IBM Support

IBM Engineering Lifecycle Management adopts log4j v2 in all applications (removing log4jv1)

News


Abstract

The log4j version 1 vulnerabilities (CVE-2021-4104 and the related CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, etc.) in IBM Engineering Lifecycle Management (ELM) are being mitigated in ELM version 7.0.2 Service Release 1 (SR1) and 7.0.1 Service Release 1 (SR1).

Log4j version 1 is being replaced with log4j version 2.17 or later in ELM. Log4j version 1 libraries are not shipped with SR1.

Content

Engineering Lifecycle Management Servers and clients
The following applies to customers who use Engineering Workflow Management, Engineering Test Management, DOORS Next, and related applications:
  • Customers on ELM versions before 7.0.2 are encouraged to upgrade to ELM 7.0.2 SR1 iFix 15 or later.
  • Customers currently on ELM version 7.0.2 must perform a side-by-side installation of ELM 7.0.2 SR1 iFix15.
  • Customers currently on ELM version 7.0.1 can choose a way to remediate their systems.
ELM Server Installation
The installation process for Engineering Lifecycle Management 7.0.2 SR1 (iFix015) and 7.0.1 SR1 (iFix018) differs from the regular interim fix process. Installation is performed by using IBM Installation Manager, and existing configuration files are copied to the new Engineering Lifecycle Management installation.
  • Note: The side-by-side installation does not require any database updates or reindexing.
Future interim fixes for Engineering Lifecycle Management 7.0.2 SR1 (iFix015) and 7.0.1 SR1 (iFix018) are to be installed the way interim fixes are traditionally deployed. Future interim fixes are only compatible with Engineering Lifecycle Management 7.0.2 SR1 (iFix015). They are not compatible with earlier versions of ELM. You must move to the SR1 release to use future interim fixes.
Important:  ELM with Log4jv2 uses log4j2.xml instead of log4j.properties. Customized log settings must be reapplied by using XML formatting. 
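The following added example (not IBM's code and not part of the original page) shows one way to carry customized logger levels from a log4j v1 log4j.properties file into the <Loggers> section of a log4j2.xml. The sample logger and appender names are constructed, only simple key=value logger lines are handled, and appender definitions are skipped because they have to be recreated by hand.

```python
from xml.sax.saxutils import quoteattr

SAMPLE_V1 = """\
# Constructed sample: logger and appender names are made up.
log4j.rootLogger=WARN, stdout, file
log4j.logger.com.example.repository=DEBUG
log4j.logger.com.example.auth=INFO, audit
log4j.additivity.com.example.auth=false
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
"""

def _blank():
    return {"level": None, "refs": [], "additivity": None}

def parse_v1_loggers(text):
    """Return (root, loggers) read from simple key=value lines of a v1 properties file."""
    root, loggers = _blank(), {}
    for raw in text.splitlines():
        key, sep, value = (s.strip() for s in raw.partition("="))
        if not sep or key[:1] in ("#", "!"):  # blank line, comment, or no '='
            continue
        if key.startswith("log4j.additivity."):
            name = key[len("log4j.additivity."):]
            loggers.setdefault(name, _blank())["additivity"] = value.lower()
            continue
        if key == "log4j.rootLogger":
            target = root
        elif key.startswith("log4j.logger."):
            target = loggers.setdefault(key[len("log4j.logger."):], _blank())
        else:
            continue  # appender and layout definitions are not converted
        fields = [f.strip() for f in value.split(",")]  # level first, then appender names
        target.update(level=fields[0] or None, refs=[f for f in fields[1:] if f])
    return root, loggers

def _element(tag, attrs, refs):
    head = f"  <{tag}" + "".join(f" {k}={quoteattr(v)}" for k, v in attrs if v)
    body = [f"    <AppenderRef ref={quoteattr(r)}/>" for r in refs]
    return [head + ">", *body, f"  </{tag}>"] if body else [head + "/>"]

def to_log4j2_loggers(text):
    root, loggers = parse_v1_loggers(text)
    out = ["<Loggers>"]
    for name, cfg in sorted(loggers.items()):
        attrs = [("name", name), ("level", cfg["level"]), ("additivity", cfg["additivity"])]
        out += _element("Logger", attrs, cfg["refs"])
    if root["level"] or root["refs"]:
        out += _element("Root", [("level", root["level"])], root["refs"])
    return "\n".join(out + ["</Loggers>"])
```

The AppenderRef names in the output must match appenders defined in the log4j2.xml of the new installation, so rename them there before merging the generated section.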
ELM installation instructions:  
Note: The latest interim fix levels of some ELM client applications need to be applied. The packages are full application installations:
  • Client for Eclipse 4.6.x IDE
  • Build System Toolkit
  • Plain Java Libraries
  • p2 Install Repository
  • SCM Tools
  • EWM Git Integration Toolkit
Download location for the client installations is on jazz.net.
Other ELM products
Customers that use the following products are encouraged to install the latest patch release. They are the full product installations:
Where to get the fixes


Document Information

Modified date:
11 October 2022

UID

ibm16594827