Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

Added CMOD log4j FAQs
(Added CMOD log4j upgrade instructions.)
The largest impact is to systems that have publicly-facing IBM Content Navigator (ICN) installations where the ODWEK Java API is also publicly accessible, or line-of-business (LoB) apps (like client/customer portals) that rely on Log4j to provide logging.  In most (reasonable) system architectures, ODWEK itself is not exposed to the public internet; instead, it is used as an intermediate API (typically installed in a network DMZ) between LoB applications that are internet-accessible and Content Manager OnDemand.  In the overwhelming majority of system designs, there are firewalls and other access controls on both the external and internal sides of a web server.  However, if an attacker were able to obtain an elevated level of access to a web server, they may be able to use that elevated access to attempt to exploit ODWEK.


; Which CMOD components use Apache log4j?
: The three components that use the log4j library are the ODWEK Java API, the REST API (new in CMOD v10.5) and the Full Text Search engine.
 
; How does ODWEK Java API / REST API / FTS use the log4j library?
: They are referenced through a classloader.
 
; Is a standalone CMOD server (without IBM HTTP / WebSphere / ODWEK / REST API / FTS configured) vulnerable?
: No, CMOD itself does not call or use log4j.
 
''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.''
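Because only the ODWEK Java API, the REST API and the Full Text Search engine load log4j, the practical first step on a CMOD host is an inventory: find every log4j jar under each component's install directory and record its version, so the upgrade instructions can be applied to the right files. The script below is an added example written for this page (it is not IBM code and not part of the original wiki text). The directory names `odwek/`, `fts/` and `lob/` and the sample jars it creates are constructed placeholders, not real product paths or real Apache artifacts; point `inventory_log4j()` at the actual install root instead.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Matches Log4j jar file names such as log4j-core-2.14.1.jar, log4j-api-2.17.0.jar,
# log4j-1.2-api-2.17.0.jar and the Log4j 1.x style log4j-1.2.17.jar.
# group(1) is the optional artifact suffix, group(2) the version in the file name.
LOG4J_JAR_RE = re.compile(r"^log4j(-[a-z0-9.\-]+)?-(\d[\w.\-]*)\.jar$", re.IGNORECASE)


def read_log4j_version(jar_path):
    """Return the version recorded inside the jar, falling back to the file name.

    Order of evidence: Maven pom.properties under META-INF (most reliable),
    then Implementation-Version in the manifest, then the file name.
    """
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = zf.namelist()
            for member in names:
                if (member.startswith("META-INF/maven/org.apache.logging.log4j/")
                        and member.endswith("pom.properties")):
                    for line in zf.read(member).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return line.split("=", 1)[1].strip()
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.startswith("Implementation-Version:"):
                        return line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        return None  # not a readable jar; report it with an unknown version
    m = LOG4J_JAR_RE.match(os.path.basename(jar_path))
    return m.group(2) if m else None


def inventory_log4j(root):
    """Walk `root` and return sorted (path, artifact, version) tuples for every Log4j jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = LOG4J_JAR_RE.match(name)
            if not m:
                continue
            artifact = ("log4j" + (m.group(1) or "")).lower()
            path = os.path.join(dirpath, name)
            findings.append((path, artifact, read_log4j_version(path)))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed directory tree of sample jars (placeholders, not real IBM/Apache files)."""
    base = Path(base)

    def write_jar(rel, members):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as zf:
            for member, data in members.items():
                zf.writestr(member, data)

    # Version only in Maven pom.properties.
    write_jar("odwek/api/log4j-core-2.14.1.jar",
              {"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
               "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"})
    # Version only in the manifest.
    write_jar("fts/lib/log4j-api-2.17.0.jar",
              {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.17.0\n"})
    # Log4j 1.x style jar with no metadata: version comes from the file name.
    write_jar("lob/portal/log4j-1.2.17.jar", {"log4j.properties": "# constructed placeholder\n"})
    # Unrelated jar that must not be reported.
    write_jar("lob/portal/commons-logging-1.2.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return base


def run_demo():
    """Build the constructed tree in a temp dir and return findings with root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), a, v)
                for p, a, v in inventory_log4j(root)]


if __name__ == "__main__":
    for rel_path, artifact, version in run_demo():
        print(f"{artifact:<12} {version or 'unknown':<10} {rel_path}")
```

Run it against each component root (the ICN/WebSphere profile, the ODWEK directory, the FTS install) rather than the whole filesystem, so the output maps directly onto the three components the FAQ names; a jar with an unreadable or missing version is still listed, since an unknown version is a finding to chase, not one to drop.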


Here is a list of scenarios, and the likely level of risk from this vulnerability:  (Last updated Dec 13th, 10am)