Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

m (Updated Q&A with the latest info.)
m (Changed Section title, removed Service-request questions, directed people to Twitter, ODUG, LinkedIn.)
Line 92: Line 92:




== Questions for IBM ==
== Questions & Responses ==
Here are a few questions we've sent to IBM, and we'll update this article with their responses:
 
*Is log4j used for any purpose on a standalone CMOD server, or is it used exclusively for ODWEK?
*For ODWEK, in which situations/configurations would log4j be accessible to an API consumer?
*ICN v3 ships with Log4j 1.2.15, and is not included in this CVE due to being EOL'd earlier this year, so it's unknown if this version is affected. Is it possible to upgrade log4j to the patched version?
*For ICN, in which situations/configurations would log4j be accessible to an API consumer?
*Are there architectural mitigations that can be put in place? (Blocking firewall ports, specific URLs, changing the location of libraries, etc.)
*Will IBM provide an interim fix for this issue, or advise clients to patch log4j on their own?


If you have questions you'd like to see answered, find us on Twitter:  https://Twitter.com/CMODwiki