Hello, 

Recently our cyber security team based upon their logs suspected a few attacks related to "zero-day Java log4j vulnerability". It seems that

------------------------------
Pankaj Bhide
Computer Systems Engineer
Berkeley National Laboratory
Berkeley CA
------------------------------

#AssetandFacilitiesManagement
#Maximo

Hello Team,

We have been also notified about the above Threat Log4j vulnerability (CVE-2021-44228) 

Any update please, let us know

Arun Prasath
Solution Architect
Tech Mahindra

------------------------------
Arun Prasath
------------------------------

Original Message:
Sent: Sat December 11, 2021 01:28 PM
From: Pankaj Bhide
Subject: Log4j Vulnerability (CVE-2021-44228)

Hello, 

Recently our cyber security team based upon their logs suspected a few attacks related to "zero-day Java log4j vulnerability". It seems that

the vulnerability requires an application that would log a simple special string submitted by the user.  So for example, if a java app logs the HTTP User-Agent header (or any other header), the attacker merely needs to set their User-Agent to this special string.  

Any clue whether in MAXIMO code such logging statements are present? 

Are there any fixes, patches for MAXIMO, WebSphere, etc?

------------------------------
Pankaj Bhide
Computer Systems Engineer
Berkeley National Laboratory
Berkeley CA
------------------------------

#Maximo
#AssetandFacilitiesManagement

The log4j version shipped with Maximo (or Manage) for most customers will not be impacted. If you have ACM, Aviation, or Scheduler Optimization there will be information posted on how to update it as those come with a version of log4j that is impacted.

WebSphere also is impacted and has the documentation available here: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/

------------------------------
Steven Shull
------------------------------

Original Message:
Sent: Sat December 11, 2021 01:28 PM
From: Pankaj Bhide
Subject: Log4j Vulnerability (CVE-2021-44228)

Hello, 

Recently our cyber security team based upon their logs suspected a few attacks related to "zero-day Java log4j vulnerability". It seems that

the vulnerability requires an application that would log a simple special string submitted by the user.  So for example, if a java app logs the HTTP User-Agent header (or any other header), the attacker merely needs to set their User-Agent to this special string.  

Any clue whether in MAXIMO code such logging statements are present? 

Are there any fixes, patches for MAXIMO, WebSphere, etc?

------------------------------
Pankaj Bhide
Computer Systems Engineer
Berkeley National Laboratory
Berkeley CA
------------------------------

#AssetandFacilitiesManagement
#Maximo

#Maximo
#AssetandFacilitiesManagement

Steven, what is the recommendation for remediating Log4j version 1 vulnerabilities in Maximo and ICD? Is there an existing procedure to replace it with Log4j version 2.17 (or latest)?

------------------------------
Boyd Bradford
Director, IT Service Management Practice
Advanced Integrated Solutions, Inc.
------------------------------

Original Message:
Sent: Mon December 13, 2021 11:08 AM
From: Steven Shull
Subject: Log4j Vulnerability (CVE-2021-44228)

The log4j version shipped with Maximo (or Manage) for most customers will not be impacted. If you have ACM, Aviation, or Scheduler Optimization there will be information posted on how to update it as those come with a version of log4j that is impacted.

WebSphere also is impacted and has the documentation available here: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/

------------------------------
Steven Shull

Original Message:
Sent: Sat December 11, 2021 01:28 PM
From: Pankaj Bhide
Subject: Log4j Vulnerability (CVE-2021-44228)

Hello, 

Recently our cyber security team based upon their logs suspected a few attacks related to "zero-day Java log4j vulnerability". It seems that

the vulnerability requires an application that would log a simple special string submitted by the user.  So for example, if a java app logs the HTTP User-Agent header (or any other header), the attacker merely needs to set their User-Agent to this special string.  

Any clue whether in MAXIMO code such logging statements are present? 

Are there any fixes, patches for MAXIMO, WebSphere, etc?

------------------------------
Pankaj Bhide
Computer Systems Engineer
Berkeley National Laboratory
Berkeley CA
------------------------------

#Maximo
#AssetandFacilitiesManagement

The transition to Log4j 2.X requires changes in Maximo/Control Desk to support. I'm not sure what has been made public so I'm not sure what I'm allowed to share. I'd reach out to your IBM rep to get an official answer. I can say it's something we are planning to address with upcoming releases.

