Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

Revision summaries: m (Formatting); (Added CMOD log4j upgrade instructions.)
Download the latest version here:  [https://logging.apache.org/log4j/2.x/download.html Apache Log4j]


'''UPDATE:''' IBM has responded to a customer ticket, stating that CMOD / ODWEK do not use the JNDI feature of log4j and *should* not be vulnerable, but still advises customers to upgrade. See below for upgrade instructions. Note that the log4j JNDI lookup is triggered by the content of logged messages rather than by application code calling JNDI, so "not using JNDI" in the application is not on its own a guarantee; upgrading remains the safe course.


== Announcements ==


== Upgrading to log4j v2.15.x ==
IBM has begun replying to customer tickets with this information:

  CMOD Lab is aware of the log4j vulnerability. See the below from development.
 
  "Neither the ODWEK nor the REST APIs use the JNDI feature of LOG4J, which is at the core of the security vulnerability recently discovered. However, to be safe, it is recommended you upgrade to Log4j 2.15.0."
 
  Follow the instructions below to upgrade the OnDemand REST services or ODWEK based applications that are leveraging log4j.
 
  Go to https://downloads.apache.org/logging/log4j/2.15.0/ and select the file for your OS to download.
 
  E.g., apache-log4j-2.15.0-bin.zip for Windows, apache-log4j-2.15.0-tar.gz for Unix.
 
  Once you extract the downloaded file, you should have a folder with several files, including log4j-api-2.15.0.jar and log4j-core-2.15.0.jar. These are the only two files used by the OnDemand Web Enablement Kit and the REST APIs.
 
  Use them to replace the following:
 
  <OnDemand Install Directory>/jars/log4j-api-2.13.0.jar
  <OnDemand Install Directory>/jars/log4j-core-2.13.0.jar
 
  You will need to stop any applications that use these files prior to replacing them. Delete the original 2.13.0 files. Place the log4j-api-2.15.0.jar and log4j-core-2.15.0.jar files into the directory that contained the deleted files. You will then need to update the classpath within your application server to reference the new version of these files. This is true for both ODWEK applications that use LOG4J and the OnDemand REST services. Once the classpath has been updated you can restart your applications"

If you prefer not to follow IBM's in-place replacement exactly, download the latest version of [https://logging.apache.org/log4j/2.x/download.html Apache Log4j] and choose one of the following:
* Replace the existing log4j*.jar files in your CMOD jars directory (the defaults are /opt/IBM/ondemand/V10.x/jars or /opt/ibm/ondemand/V10.x/jars), as IBM describes above.
* Install the new library to a location of your choice, and add that location at the front of your CLASSPATH environment variable, so that it is found first in the search path. Any older log4j-core jar that stays on the classpath behind it is still loadable by other code, so remove the old copies rather than relying on search order alone.
* If your network security and system architecture provide reasonable protection from exploitation of this bug, you can opt to do nothing, and wait for the next [https://cmod.wiki/index.php?title=Main_Page#IBM_CMOD_Fixpacks_.26_Security_Bulletins CMOD Fixpack].
Whichever option you choose, it is critical that you test the new solution before moving it into production.
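The following script is an added example, not IBM's or this wiki's own tooling. It performs the steps in IBM's reply as shell functions: it swaps the log4j-api/log4j-core jars in a jars directory for the new version, rewrites a CLASSPATH string to match, and, going one step beyond the reply, searches a whole install tree for any other log4j-api/core copies (for example a copy bundled in an application's WEB-INF/lib) so that none is left behind. It assumes the <OnDemand Install Directory>/jars layout from the page and that the Apache archive has already been extracted; NEW_VER, the function names and the sandbox directory are the example's own choices, and the placeholder files it creates are constructed stand-ins for real jars.

```shell
#!/bin/sh
# Added example (not IBM's or the wiki's script). Functions for the log4j
# jar swap described in IBM's reply. Assumptions: jars live in
# <install>/jars/log4j-{api,core}-<ver>.jar and the Apache distribution has
# been extracted into the directory passed as the second argument.

NEW_VER="${NEW_VER:-2.15.0}"   # assumed target; IBM's reply names 2.15.0

# Version component of a log4j jar name: log4j-core-2.13.0.jar -> 2.13.0
log4j_jar_version() {
    basename "$1" .jar | sed 's/^log4j-[a-z]*-//'
}

# Every log4j-api/log4j-core jar under a root, so copies bundled inside an
# application server (WEB-INF/lib etc.) are not missed by a jars/-only swap.
find_log4j_jars() {
    find "$1" \( -name 'log4j-api-*.jar' -o -name 'log4j-core-*.jar' \) -type f | sort
}

# Number of api/core jars under a root whose version is not NEW_VER.
count_stale_log4j_jars() {
    find_log4j_jars "$1" | while IFS= read -r f; do
        [ "$(log4j_jar_version "$f")" = "$NEW_VER" ] || echo "$f"
    done | wc -l | tr -d ' '
}

# Replace the api/core jars in $1 (the jars directory) with the NEW_VER copies
# from $2 (the extracted Apache distribution). Refuses to run unless both new
# jars are present, and deletes the old files as IBM's instructions say.
upgrade_log4j_jars() {
    jars="$1"; newdir="$2"
    for comp in api core; do
        [ -f "$newdir/log4j-$comp-$NEW_VER.jar" ] || {
            echo "missing $newdir/log4j-$comp-$NEW_VER.jar" >&2; return 1; }
    done
    for old in "$jars"/log4j-api-*.jar "$jars"/log4j-core-*.jar; do
        [ -e "$old" ] || continue                                  # glob matched nothing
        [ "$(log4j_jar_version "$old")" = "$NEW_VER" ] && continue # already upgraded
        rm -f "$old"
    done
    cp "$newdir/log4j-api-$NEW_VER.jar" "$newdir/log4j-core-$NEW_VER.jar" "$jars"/
}

# Rewrite a CLASSPATH string so every log4j-api/core entry points at NEW_VER.
rewrite_classpath() {
    printf '%s\n' "$1" | sed \
        -e "s/log4j-api-[0-9][0-9.]*\.jar/log4j-api-$NEW_VER.jar/g" \
        -e "s/log4j-core-[0-9][0-9.]*\.jar/log4j-core-$NEW_VER.jar/g"
}

# Constructed sandbox: empty placeholder files stand in for real jars so the
# functions can be exercised without touching a live install. Prints its root.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/ondemand/jars" "$root/apache-log4j-$NEW_VER-bin" \
             "$root/webapp/WEB-INF/lib"
    : > "$root/ondemand/jars/log4j-api-2.13.0.jar"
    : > "$root/ondemand/jars/log4j-core-2.13.0.jar"
    : > "$root/webapp/WEB-INF/lib/log4j-core-2.13.0.jar"   # stray bundled copy
    : > "$root/apache-log4j-$NEW_VER-bin/log4j-api-$NEW_VER.jar"
    : > "$root/apache-log4j-$NEW_VER-bin/log4j-core-$NEW_VER.jar"
    echo "$root"
}

# Run with "demo" to see the swap against the sandbox:  sh upgrade-log4j.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(make_sandbox)
    echo "stale jars before: $(count_stale_log4j_jars "$root")"
    upgrade_log4j_jars "$root/ondemand/jars" "$root/apache-log4j-$NEW_VER-bin"
    echo "stale jars after:  $(count_stale_log4j_jars "$root")  (the WEB-INF copy)"
    find_log4j_jars "$root"
    rewrite_classpath "/opt/IBM/ondemand/V10.5/jars/log4j-api-2.13.0.jar:/opt/IBM/ondemand/V10.5/jars/log4j-core-2.13.0.jar"
    rm -rf "$root"
fi
```

Against a real install, stop the applications first, run upgrade_log4j_jars on the jars directory, apply the rewritten classpath in the application server, and then use count_stale_log4j_jars on the whole install tree (and on any deployed ODWEK web applications) before restarting: the demo leaves one stale jar behind on purpose to show that a jars/-only replacement does not catch bundled copies.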


== Questions for IBM ==