Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

m (Changed Section title, removed Service-request questions, directed people to Twitter, ODUG, LinkedIn.)
m (Minor changes to explanation...)
Line 45: Line 45:


== Impact ==
== Impact ==
The largest impact is to systems that have publicly-facing IBM Content Navigator (ICN) installations where the ODWEK Java API is also publicly accessible, or line-of-business (LoB) apps (like client/customer portals) that rely on Log4j to provide logging.  In most (reasonable) system architectures, ODWEK itself is not exposed to the public internet, and instead, is used as an intermediate API (typically install a network DMZ) between LoB applications that are internet-accessible and Content Manager OnDemand.  In the overwhelming majority of system designs, there are firewalls and other access controls on both the external and internal sides of a web server.  However, if an attacker was able to obtain an elevated level of access to a web server, they may be able to use that elevated access to attempt to exploit ODWEK.
The largest impact is to systems that have publicly-facing IBM Content Navigator (ICN) installations where the ODWEK Java API is also publicly accessible, or line-of-business (LoB) apps (like client/customer portals) that rely on Log4j to provide logging.  In most (reasonable) system architectures, ODWEK itself is not exposed to the public internet, and instead, is used as an intermediate API between LoB applications that are internet-accessible and Content Manager OnDemand.  In the overwhelming majority of system designs, there are firewalls and other access controls on both the external and internal sides of a web server.  However, if an attacker was able to obtain an elevated level of access to a web server, they may be able to use that elevated access to attempt to exploit ODWEK.


; Which CMOD components use Apache log4j?
; Which CMOD components use Apache log4j?
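Review bot: In the second sentence of the Impact paragraph, deleting "(typically install a network DMZ)" removes the only statement of where ODWEK normally sits relative to the firewalls described in the next sentence. The old wording was ungrammatical, so if a DMZ placement is what was meant, consider rewording it (for example "typically installed in a network DMZ") rather than dropping it. Separately, the first sentence describes installations where the ODWEK Java API is "publicly accessible" while the second says ODWEK "is not exposed to the public internet" in most architectures; a short sentence telling readers how to determine which case applies to their deployment would make the paragraph easier to act on.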