InfoSphere Optim


Log4J with Optim Software

  • 1.  Log4J with Optim Software

    Posted Mon January 10, 2022 04:02 PM
    Anyone else find Log4J vulnerabilities with your Optim Products? Our security folks scanned us and found an Optim Connect Server related Log4j vulnerability. 

    Apache Log4j Unsupported Version Detection Path : E:\IBM Optim\Connect\Server\Lib\log4j-1.2.15.jar Installed version. 

    I have a few ideas for workarounds but just curious what you all are doing to remediate?

    ------------------------------
    Danny Lankford
    3M - IT Manager
    ------------------------------

    #InfoSphereOptim
    #Optim


  • 2.  RE: Log4J with Optim Software

    IBM Champion
    Posted Mon January 10, 2022 04:35 PM
    Hello Danny,

    CVE-2021-44228 and CVE-2021-45046 are confirmed on log4j 2.x. Optim does not use this version of log4j and is therefore not vulnerable to these CVEs.

    Thanks and regards,
    Vishwas Balakrishna
    Estuate, Inc. Princeton, NJ





  • 3.  RE: Log4J with Optim Software

    Posted Mon January 10, 2022 06:22 PM
    Vishwas, thanks for the quick reply. Oh really!? So this Optim Connect Server jar file is a version that is not impacted? 

    log4j-1.2.15.jar

     E:\IBM Optim\Connect\Server\Lib\log4j-1.2.15.jar

    Danny
    Sent from my iPhone





  • 4.  RE: Log4J with Optim Software

    IBM Champion
    Posted Mon January 10, 2022 06:28 PM
    Yes, search for the CVE numbers on the internet; it will tell you the vulnerability is on 2.x and onwards.

    Thanks and regards,
    Vishwas Balakrishna
    Cell: +1 818-309-0972





  • 5.  RE: Log4J with Optim Software

    Posted Tue January 11, 2022 12:13 PM
    Our organization's security team has asked that we ensure ALL versions of log4j are upgraded to 2.17.1. Can you provide guidance on how we can get the Optim products to this level?

    ------------------------------
    Mark Crawford
    ------------------------------



  • 6.  RE: Log4J with Optim Software

    Posted Tue January 11, 2022 12:22 PM
    IBM's support note on this. Just FYI. 
    https://www.ibm.com/support/pages/node/6525890

    ------------------------------
    Danny Lankford
    3M - IT Manager
    ------------------------------



  • 7.  RE: Log4J with Optim Software

    Posted Wed January 12, 2022 01:56 PM
    Hi Danny and all other Optim Users!

    The Technote Danny references (https://www.ibm.com/support/pages/node/6525890) has just been updated. Please review it. It does address the following 4 CVEs:

    CVE-2021-45046: This is for Log4j 2.x, which Optim 11.3 does not use or include and therefore Optim 11.3 is not vulnerable to this.
    CVE-2021-44228: This is for Log4j 2.x, which Optim 11.3 does not use or include and therefore Optim 11.3 is not vulnerable to this.
    CVE-2021-4104: This is for Log4j 1.2.x, which Optim 11.3 includes. Remediation instructions are provided in the Technote.
    CVE-2019-17571: This is for Log4j 1.2.x, which Optim 11.3 includes. Remediation instructions are provided in the Technote.


    In regards to upgrading to log4j 2.x, this will not be done. We are working on removing all use of log4j in our next release.

    Rick Spagna
    Optim Development
    UNICOM Global

    ------------------------------
    Regards,

    Rick Spagna
    Optim Development Director
    UNICOM Global
    ------------------------------
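    The four CVEs Rick lists split cleanly by Log4j line: the two 2021-44228/45046 issues are in Log4j 2.x, while CVE-2021-4104 (JMSAppender) and CVE-2019-17571 (SocketServer) are in the 1.2.x line that the scanner flagged under E:\IBM Optim\Connect\Server\Lib. The script below is an added example, not IBM, UNICOM or Optim code: it walks a directory tree, pulls the version out of each log4j jar name, maps it to the CVE families above, and for 1.2.x jars checks whether the JMSAppender and SocketServer classes are still packaged (a quick way to verify a remediation that strips them). The version ranges come from the CVE advisories; the sample directory layout is constructed to mimic the path in the thread and contains empty placeholder jars, not real Optim files.

```python
"""Inventory Log4j jars on disk and map each to the CVE families in the thread.

Added example, not Optim/IBM code. Version ranges used here:
  CVE-2021-44228: Log4j 2.0-beta9 through 2.14.1 (fixed in 2.15.0)
  CVE-2021-45046: Log4j 2.0-beta9 through 2.15.0 (fixed in 2.16.0)
  CVE-2021-4104 / CVE-2019-17571: the Log4j 1.2.x line (JMSAppender / SocketServer)
"""
import os
import re
import tempfile
import zipfile

# Matches log4j-1.2.15.jar and log4j-core-2.17.1.jar; log4j-api jars are skipped
# on purpose, since the affected code lives in the core jar.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$", re.IGNORECASE)

# Classes inside a 1.2.x jar that the two 1.x CVEs concern.
LOG4J1_RISKY_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",   # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
)


def version_from_name(filename):
    """Return (major, minor, patch) parsed from a log4j jar name, or None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version):
    """Map a Log4j version tuple to the CVEs from the thread that cover it.

    Pre-release 2.0 builds are not distinguished from 2.0.0 here; a 2.0-betaN
    file name parses as (2, 0, 0) and is flagged, which is the safe direction.
    """
    cves = []
    if version[0] == 1:
        cves += ["CVE-2021-4104", "CVE-2019-17571"]
    elif version[0] == 2:
        if version < (2, 15, 0):
            cves.append("CVE-2021-44228")
        if version < (2, 16, 0):
            cves.append("CVE-2021-45046")
    return cves


def risky_classes_present(jar_path):
    """List which of the 1.x appender/server classes are still packaged in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [c for c in LOG4J1_RISKY_CLASSES if c in names]


def scan_tree(root):
    """Walk root and return one finding dict per log4j jar, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = version_from_name(name)
            if version is None:
                continue
            path = os.path.join(dirpath, name)
            finding = {"path": path, "version": version, "cves": classify(version)}
            if version[0] == 1:
                finding["risky_classes"] = risky_classes_present(path)
            findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, entries):
    """Write a minimal jar (a zip) containing empty entries; constructed sample only."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_tree():
    """Constructed layout echoing the thread's Optim Connect path; not real IBM files."""
    root = tempfile.mkdtemp(prefix="optim-log4j-")
    lib = os.path.join(root, "IBM Optim", "Connect", "Server", "Lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-1.2.15.jar"),
               ["META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
                "org/apache/log4j/net/JMSAppender.class",
                "org/apache/log4j/net/SocketServer.class"])
    other = os.path.join(root, "other-app", "lib")
    os.makedirs(other)
    _write_jar(os.path.join(other, "log4j-core-2.17.1.jar"), ["META-INF/MANIFEST.MF"])
    _write_jar(os.path.join(other, "log4j-api-2.17.1.jar"), ["META-INF/MANIFEST.MF"])
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        ver = ".".join(map(str, f["version"]))
        extra = f" (1.x classes present: {f['risky_classes']})" if "risky_classes" in f else ""
        print(f"{f['path']}: log4j {ver} -> {f['cves'] or 'no listed CVE'}{extra}")
```

    Point scan_tree at the real install root instead of build_sample_tree() to inventory a server; an empty risky_classes list on a 1.2.x jar is the signal that a class-stripping remediation has actually been applied, whereas the file name alone (what the scanner reported) only tells you the line.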



  • 8.  RE: Log4J with Optim Software

    Posted Thu January 13, 2022 08:15 AM
    Hi Rick,

    Thank you. I'm wondering when the next release, the 11.7 version of Optim, will be released. I was told last year in a TS that it would be released in mid-January 2022.



    ------------------------------
    Qiong Dai
    ------------------------------



  • 9.  RE: Log4J with Optim Software

    Posted Thu January 13, 2022 08:51 AM
    Hello Rick! Thank you for the update.  Do you have any idea when this next release will be available?  We have been anxiously awaiting it for months now.  I know the pandemic has slowed everything down (except the end of life dates on SQL Server releases) and we want to get the next Optim installed before we migrate to SQL Server 2019.  I also need at least a tentative date to relay to my security team so they know this is being addressed.

    Thank you again!

    ------------------------------
    Deborah Gresham
    ------------------------------



  • 10.  RE: Log4J with Optim Software

    IBM Champion
    Posted Tue January 11, 2022 12:38 PM
    As far as I know, the Optim development team is working on upgrading all the Log4j versions in the product, but I am not sure whether it will be the version your security team is asking for. 
    The IBM Information Server product patch had Log4j version 2.16, so I am not sure which version will be packaged with Optim.
    We need to wait a week or two for the Optim team to release the fixes after their testing.

    Thanks and regards,
    Vishwas Balakrishna
    Cell: +1 818-309-0972





  • 11.  RE: Log4J with Optim Software

    IBM Champion
    Posted Tue January 11, 2022 12:40 PM
    Or it might be part of Optim 11.7 release. I should not make up the schedule as I am not sure of it.

    Thanks and regards,
    Vishwas Balakrishna
    Estuate, Inc. Princeton, NJ