Apache Log4j 2 Vulnerability (CVE-2021-44228)

Connect:Direct Windows

IBM Support has provided the remediation steps for Connect:Direct Windows (CDW) below.

CD Windows versions to which these instructions apply: 4.7 (EOS), 4.8, 6.0, 6.1, 6.2, if the Install Agent is present.

  Disable Install Agent (applies to CD Windows versions 4.7, 4.8, 6.0, 6.1, 6.2):
  1. In the Install Agent Parameters section of the Initialization Parameters, set agent.enable=n
  2. Disable any “InstallAgent v*” services in the Windows Services console
     See https://www.ibm.com/docs/en/connect-direct/6.2.0?topic=parameters-install-agent
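The service part of the step above can be done from an elevated PowerShell prompt and verified afterwards. This is an added example, not IBM's script: it stops and disables every service whose name or display name starts with "InstallAgent", then confirms none is still running or set to start automatically. The agent.enable=n change in the Initialization Parameters is still made as described in the IBM documentation linked above; the example does not touch that file.

```powershell
# Added example (not IBM's code): disable the Connect:Direct Install Agent services.
# Assumption: the services are matched by the name pattern "InstallAgent*".
$ErrorActionPreference = 'Stop'

$agents = Get-Service | Where-Object {
    $_.Name -like 'InstallAgent*' -or $_.DisplayName -like 'InstallAgent*'
}

if (-not $agents) {
    Write-Host 'No InstallAgent services found on this host.'
    return
}

foreach ($svc in $agents) {
    if ($svc.Status -ne 'Stopped') {
        Write-Host "Stopping $($svc.Name) ($($svc.DisplayName))"
        Stop-Service -Name $svc.Name -Force
    }
    # Disabled start type keeps the service from coming back after a reboot
    Set-Service -Name $svc.Name -StartupType Disabled
}

# Verification: report anything that is still running or not disabled
$remaining = Get-Service | Where-Object {
    ($_.Name -like 'InstallAgent*' -or $_.DisplayName -like 'InstallAgent*') -and
    ($_.Status -ne 'Stopped' -or $_.StartType -ne 'Disabled')
}
if ($remaining) {
    $remaining | Format-Table Name, DisplayName, Status, StartType
    throw 'One or more InstallAgent services are still active or not disabled.'
}
Write-Host 'All InstallAgent services are stopped and disabled.'
```

Run it once per CD Windows host, then check the Install Agent Parameters as in step 1 so the agent is not re-enabled by the initparms on the next restart.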

For the Connect:Direct File Agent software, a newer version (1.4.0.2_iFix013) that fixes the CVE has just been released.
This version addresses the applicable CVE (CVE-2021-44228) and updates Log4j to version 2.15.0.

You may download it from our server with the provided credentials if required.


Payment Primer for FPS

To update the Log4j binaries:

  1. Download and extract the log4j-api-2.17.0.jar and log4j-core-2.17.0.jar from the zip file.
  2. Back up the existing log4j-api-2.11.0.jar and log4j-core-2.11.0.jar under the Payment Primer\bin folder.
  3. Replace these two log4j jar files with the version 2.17 ones (remove v2.11 and add v2.17).
  4. Test the Payment Primer with FPS files FPSD2006 if possible
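Steps 1 to 3 as one PowerShell script, added here as an example rather than a vendor-supplied tool. The bin folder path and the zip file location are assumptions passed as parameters. Beyond the swap itself it adds the checks a practitioner wants before moving on to step 4: the old jars are moved to a timestamped backup folder instead of deleted, exactly one log4j-core jar is left in bin, and that jar's manifest reports 2.17.0.

```powershell
# Added example (not the Payment Primer vendor's script): replace Log4j 2.11.0 with 2.17.0.
# Assumptions: $PaymentPrimerBin is the Payment Primer bin folder, $UpdateZip the downloaded zip.
param(
    [string]$PaymentPrimerBin = 'C:\Payment Primer\bin',                    # assumption
    [string]$UpdateZip = "$env:USERPROFILE\Downloads\log4j-2.17.0.zip"      # assumption
)
$ErrorActionPreference = 'Stop'

$oldJars = @('log4j-api-2.11.0.jar', 'log4j-core-2.11.0.jar')
$newJars = @('log4j-api-2.17.0.jar', 'log4j-core-2.17.0.jar')

# Step 1: extract the zip to a temporary folder
$extract = Join-Path $env:TEMP 'log4j-2.17.0-extract'
Expand-Archive -Path $UpdateZip -DestinationPath $extract -Force

# Step 2: move (not delete) the 2.11.0 jars into a timestamped backup folder
$backup = Join-Path $PaymentPrimerBin ('log4j-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($jar in $oldJars) {
    $path = Join-Path $PaymentPrimerBin $jar
    if (Test-Path $path) { Move-Item -Path $path -Destination $backup }
    else { Write-Warning "$jar not present in $PaymentPrimerBin; nothing to back up" }
}

# Step 3: copy the 2.17.0 jars into bin (the zip may nest them in a subfolder)
foreach ($jar in $newJars) {
    $src = Get-ChildItem -Path $extract -Recurse -Filter $jar | Select-Object -First 1
    if (-not $src) { throw "$jar was not found inside $UpdateZip" }
    Copy-Item -Path $src.FullName -Destination (Join-Path $PaymentPrimerBin $jar)
}

# Check 1: exactly one log4j-core jar must remain, so no 2.11.0 copy can still be loaded
$core = @(Get-ChildItem -Path $PaymentPrimerBin -Filter 'log4j-core-*.jar')
if ($core.Count -ne 1) { throw "Expected one log4j-core jar in bin, found $($core.Count)" }

# Check 2: read META-INF/MANIFEST.MF from the jar (a jar is a zip) and confirm the version
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($core[0].FullName)
try {
    $reader = New-Object System.IO.StreamReader($zip.GetEntry('META-INF/MANIFEST.MF').Open())
    $manifest = $reader.ReadToEnd()
    $reader.Dispose()
} finally {
    $zip.Dispose()
}
if ($manifest -notmatch '(Implementation|Bundle)-Version:\s*2\.17\.0') {
    throw "$($core[0].Name) does not report version 2.17.0 in its manifest"
}
Write-Host "Log4j jars replaced with 2.17.0; previous jars saved under $backup"
```

Keep the backup folder until step 4 (the FPSD2006 test run) succeeds; if the Payment Primer fails to start, moving the two jars back from the backup folder restores the previous state.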

For details:

Fixed in Log4j 2.17.0: https://logging.apache.org/log4j/2.x/security.html

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation