Informix

  • 1.  Informix Products and the Log4J vulnerability, Fixes Available

    Posted 19 days ago
    All,
     
    As you know, IBM Informix has been affected by the Log4j vulnerability. There are three separate issues here, all of which are fixed by the latest fixes to Informix Server versions 12.10.FC15 and 14.10.FC6 and 14.10.FC7 for all editions.
     
    Today we have posted the latest release of Informix 14.10.FC7W1 to Fix Central here:
     
     
    This new release is an outright replacement for 14.10.FC6 and 14.10.FC7; these releases are going to be discontinued and permanently withdrawn from service. You should discontinue all usage of 14.10.FC6 and 14.10.FC7 as soon as possible as they are not secure across all editions.
     
    Today we have posted the latest release of Informix 12.10.FC15 to Fix Central here:
     
     
    There are two updated files at the link above which are the Informix-server.jar and informix-agent.jar files for InformixHQ, for the current release of InformixHQ 1.6.3. These are the same files incorporated into 14.10.FC7W1. There will be a full pack release of 12.10.FC15W1 with the installer for release number purposes in the near future. You should apply the interim fix to the 12.10.FC15 release, as it is not secure across all editions and will be withdrawn permanently from service once the new fix is GA, the date for which is presently unknown.
     
    Finally, the Informix Cloud Pak For Data 4.0.5 will be GA on Jan 16 and also has the Informix fixes for the NEO4J within and available. Upgrade instructions links below will be updated on January 16th with updated commands:
     
    and here:
     
     
    If you are running earlier versions of Informix Cloud Pak for Data based on Informix 14.10.FC6 or Informix 14.10.FC7, for any available Informix Edition, be advised that those Informix Editions have the known log4j security vulnerabilities and should no longer be run. You should upgrade your version of Informix Cloud Pak for Data as soon as possible.
     
    The 14.10 Fix applies to users with Informix On Cloud that are using any of the above affected versions of Informix. The fix for Informix on Cloud users is the same as outlined above.
     
    The above are the only known IBM Informix server products at this time to be affected by the Log4J vulnerability.
     
    Further info:
     

    Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix workaround
    https://www.ibm.com/support/pages/node/6527396

    Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228):
    https://www.ibm.com/support/pages/node/6536712

     
    Scott Pickett
    IBM Informix WW Technical Sales IBM Expert Labs
    IBM Informix WW Cloud Technical Sales IBM Expert Labs
    IBM Informix WW Cloud Technical Sales ICIAE IBM Expert Labs
    IBM Informix WW Informix Warehouse Accelerator Sales IBM Expert Labs
    Boston, Massachusetts USA
    spickett@us.ibm.com
    617-899-7549
    33 Years Informix User
     
    The current Informix Roadshow presentations are here:
     




  • 2.  RE: Informix Products and the Log4J vulnerability, Fixes Available

    Posted 19 days ago
    Hi,

    Is Informix only affected if you are using InformixHQ?

    David.

    ------------------------------
    David Williams
    ------------------------------



  • 3.  RE: Informix Products and the Log4J vulnerability, Fixes Available

    Posted 19 days ago

    David:

    Yes, you should only be affected by the Log4j Vulnerability ( CVE-2021-44228 ) if you have installed HQ.  However, if you have run the default IDS installation it automatically adds the HQ directory with the vulnerable JARs but nothing is running and hence vulnerable until you set up HQ and it is running.

    IBM has released version 14.10.FC7W1 that includes the Log4J 2.17 version JARs.



    ------------------------------
    Best regards,
    Martin Graney
    Queues Enforth Development, Inc.
    Woburn, MA 01801
    ------------------------------
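
The thread notes that a default install leaves the InformixHQ JARs on disk even when HQ is not running, and that the fixed release ships Log4j 2.17 JARs. The script below is an added example, not code from the posters or from IBM, for inventorying which log4j-core version each JAR under a directory actually carries. It assumes Log4j is bundled with its standard Maven `pom.properties` metadata (directly or inside nested JARs); the thread does not describe the JAR layout, and the directory to scan is passed as an argument.

```python
import io, re, sys, zipfile
from pathlib import Path

# Standard Maven metadata entry carried by log4j-core (assumed present in the bundle).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)  # the thread says the fixed release includes Log4j 2.17 JARs

def log4j_versions(data, label):
    """Yield (location, version) for each log4j-core in a JAR, recursing into nested JARs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            if name == POM:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                if m:
                    yield label, m.group(1).strip()
            elif name.lower().endswith((".jar", ".war")):
                yield from log4j_versions(zf.read(name), f"{label}!{name}")

def older_than_fixed(version):
    """True when the version sorts below 2.17.0 (the level named in the thread)."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    nums += (0,) * (3 - len(nums))
    return nums < FIXED

def scan(root):
    """Return [(location, version, older_than_fixed)] for every JAR under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        for where, ver in log4j_versions(jar.read_bytes(), str(jar)):
            findings.append((where, ver, older_than_fixed(ver)))
    return findings

if __name__ == "__main__":
    # Usage: python scan_log4j.py <directory holding the InformixHQ JARs>
    for where, ver, old in scan(sys.argv[1]):
        print(f"{'OLD' if old else 'ok '}  log4j-core {ver}  {where}")
```

Running it before and after applying the updated `informix-server.jar` and `informix-agent.jar` confirms that no pre-2.17 copy is left behind in the install tree.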