m (Re-organized opening paragraphs.) |
m (Updated Q&A with the latest info.) |
| Line 55: | Line 55: | ||
; Is a standalone CMOD server (without IBM HTTP / Websphere / ODWEK / REST API / FTS configured) vulnerable? | ; Is a standalone CMOD server (without IBM HTTP / Websphere / ODWEK / REST API / FTS configured) vulnerable? | ||
: No, CMOD itself does not call or use log4j. | : No, CMOD itself does not call or use log4j. | ||
; Where do I need to install the new version of the Apache log4j library? | |||
: Anywhere that you have installed CMOD - this includes: all CMOD servers, WebSphere/Tomcat/HTTP servers with CMOD, ODWEK, or the REST API components, and development servers for line-of-business applications that use ODWEK/REST APIs. | |||
''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.'' | ''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.'' | ||
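Review bot: The added answer "Anywhere that you have installed CMOD - this includes: all CMOD servers, ..." reads as conflicting with the unchanged answer directly above it, which tells readers a standalone CMOD server is not vulnerable because "CMOD itself does not call or use log4j". If the library should still be replaced on standalone servers, add one sentence saying why, so the two answers are not taken as contradictory. The question also refers to "the new version" without naming it; link to the upgrade section or state the version here.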
| Line 64: | Line 67: | ||
* Line-of-Business apps using CMOD that are exposed to the public internet with proper firewalls & access controls: ''Low '' | * Line-of-Business apps using CMOD that are exposed to the public internet with proper firewalls & access controls: ''Low '' | ||
* Line-of-Business apps using CMOD that are exposed to the public internet with unrestricted access to the CMOD server: ''Low'' | * Line-of-Business apps using CMOD that are exposed to the public internet with unrestricted access to the CMOD server: ''Low'' | ||
* CMOD and ODWEK running on the same server instance / operating system & | * CMOD and ODWEK running on the same server instance / operating system & accessible to the internet: ''Medium'' | ||
== Upgrading log4j v2.15.x == | == Upgrading log4j v2.15.x == | ||
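Review bot: The completed bullet "CMOD and ODWEK running on the same server instance / operating system & accessible to the internet: ''Medium''" gives a less specific exposure condition than the two bullets above it, which distinguish "proper firewalls & access controls" from "unrestricted access to the CMOD server". State which of those cases the Medium rating assumes. The list also gives no rationale for why unrestricted internet access stays Low while co-locating CMOD and ODWEK raises the rating, so a short reason on this line would help readers apply it to their own setup.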