Connect:Direct Windows
IBM support has provided the following remediation steps for Connect:Direct Windows (CDW).
CD Windows versions to which these instructions apply: 4.7 (EOS), 4.8, 6.0, 6.1, 6.2, if the Install Agent is present.
- Disable Install Agent
- Applies to CD Windows versions 4.7, 4.8, 6.0, 6.1, 6.2
- In the Install Agent Parameters section of the Initialization Parameters, set agent.enable=n
- Disable any “InstallAgent v*” services in the Windows Services console
See https://www.ibm.com/docs/en/connect-direct/6.2.0?topic=parameters-install-agent
For Connect:Direct File Agent software, a newer version (1.4.0.2_iFix013) that fixes the CVE has just been released.
This version addresses the applicable CVE (CVE-2021-44228) and updates Log4j to version 2.15.0.
You may download it from our server with the provided credentials if required.
Payment Primer for FPS
To update the Log4j binaries:
- Download and extract log4j-api-2.17.0.jar and log4j-core-2.17.0.jar from the zip file.
- Back up the existing log4j-api-2.11.0.jar and log4j-core-2.11.0.jar under the Payment Primer\bin folder.
- Replace these two Log4j jar files with the version 2.17 files (remove v2.11 and add v2.17).
- Test the Payment Primer with FPS files FPSD2006 if possible
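A check that can be run after the replacement, added here as an example and not supplied by the vendor: it lists the log4j-api and log4j-core jars in the bin folder and reads each jar's manifest, so a jar that was only renamed to 2.17.0, or a v2.11 copy left behind, is reported. It assumes the jars carry an Implementation-Version manifest entry (falling back to the file name if not); the function names are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 17, 0)  # target version from the steps above
JAR_RE = re.compile(r"^log4j-(api|core)-(\d+(?:\.\d+)*).*\.jar$", re.I)

def parse_version(text):
    """'2.17.0' -> (2, 17, 0), padded to three numeric parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def manifest_version(jar_path):
    """Implementation-Version from the jar manifest, or None if unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:[ \t]*(\S+)", text, re.M)
    return m.group(1) if m else None

def audit(bin_dir):
    """Return (file name, component, version, status) per log4j api/core jar."""
    rows = []
    for jar in sorted(Path(bin_dir).glob("*.jar")):
        m = JAR_RE.match(jar.name)
        if not m:
            continue
        component, name_ver = m.group(1).lower(), m.group(2)
        # Trust the manifest over the file name: a renamed 2.11.0 jar is still 2.11.0.
        actual = manifest_version(jar) or name_ver
        if parse_version(actual) < FIXED:
            status = "VULNERABLE"
        elif parse_version(actual) != parse_version(name_ver):
            status = "MISMATCH"
        else:
            status = "OK"
        rows.append((jar.name, component, actual, status))
    return rows

def is_remediated(bin_dir):
    """True only if api and core are both present and no old jar remains."""
    rows = audit(bin_dir)
    present = {component for _, component, _, status in rows if status == "OK"}
    return present == {"api", "core"} and all(r[3] == "OK" for r in rows)

if __name__ == "__main__":
    for row in audit(sys.argv[1]):
        print(*row)
    sys.exit(0 if is_remediated(sys.argv[1]) else 1)
```

Run it with the path to the Payment Primer\bin folder as the only argument; the exit code is 0 only when both jars are at 2.17.0 or later and no older copy remains in that folder.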
For the details:
Fixed in Log4j 2.17.0 https://logging.apache.org/log4j/2.x/security.html
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
- CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
- CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation