
Thursday, 14 April 2022

Resolution and Mitigation for Apache Log4J Vulnerabilities

This advisory covers the impact on TIBCO Spotfire products of the Apache Log4j 2 vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. TIBCO is also aware of CVE-2021-4104 (the JMSAppender issue in Log4j 1.x); it was investigated as part of the response to CVE-2021-44228 and is addressed by Note 1 below.

TIBCO Spotfire products that are affected by CVE-2021-44228 and CVE-2021-45046

TIBCO Spotfire Server

  • TIBCO Spotfire Server < 7.9 is not affected (see Note 1 below)
  • TIBCO Spotfire Server 7.9-10.9 is affected, mitigation is available
  • TIBCO Spotfire Server 10.10 is affected, resolution (service pack) and mitigation available
  • TIBCO Spotfire Server 11.0-11.3 is affected, mitigation available
  • TIBCO Spotfire Server 11.4 is affected, resolution (service pack) and mitigation available
  • TIBCO Spotfire Server 11.5 is affected, mitigation available
  • TIBCO Spotfire Server 11.6 is affected, resolution (service pack) and mitigation available

TIBCO Spotfire Statistics Services

  • TIBCO Spotfire Statistics Services <= 10.3.0 is not affected (see Note 1 below)
  • TIBCO Spotfire Statistics Services 10.3.1 is affected, mitigation available
  • TIBCO Spotfire Statistics Services 10.10 is affected, resolution (service pack) and mitigation available
  • TIBCO Spotfire Statistics Services 11.1-11.3 is affected, mitigation available
  • TIBCO Spotfire Statistics Services 11.4 is affected, resolution (service pack) and mitigation available
  • TIBCO Spotfire Statistics Services 11.5 is affected, mitigation available
  • TIBCO Spotfire Statistics Services 11.6 is affected, resolution (service pack) and mitigation available

TIBCO Spotfire Service for Python

  • TIBCO Spotfire Service for Python 1.0 is affected, resolution (service pack) and mitigation available
  • TIBCO Spotfire Service for Python 1.1-1.2 is affected, mitigation available
  • TIBCO Spotfire Service for Python 1.3 is affected, resolution (service pack) and mitigation available
  • TIBCO Spotfire Service for Python 1.4 is affected, mitigation available
  • TIBCO Spotfire Service for Python 1.5 is affected, resolution (service pack) and mitigation available

TIBCO Enterprise Runtime for R - Server Edition

  • TIBCO Enterprise Runtime for R - Server Edition 1.0-1.2 is affected, mitigation available
  • TIBCO Enterprise Runtime for R - Server Edition 1.3 is affected, resolution (service pack) and mitigation available
  • TIBCO Enterprise Runtime for R - Server Edition 1.4-1.6 is affected, mitigation available
  • TIBCO Enterprise Runtime for R - Server Edition 1.7 is affected, resolution (service pack) and mitigation available
  • TIBCO Enterprise Runtime for R - Server Edition 1.8 is affected, mitigation available
  • TIBCO Enterprise Runtime for R - Server Edition 1.9 is affected, resolution (service pack) and mitigation available


TIBCO Spotfire products that are not affected

  • TIBCO Spotfire Analyst
  • TIBCO Spotfire Automation Services
  • TIBCO Spotfire Qualification
  • TIBCO Spotfire Business Author
  • TIBCO Spotfire Consumer
  • TIBCO Spotfire Desktop


Note 1:

The versions marked "not affected (see Note 1 below)" above are not exposed to CVE-2021-44228. CVE-2021-4104, however, concerns the JMSAppender class of Log4j 1.x and is exploitable only when an attacker can write to the logging configuration. If a customer has configured JMSAppender in plugins they have written, they should check that this does not expose CVE-2021-4104. For more details see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

Note 2:

The denial-of-service vulnerability CVE-2021-45105 is triggered by logging patterns that include context lookups (for example ${ctx:loginId} in a PatternLayout). No TIBCO Spotfire product uses such a pattern out of the box; if a customer has added one, it must be reverted. Refer to Apache Log4j Security Vulnerabilities (https://logging.apache.org/log4j/2.x/security.html) for more information. Update: new releases and service packs containing Log4j 2.17.1, which addresses this issue, were released on February 2, 2022.

Note 3:

Spotfire is unaffected by CVE-2021-44832 because exploitation requires that the attacker can modify the Log4j configuration file. Only trusted administrators have file-system access to the TIBCO Spotfire Server, TIBCO Spotfire Statistics Services, TIBCO Spotfire Service for Python, and TIBCO Enterprise Runtime for R - Server Edition products. Update: new releases and service packs containing Log4j 2.17.1, which addresses this issue, were released on February 2, 2022.

Resolution

December 21: The following service packs (updating Log4j 2 to version 2.16.0) for Mainstream and LTS versions are now available for download from the TIBCO eDelivery site (https://edelivery.tibco.com). Upgrade to these service packs, which contain a fix for CVE-2021-45046 (as well as CVE-2021-44228, which was addressed in the previous service packs). Note that Log4j 2.16.0 does not address CVE-2021-45105 or CVE-2021-44832; those are covered by the February 2, 2022 service packs (Log4j 2.17.1) mentioned in Notes 2 and 3.
  • TIBCO Spotfire Server 11.6.3, 11.4.4, 10.10.9 
  • TIBCO Spotfire Statistics Services 11.6.2, 11.4.4, 10.10.7
  • TIBCO Spotfire Service for Python 1.5.2, 1.3.3, 1.0.5
  • TIBCO Enterprise Runtime for R - Server Edition 1.9.2, 1.7.3, 1.3.5 

Service packs have been released for the latest Mainstream version and for the current LTS versions for which end of support has not been announced. Versions 11.6, 11.4 and 10.10 are the only versions currently receiving service packs. See Overview of TIBCO Spotfire Releases – Mainstream and LTS (Long-Term Support) for more information.

If one of the earlier service packs released on December 14 (not related to Log4Shell) or December 15 (only addressing CVE-2021-44228) has been installed, upgrade to these latest service packs as well.

See the product documentation for instructions on the upgrade procedure.  

Mitigation

See the attached document "Spotfire Mitigation for Log4Shell.pdf" for mitigation steps if upgrading to the latest service packs that address the issues (recommended) is not an option. These instructions are based on the mitigation documented by Apache for the different vulnerable versions of Log4j 2.

Note: Version 1.x of the mitigation document described a mitigation based on setting the log4j2.formatMsgNoLookups Java option. That mitigation limits exposure but was found to be incomplete (it does not cover CVE-2021-45046) and was retracted by The Apache Software Foundation. There is no need to revert it, but make sure to also follow the latest mitigation instructions.
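The following verification script is an added example written for this page; it is not TIBCO's code and not the content of the attached mitigation document. It scans an installation tree for log4j-core jars, reads the Log4j version from each jar's manifest (falling back to the filename) and checks whether the JndiLookup class is still present, which is the class Apache's documented mitigation removes from vulnerable 2.x jars. It also searches a Log4j 2 configuration for the ${ctx:...} context lookups that Note 2 says must be reverted. The install layout, the jar contents and the configuration are constructed inline so the script runs offline; the directory names are assumptions, not Spotfire's real layout, and the 2.17.1 threshold is taken from the February 2, 2022 service-pack notes above.

```python
"""Log4Shell verification helper (added example, not TIBCO code).

Classifies log4j-core jars as fixed, mitigated or vulnerable and finds
${ctx:...} lookups in a Log4j 2 configuration. All input is constructed.
"""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Log4j version shipped in the February 2, 2022 service packs (advisory Notes 2 and 3).
FIXED_VERSION = (2, 17, 1)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# ${ctx:name} and the $${ctx:name} form used inside PatternLayout patterns.
CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:[^}]*\}")

# Constructed Log4j 2 configuration containing the kind of lookup Note 2 warns about.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p [${ctx:loginId}] %c - %m%n"/>
    </Console>
  </Appenders>
</Configuration>
"""


def parse_version(text):
    """Return the first x.y.z version in text as an int tuple, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def jar_version(jar):
    """Read the Log4j version from the manifest, falling back to the jar filename."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for key in ("Log4jReleaseVersion", "Implementation-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    return parse_version(Path(jar.filename).name)


def inspect_jar(path):
    """Classify one jar: fixed (>= 2.17.1), mitigated (JndiLookup removed) or vulnerable."""
    with zipfile.ZipFile(path) as jar:
        version = jar_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is not None and version >= FIXED_VERSION:
        status = "fixed"
    elif not has_jndi:
        status = "mitigated"  # class-removal mitigation applied, but still below 2.17.1
    else:
        status = "vulnerable"
    return {"path": str(path), "version": version, "jndi_lookup": has_jndi, "status": status}


def scan_install(root):
    """Inspect every log4j-core*.jar below root (e.g. a Spotfire Server install directory)."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("log4j-core*.jar"))]


def find_context_lookups(config_text):
    """Return every ${ctx:...} lookup found in a Log4j 2 configuration."""
    return CTX_LOOKUP_RE.findall(config_text)


def _write_jar(path, version, include_jndi):
    """Write a minimal jar mimicking log4j-core's manifest and class layout (test data)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nLog4jReleaseVersion: {version}\r\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def build_sample_install():
    """Create a constructed install tree (directory names assumed, not Spotfire's layout)."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    (root / "tomcat" / "lib").mkdir(parents=True)
    (root / "old").mkdir()
    _write_jar(root / "tomcat" / "lib" / "log4j-core-2.17.1.jar", "2.17.1", True)  # fixed
    _write_jar(root / "old" / "log4j-core-2.14.1.jar", "2.14.1", True)             # vulnerable
    _write_jar(root / "old" / "log4j-core-2.13.3.jar", "2.13.3", False)            # mitigated
    return root


if __name__ == "__main__":
    for r in scan_install(build_sample_install()):
        print(f"{r['status']:<10} {r['version']} jndi_lookup={r['jndi_lookup']} {r['path']}")
    print("context lookups:", find_context_lookups(SAMPLE_CONFIG))
```

To use it against a real installation, call scan_install() with the product's install directory and find_context_lookups() with the contents of its Log4j 2 configuration file. A jar reported as "mitigated" has had JndiLookup removed but is still on a version below 2.17.1, so the DoS issue of Note 2 still applies if a context-lookup pattern is configured; the advisory's recommended path remains the service-pack upgrade.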

 
