Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

Apache Log4j & CMOD ODWEK ICN (view source)

Revision as of 07:57, 11 December 2021

908 bytes added , 07:57, 11 December 2021

m

→‎Impact

Jderrick

Bureaucrats, Administrators

1,126

edits

@@ Line 41: / Line 41: @@
 * An organization with CMOD on their internal network using Windows 'Thick' Clients:  ''Very Low''
 * CMOD and IBM Content Navigator  or Line-of-Business apps that reply on ODWEK: ''Low''
-* CMOD with ICN or Line-of-Business apps exposed to the public internet with proper firewalls & access controls: ''Medium''
+* CMOD with ICN or Line-of-Business apps exposed to the public internet with proper firewalls & access controls: ''Low to Medium''
 * CMOD with ICN or Line-of-Business apps exposed to the public internet with unrestricted access to the CMOD server: ''High''
+== Questions for IBM ==
+Here are a few questions we've sent to IBM:
+*Is log4j used for any purpose on a standalone CMOD server, or is it used exclusively for ODWEK?
+*For ODWEK, in which situations/configurations would log4j be accessible to an API consumer?
+*ICN v3 ships with Log4j 1.2.15, and is not included in this CVE due to being EOL'd earlier this year, so it's unknown if this version is affected.  Is it possible top upgrade log4j to the patched version?
+*For ICN, in which situations/configurations would log4j be accessible to an API consumer?
+*Are their architectural mitigations that can be put in place?  (Blocking firewall ports, specific URLs, changing the location of libraries, etc.)
+*Will IBM provide an interim fix for this issue, or advise clients to patch log4j on their own?
+If you have questions you'd like to see answered, find us on Twitter:  https://Twitter.com/CMODwiki