Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

Minor updates to reflect ICN log4j vulnerability
m (Converted CMOD version information to table.)
(Minor updates to reflect ICN log4j vulnerability)
Line 39: Line 39:


== Impact ==
== Impact ==
The largest impact is to systems that have publicly-facing IBM Content Navigator (ICN) installations, or line-of-business (LoB) apps (like client/customer portals) that rely on Log4j to provide logging.  In most (reasonable) architectures, ODWEK itself is not exposed to the public internet, and instead, is used as an intermediate API between LoB applications that are internet-accessible and Content Manager OnDemand.  In the overwhelming majority of architectures, there are firewalls and other access controls on both the external and internal sides of a web server.  However, if an attacker was able to obtain an elevated level of access to a web server, they may be able to use that elevated access to attempt to exploit ODWEK.
The largest impact is to systems that have publicly-facing IBM Content Navigator (ICN) installations where the ODWEK Java API is also publicly accessible, or line-of-business (LoB) apps (like client/customer portals) that rely on Log4j to provide logging.  In most (reasonable) system architectures, ODWEK itself is not exposed to the public internet, and instead, is used as an intermediate API (typically install a network DMZ) between LoB applications that are internet-accessible and Content Manager OnDemand.  In the overwhelming majority of system designs, there are firewalls and other access controls on both the external and internal sides of a web server.  However, if an attacker was able to obtain an elevated level of access to a web server, they may be able to use that elevated access to attempt to exploit ODWEK.


'''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.'''
'''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.'''
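Review bot: The new parenthetical in the revised Impact paragraph, "(typically install a network DMZ)", is ungrammatical and should probably read "(typically installed in a network DMZ)". In the same sentence, the added qualifier "where the ODWEK Java API is also publicly accessible" attaches only to the ICN installations, so it is unclear whether it is meant to apply to the line-of-business apps as well; splitting the sentence into the two cases would remove the ambiguity.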
Line 49: Line 49:
* CMOD with ICN or Line-of-Business apps exposed to the public internet with proper firewalls & access controls: ''Low to Medium''
* CMOD with ICN or Line-of-Business apps exposed to the public internet with proper firewalls & access controls: ''Low to Medium''
* CMOD with ICN or Line-of-Business apps exposed to the public internet with unrestricted access to the CMOD server: ''High''
* CMOD with ICN or Line-of-Business apps exposed to the public internet with unrestricted access to the CMOD server: ''High''
* CMOD and ODWEK running on the same server instance / operating system:  ''Extreme''


== Upgrading log4j v2.15.x ==
== Upgrading log4j v2.15.x ==
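Review bot: The added bullet rating "CMOD and ODWEK running on the same server instance / operating system" as ''Extreme'' has no supporting explanation in the Impact text, and the bold summary above it still states that the risk to the data in a CMOD server is low. Add a sentence to the Impact section saying why co-location raises the rating, and qualify the bold summary so it does not contradict the new top of the scale.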