------------------------------
Steven Shull
------------------------------

Original Message:
Sent: Mon January 10, 2022 05:38 PM
From: Boyd Bradford
Subject: Log4j Vulnerability (CVE-2021-44228)

Steven, what is the recommendation for remediating Log4j version 1 vulnerabilities in Maximo and ICD? Is there an existing procedure to replace it with Log4j version 2.17 (or latest)?

------------------------------
Boyd Bradford
Director, IT Service Management Practice
Advanced Integrated Solutions, Inc.

Original Message:
Sent: Mon December 13, 2021 11:08 AM
From: Steven Shull
Subject: Log4j Vulnerability (CVE-2021-44228)

The log4j version shipped with Maximo (or Manage) for most customers will not be impacted. If you have ACM, Aviation, or Scheduler Optimization there will be information posted on how to update it as those come with a version of log4j that is impacted.

WebSphere also is impacted and has the documentation available here: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/

------------------------------
Steven Shull

Original Message:
Sent: Sat December 11, 2021 01:28 PM
From: Pankaj Bhide
Subject: Log4j Vulnerability (CVE-2021-44228)

Hello, 

Recently our cyber security team based upon their logs suspected a few attacks related to "zero-day Java log4j vulnerability". It seems that

the vulnerability requires an application that would log a simple special string submitted by the user.  So for example, if a java app logs the HTTP User-Agent header (or any other header), the attacker merely needs to set their User-Agent to this special string.  

Any clue whether in MAXIMO code such logging statements are present? 

Are there any fixes, patches for MAXIMO, WebSphere, etc?

------------------------------
Pankaj Bhide
Computer Systems Engineer
Berkeley National Laboratory
Berkeley CA
------------------------------

#Maximo
#AssetandFacilitiesManagement

Thanks Steven. I was hoping for a workaround to satisfy the security team in the short run.

------------------------------
Boyd Bradford
Director, IT Service Management Practice
Advanced Integrated Solutions, Inc.
------------------------------

Original Message:
Sent: Tue January 11, 2022 08:00 AM
From: Steven Shull
Subject: Log4j Vulnerability (CVE-2021-44228)

The transition to Log4j 2.X requires changes in Maximo/Control Desk to support. I'm not sure what has been made public so I'm not sure what I'm allowed to share. I'd reach out to your IBM rep to get an official answer. I can say it's something we are planning to address with upcoming releases.

------------------------------
Steven Shull

Original Message:
Sent: Mon January 10, 2022 05:38 PM
From: Boyd Bradford
Subject: Log4j Vulnerability (CVE-2021-44228)

Steven, what is the recommendation for remediating Log4j version 1 vulnerabilities in Maximo and ICD? Is there an existing procedure to replace it with Log4j version 2.17 (or latest)?

------------------------------
Boyd Bradford
Director, IT Service Management Practice
Advanced Integrated Solutions, Inc.

Original Message:
Sent: Mon December 13, 2021 11:08 AM
From: Steven Shull
Subject: Log4j Vulnerability (CVE-2021-44228)

The log4j version shipped with Maximo (or Manage) for most customers will not be impacted. If you have ACM, Aviation, or Scheduler Optimization there will be information posted on how to update it as those come with a version of log4j that is impacted.

WebSphere also is impacted and has the documentation available here: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/

------------------------------
Steven Shull

Original Message:
Sent: Sat December 11, 2021 01:28 PM
From: Pankaj Bhide
Subject: Log4j Vulnerability (CVE-2021-44228)

Hello, 

Recently our cyber security team based upon their logs suspected a few attacks related to "zero-day Java log4j vulnerability". It seems that

the vulnerability requires an application that would log a simple special string submitted by the user.  So for example, if a java app logs the HTTP User-Agent header (or any other header), the attacker merely needs to set their User-Agent to this special string.  

Any clue whether in MAXIMO code such logging statements are present? 

Are there any fixes, patches for MAXIMO, WebSphere, etc?

------------------------------
Pankaj Bhide
Computer Systems Engineer
Berkeley National Laboratory
Berkeley CA
------------------------------

#Maximo
#AssetandFacilitiesManagement