
Customers that use the following products are encouraged to install the latest patch release. They are the full product installations:
- Publishing 7.0.2 SR1 iFix015
- Method Composer 7.6.2 SR1
  - Upgrading all installations of Method Composer 7.6.1 and earlier to 7.6.2 SR1 is highly recommended.
- IBM Common Licensing Server 9.0
- IBM Engineering Systems Design Rhapsody 9.0.1 SR1 iFix003
- Rational DOORS 9.6.1.13
- IBM Engineering Requirements Management DOORS 9.7.2.6
- IBM Offline Documentation (Formerly KCCI)
Where to get the fixes
- Jazz.net 7.0.2 SR1 download pages' "All downloads" tab
- Jazz.net 7.0.1 SR1 download pages' "All downloads" tab
- IBM Fix Central repository
- IBM Passport Advantage
- Downloads for the entitled versions of the latest release of each ELM product
Document Information
Modified date:
11 October 2022
UID
ibm16594827