Hi Danny and all other Optim Users!
The Technote Danny references
(https://www.ibm.com/support/pages/node/6525890) has just been updated. Please review it. It does address the following 4 CVEs:
CVE-2021-45046: This is for Log4j 2.x, which Optim 11.3 does not use or include and therefore Optim 11.3 is not vulnerable to this.
CVE-2021-44228: This is for Log4j 2.x, which Optim 11.3 does not use or include and therefore Optim 11.3 is not vulnerable to this.
CVE-2021-4104: This is for Log4j 1.2.x, which Optim 11.3 includes. Remediation instructions are provided in the Technote.
CVE-2019-17571: This is for Log4j 1.2.x, which Optim 11.3 includes. Remediation instructions are provided in the Technote.
In regards to upgrading to log4j 2.x, this will not be done. We are working on removing all use of log4j in our next release.
Rick Spagna
Optim Development
UNICOM Global
------------------------------
Regards,
Rick Spagna
Optim Development Director
UNICOM Global
------------------------------
Original Message:
Sent: Tue January 11, 2022 12:21 PM
From: Danny Lankford
Subject: Log4J with Optim Software
IBM's support note on this. Just FYI.
https://www.ibm.com/support/pages/node/6525890
------------------------------
Danny Lankford
3M - IT Manager
Original Message:
Sent: Tue January 11, 2022 12:12 PM
From: Mark Crawford
Subject: Log4J with Optim Software
Our organization's security team has asked that we ensure ALL versions of log4j are upgraded to 2.17.1. Can you provide guidance on how we can get the Optim products to this level?
------------------------------
Mark Crawford
Original Message:
Sent: Mon January 10, 2022 04:34 PM
From: Vishwas Balakrishna
Subject: Log4J with Optim Software
Hello Danny,
CVE-2021-4428 and CVE-2021-45046 are confirmed on log4j 2.x. Optim does not use this version of log4j and is therefore not vulnerable to these CVEs.
Thanks and regards,
Vishwas Balakrishna
Estuate, Inc. Princeton, NJ
Original Message:
Sent: 1/10/2022 4:02:00 PM
From: Danny Lankford
Subject: Log4J with Optim Software
Anyone else find Log4J vulnerabilities with your Optim Products? Our security folks scanned us and found an Optim Connect Server related Log4j vulnerability.
Apache Log4j Unsupported Version Detection Path : E:\IBM Optim\Connect\Server\Lib\log4j-1.2.15.jar Installed version.
I have a few ideas for workarounds but just curious what you all are doing to remediate?
------------------------------
Danny Lankford
3M - IT Manager
------------------------------
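An inventory check along the lines of the scanner hit above, added here as an example and not code from the thread, IBM or the Technote: it walks an install tree, picks out log4j jars by version, and reports which of the two Log4j 1.2.x CVEs named later in the thread have their affected class shipped in each jar. The class names (JMSAppender for CVE-2021-4104, SocketServer for CVE-2019-17571) are an assumption taken from the public advisories, and the sample jars under `Connect/Server/Lib` are constructed placeholders.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Classes behind the two Log4j 1.2.x CVEs named in the thread (assumption:
# class names come from the public advisories, not from the IBM Technote).
WATCH_CLASSES = {
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
}
# Version embedded in the jar name, e.g. log4j-1.2.15.jar or log4j-core-2.17.1.jar
VERSION_RE = re.compile(r"log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?)\.jar$", re.IGNORECASE)

def inspect_jar(path):
    """Return a finding for one log4j jar, or None if the file is not one."""
    path = Path(path)
    m = VERSION_RE.search(path.name)
    if not m:
        return None
    version = m.group(1)
    with zipfile.ZipFile(path) as zf:
        entries = set(zf.namelist())
    return {
        "path": str(path),
        "version": version,
        "log4j1": version.startswith("1."),
        "exposed": [cve for cve, cls in WATCH_CLASSES.items() if cls in entries],
    }

def scan_tree(root):
    """Walk a directory tree (e.g. the Optim install) and report every log4j jar."""
    found = (inspect_jar(p) for p in Path(root).rglob("*.jar"))
    return sorted((f for f in found if f), key=lambda f: f["path"])

def build_sample_tree(root):
    """Constructed input mimicking the scanner hit in the thread: log4j-1.2.15.jar
    carrying both watched classes, plus a 2.17.1 jar. Entries are empty placeholders."""
    lib = Path(root) / "Connect" / "Server" / "Lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-1.2.15.jar", "w") as zf:
        for cls in WATCH_CLASSES.values():
            zf.writestr(cls, b"")
    with zipfile.ZipFile(lib / "log4j-core-2.17.1.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    return root

def demo():
    # Build the constructed sample tree in a temp dir, scan it, return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))
```

Point `scan_tree` at a real install root to get the same per-jar report; a jar whose `exposed` list is empty (the affected classes already removed) still shows up as `log4j1` so it is not lost from the inventory.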
#InfoSphereOptim
#Optim