Maximo


Maximo vs Log4Shell vulnerability

  • 1.  Maximo vs Log4Shell vulnerability

    Posted Sun December 12, 2021 10:05 AM
    An updated Maximo should have no problems with the CVE-2021-44228 vulnerability (aka Log4Shell) because system property "com.sun.jndi.ldap.object.trustURLCodebase" should be false by default (check the Java version to be sure).
    However, if you are in doubt or your env is old, you can add the "log4j2.formatMsgNoLookups" param to mitigate this critical issue.



    ------------------------------
    Diego Visentin
    EAM BU Director
    Tempestive S.p.A.
    Pordenone
    ------------------------------

    #AssetandFacilitiesManagement
    #Maximo


  • 2.  RE: Maximo vs Log4Shell vulnerability

    Posted Mon December 13, 2021 02:09 AM
    Edited by System Test Wed March 22, 2023 11:45 AM
    Is Maximo using log4j somewhere? The files I've found in SMP (IBM Control Desk 7.6.1.4) are using log4j v1.x.
    I've found v2 within ISCLITE (WebSphere v9), and IBM has already provided a fix to update log4j2 (9.0.5.3-ws-wasprod-ifph42728).
    "Old" environments (WebSphere 8.5.x) seem to use log4j 1, which should not be affected?


    ------------------------------



  • 3.  RE: Maximo vs Log4Shell vulnerability

    Posted Mon December 13, 2021 04:09 AM
    Edited by System Test Wed March 22, 2023 11:45 AM
    Maximo uses Log4J for logging (see Maximo Asset Management Logging (ibm.com))
    In an updated version like 7.6.1.2, it uses a version of the library (c:\IBM\SMP\maximo\applications\maximo\lib\log4j-1.2.16.jar) that is not affected by this mess. Instead, the older versions seem to have also included the 2.x version of the library. In this case you must decide what to do. One suggestion is to set the property that disables the vulnerable feature. Others suggest removing that code from the distributed library.

    ------------------------------
    Diego Visentin
    EAM BU Director
    Tempestive S.p.A.
    Pordenone
    ------------------------------



  • 4.  RE: Maximo vs Log4Shell vulnerability

    Posted Mon December 13, 2021 05:07 AM
    Thanks for the inputs, Diego. I would be relieved to see any IBM article that officially backs this recommendation, as reading some of the articles about this CVE, Apache seems to have patched the issue in log4j v2.15.0 and the recommendation is to upgrade to this latest version.

    Maximo's version of 1.2.x is very old and was released way back in 2010.


    ------------------------------
    AK
    ------------------------------



  • 5.  RE: Maximo vs Log4Shell vulnerability

    Posted Mon December 13, 2021 05:21 AM
    Edited by System Test Wed March 22, 2023 11:53 AM
    This is the link to the generic recommendations from IBM:
    An update on the Apache Log4j CVE-2021-44228 vulnerability - IBM PSIRT Blog

    As Klaus has written, for WAS there is a "just-in-time" interim-fix:
    Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) (ibm.com)

    ------------------------------
    Diego Visentin
    EAM BU Director
    Tempestive S.p.A.
    Pordenone
    ------------------------------



  • 6.  RE: Maximo vs Log4Shell vulnerability

    Posted Tue December 14, 2021 08:55 AM

    I have the same feeling as Arun is raising here. When we use Installation Manager to update WebSphere, it will update to version 9.0.5.10 and also include hotfix 42728 on your system.

    When I do a search on Log4j in the IBM folder structure, I see that the WebSphere ones are updated to the recommended 2.15.0 but the Maximo ones are on 1.2.16 or 1.2.17 (this is Maximo 7.6.1.2).
    I think it would help everyone to understand the version numbering if the Maximo versions are not vulnerable.

    Thanks
    Marcel van der Heide


    ------------------------------
    Marcel van der Heide
    ------------------------------



  • 7.  RE: Maximo vs Log4Shell vulnerability

    Posted Tue December 14, 2021 04:13 PM

    Just an FYI, Apache seems to be saying that this will not completely remediate the vulnerability.
    https://logging.apache.org/log4j/2.x/security.html


    History
    Older (discredited) mitigation measures
    
    This page previously mentioned other mitigation measures, but we discovered that these measures only limit exposure while leaving some attack vectors open.
    
    Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.
    
    The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.
    
    The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.


    ------------------------------
    aaron robertson
    ------------------------------



  • 8.  RE: Maximo vs Log4Shell vulnerability

    Posted Tue December 14, 2021 11:05 PM
    As per the Apache update below, Log4j 1.x is not impacted by this vulnerability. Also, only the log4j-core JAR file is impacted. We are using Log4j 1.x in Maximo (checked in 7.6 and 7.6.1.2), so it should not be an issue with Maximo. It is still better if IBM confirms it.
    Maximo:
    E:\IBM\SMP\maximo\applications\maximo\lib\log4j-1.2.16.jar
    E:\IBM\SMP\maximo\reports\cognos\c11\sdk\log4j-1.2.17.jar
    However, WebSphere (checked v9.0.5.8) uses Log4j 2.x
    E:\IBM\WebSphere\AppServer\systemApps\isclite.ear\kc.war\WEB-INF\lib\log4j-core-2.8.2.jar
    IBM has provided a fix and workaround in the note below (Fix: upgrade to the latest fix pack and apply IF PH42728):


    ------------------------------
    Manoj Sawant
    Maximo Consultant
    Wipro Technologies
    Adelaide
    ------------------------------



  • 9.  RE: Maximo vs Log4Shell vulnerability

    Posted Wed December 15, 2021 12:22 PM
    Log4j 1.x is impacted by log4shell if a JMS Appender is configured.  This is not standard for Maximo so I imagine most will not be affected.
    Log4j 1.x does have its own high-impact CVE that predates the Log4Shell issue that you may want to review as well.
    https://nvd.nist.gov/vuln/detail/CVE-2019-17571

    ------------------------------
    aaron robertson
    ------------------------------



  • 10.  RE: Maximo vs Log4Shell vulnerability

    Posted Wed December 15, 2021 04:17 AM
    Just published this security vulnerability technote for IBM Maximo products:
    Apache log4j2 CVE-2021-44228 security vulnerability (ibm.com)

    ------------------------------
    Diego Visentin
    EAM BU Director
    Tempestive S.p.A.
    Pordenone
    ------------------------------



  • 11.  RE: Maximo vs Log4Shell vulnerability

    Posted Wed December 15, 2021 07:55 AM
    I assume this is outdated, as it was recognized that Log4J version 2.15 also has the vulnerability issue.

    ------------------------------
    Mohamed Skandaji
    Smartech
    +21624420600
    ------------------------------



  • 12.  RE: Maximo vs Log4Shell vulnerability

    Posted Wed December 15, 2021 08:48 AM
    Yes, the latest version of Log4J is 2.16.0, released on Monday: Log4j – Changes (apache.org)
    Fingers crossed that this one finally closes the issue.
    If so, I hope IBM will update the technote.



    ------------------------------
    Diego Visentin
    EAM BU Director
    Tempestive S.p.A.
    Pordenone
    ------------------------------



  • 13.  RE: Maximo vs Log4Shell vulnerability

    Posted Wed December 15, 2021 04:22 PM
    Edited by System Test Wed March 22, 2023 11:50 AM

    We will update the technote as new (confirmed) information is provided to us.

    With respect to JNDI lookup and the JMS Appender:

    The log4j-1.2.16.jar included in Maximo (\IBM\SMP\maximo\applications\maximo\lib\log4j-1.2.16.jar) does not have the JndiLookup.class, because the JNDI feature was added in log4j 2.0-beta9 (ref https://stackoverflow.com/questions/70310980/log4j-vulnerability-is-log4j1-2-17-vulnerable-was-unable-to-find-any-jndi-cod).

    The JMS Appender is not an available Appender type in Maximo Logging.



    ------------------------------
    Richard Lesses
    IBM Team Lead/Technical Lead, Maximo Systems & Integration Support
    ------------------------------
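The checks the replies above keep circling back to (Apache's advice in reply 7 to upgrade or remove JndiLookup from log4j-core, the jar inventory of reply 8, and the point in reply 13 that the Maximo 1.x jar has no JndiLookup.class) as an added Python example; this is not code from IBM, Apache or any poster in this thread. It walks a directory tree, opens every .jar/.war/.ear, recurses into archives nested inside them (the isclite.ear -> kc.war -> log4j-core-2.8.2.jar case), takes the version from the file name, reports whether JndiLookup.class and the 1.x JMSAppender class are present, and shows the class-removal fallback as a copy of the jar. The directory layout, the fake class bytes, the "other-lib.jar" and the "thirdparty" jars are constructed for the demo; the 2.17.0 threshold reflects the thread's December 2021 state and is an assumption to be checked against current bulletins.

```python
"""Find Log4j jars in an install tree (nested ear/war too), flag JndiLookup.class, demo class removal."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # exists in log4j 2.x only
JMS_APPENDER_V1 = "org/apache/log4j/net/JMSAppender.class"  # log4j 1.x; CVE-2021-4104 only if configured
FIXED_2X = (2, 17, 0)  # threshold in the thread's technotes (Dec 2021); revisit against current bulletins
VERSION_RE = re.compile(r"log4j(?:-[a-z0-9.-]+?)?-(\d+(?:\.\d+)+)\.jar$", re.I)  # version from file name only
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str  # "x.ear!/kc.war!/WEB-INF/lib/y.jar" for a jar nested in other archives
    version: Optional[str]
    has_jndi_lookup: bool
    has_jms_appender: bool

    def verdict(self) -> str:
        ver = tuple(int(p) for p in (self.version or "0").split("."))
        if self.has_jndi_lookup:
            if ver >= FIXED_2X:
                return "REVIEW: JndiLookup present but version >= 2.17.0; confirm against current bulletins"
            return "VULNERABLE: JndiLookup present; upgrade log4j-core or remove the class"
        if ver[0] == 1:
            note = " (JMSAppender shipped; a risk only if such an appender is configured)"
            return "log4j 1.x: no JndiLookup" + (note if self.has_jms_appender else "")
        return "OK: no JndiLookup"


def _inspect(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    names = set(zf.namelist())
    m = VERSION_RE.search(os.path.basename(label))
    if m or JNDI_LOOKUP in names:  # report log4j jars and anything else that bundles the class
        yield Finding(label, m.group(1) if m else None, JNDI_LOOKUP in names, JMS_APPENDER_V1 in names)
    for n in names:  # recurse into archives nested in this one (ear -> war -> jar)
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    yield from _inspect(inner, f"{label}!/{n}")
            except zipfile.BadZipFile:
                continue


def scan(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXT)):
            try:
                with zipfile.ZipFile(path) as zf:
                    out.extend(_inspect(zf, path))
            except zipfile.BadZipFile:  # not every *.jar on disk is a valid zip
                continue
    return sorted(out, key=lambda f: f.path)


def strip_jndi_lookup(src: str, dst: str) -> bool:
    """Copy jar src to dst without JndiLookup.class (top-level jar only; extract a nested one first)."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed  # True only if the class was actually in src


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    # Constructed stand-in for an IBM SMP plus WebSphere layout; the class bytes are fake.
    fake = b"\xca\xfe\xba\xbe"
    v1 = _jar({"org/apache/log4j/Logger.class": fake, JMS_APPENDER_V1: fake})
    core = _jar({"org/apache/logging/log4j/core/Logger.class": fake, JNDI_LOOKUP: fake})
    files = {
        "SMP/maximo/applications/maximo/lib/log4j-1.2.16.jar": v1,
        "SMP/maximo/applications/maximo/lib/other-lib.jar": _jar({"a/B.class": fake}),  # not log4j: ignored
        "WebSphere/AppServer/systemApps/isclite.ear": _jar({"kc.war": _jar({"WEB-INF/lib/log4j-core-2.8.2.jar": core})}),
        "thirdparty/lib/log4j-core-2.14.1.jar": core,  # hypothetical extra copy, used for the strip demo
        "thirdparty/lib/log4j-core-2.17.0.jar": core,  # 2.17.0 still ships the class (JNDI off by default)
    }
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)


def demo() -> Tuple[List[Finding], bool, List[Finding]]:
    # Scan the constructed tree, strip the top-level 2.14.1 jar, then rescan the stripped copy.
    root = tempfile.mkdtemp(prefix="log4jscan-")
    build_sample_tree(root)
    before = scan(root)
    stripped = os.path.join(root, "stripped")
    os.makedirs(stripped)
    removed = strip_jndi_lookup(os.path.join(root, "thirdparty", "lib", "log4j-core-2.14.1.jar"),
                                os.path.join(stripped, "log4j-core-2.14.1.jar"))
    return before, removed, scan(stripped)
```

On a real server you would call `scan(r"E:\IBM")` (or the SMP and WebSphere roots separately) and print `f.path`, `f.version` and `f.verdict()` for each finding. Two caveats a practitioner should keep in mind: the version comes from the file name only, so a renamed jar is reported as version unknown and, if it contains JndiLookup.class, as vulnerable; and `strip_jndi_lookup` is the last-resort mitigation from Apache's page for a jar the vendor has not yet replaced, not a substitute for the IBM interim fix, because it leaves the rest of the old log4j-core in place.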



  • 14.  RE: Maximo vs Log4Shell vulnerability

    Posted Wed December 15, 2021 07:09 PM
    There is another WebSphere Interim Fix PH42762 released by IBM yesterday.

    https://www.ibm.com/support/pages/node/6526750

    ------------------------------
    Manoj Sawant
    Maximo Consultant
    Wipro Technologies
    Adelaide
    ------------------------------



  • 15.  RE: Maximo vs Log4Shell vulnerability

    Posted Fri December 17, 2021 10:20 AM
    Hi! Please see (Maximo) Apache log4j2 CVE-2021-44228 security vulnerability
    And be sure you are subscribed to IBM Notifications for updates to Maximo and other IBM products in your environment.

    ------------------------------
    Richard Lesses
    IBM Team Lead/Technical Lead, Maximo Systems & Integration Support
    ------------------------------



  • 16.  RE: Maximo vs Log4Shell vulnerability

    Posted Mon December 20, 2021 06:22 AM
    Hi,

    When I click on the technote for IBM Maximo products it asks for Passport Advantage access (for IBMers). Shouldn't the technote be available publicly? Is there an alternate accessible link with the same information?

    Thanks,
    Anshu.


    ------------------------------
    ANSHU Garg
    ------------------------------



  • 17.  RE: Maximo vs Log4Shell vulnerability

    Posted Mon December 20, 2021 08:54 AM
    There is an internal doc with identical content, a link to which I have sent you.

    ------------------------------
    Richard Lesses
    IBM Team Lead/Technical Lead, Maximo Systems & Integration Support
    ------------------------------



  • 18.  RE: Maximo vs Log4Shell vulnerability

    Posted Fri December 17, 2021 05:29 PM
    Maximo Scheduler Optimization too... #keepcalmandfixagain
    https://www.ibm.com/support/pages/node/6527990

    ------------------------------
    Diego Visentin
    EAM BU Director
    Tempestive S.p.A.
    Pordenone
    ------------------------------



  • 19.  RE: Maximo vs Log4Shell vulnerability

    Posted Tue December 21, 2021 12:35 PM
    I fear this mess will be a long story. In a couple of weeks, three versions of the Log4J library have already been released (the last is 2.17).

    About WAS, this technote has been updated today and refers to the interim-fix PH42762 that supersedes (includes) the previous ones (PH42728, PH37034, PI97162)
    Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-4104 CVSS 8.1, CVE-2021-45046 CVSS 9.0) (ibm.com)

    The technote on Maximo products was updated yesterday but I don't see substantial changes:
    Apache log4j2 CVE-2021-44228 security vulnerability (ibm.com)
    Instead, the one on the ACM seems more detailed:
    Security Bulletin: A security vulnerability has been identified in Apache Log4j (CVE-2021-44228) in IBM Maximo Asset Configuration Manager and IBM Maximo for Aviation.

    #stayontopofpatching

    ------------------------------
    Diego Visentin
    EAM BU Director
    Tempestive S.p.A.
    Pordenone
    ------------------------------



  • 20.  RE: Maximo vs Log4Shell vulnerability

    Posted Tue December 21, 2021 01:40 PM
    Edited by System Test Wed March 22, 2023 11:47 AM
    The technote on Maximo products was updated yesterday but I don't see substantial changes:
    Apache log4j2 CVE-2021-44228 security vulnerability (ibm.com)
    I updated it yesterday afternoon. The Maximo 7.5.x-7.6.x information can be summarized as


    Apache Log4j Security Vulnerabilities – Log4j 2.0-2.14 (CVE-2021-44228), 2.15 (CVE-2021-45046), and 2.16 (CVE-2021-45105)

    The one on the ACM seems more detailed:
    Security Bulletin: A security vulnerability has been identified in Apache Log4j (CVE-2021-44228) in IBM Maximo Asset Configuration Manager and IBM Maximo for Aviation.
    It was updated for log4j-2.17.0

    It is important to note that while the documentation was lagging, Apache released log4j-2.17 last Wednesday and WebSphere updated their security bulletins by end of day Wednesday.

    *Apache Log4j v1 used in IBM Maximo Asset Management does not have JNDI lookup, nor is JMS Appender enabled in the code.

    [Edit:  techdoc fixed]

    ------------------------------
    Richard Lesses
    IBM Team Lead/Technical Lead, Maximo Systems & Integration Support
    ------------------------------