IBM Support

IBM Tivoli Monitoring - considerations for log4j

News


Abstract

Statement on the impact of log4j on IBM Tivoli Monitoring components

Content

ITM L3/Development completed a review and found that despite the existence of "log4j" files in the ITM directory structure, supported versions of ITM are not impacted by CVE-2021-44228 and other CVEs because the files are not actively used.
This review included a number of CVEs
CVE-2021-4104
CVE-2021-44228
CVE-2021-44832
CVE-2021-45046
CVE-2021-45105
 


Additional information on the impact of log4j in ITM
Q: How do I remediate the presence of log4j in ITM?
A: Apply the provided updates available to everyone
Q: Are there other agents, like ITCAM agents, that are vulnerable, and what action do I take to remediate?
A: Each ITCAM bundle is listed on the Apache Log4j document, check there for updates on the ITCAM bundles.  https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
Q: What should I do if a filesystem scanner reports an issue with a log4j finding?
A: If you have applied all the recommended maintenance this is likely a false positive due to the presence of a mention of log4j.  No action is required.  Scanners may find and report log4j at the version reported in the CVE.  There is a table at the bottom that provides for more information on particular files you might have found.
For example, the affected version of log4j is included if you've installed ITM 630 fix pack 7 service pack 5 or later and updated to WAS 8.5.5.x.  WAS 8.5.5.x includes as an installable application ear file, uddi.ear, but it is not deployed for use and therefore the TEPS system is not vulnerable.   
Q: How do I fix my environment if I am running ITM 630 fix pack 7 before service pack 10?  My concern is the log4j-1-1-1.jar file, which is referenced in kit.inf.
A: You must upgrade the environment to remove this reference.
Q: We have noticed that Installation Manager contains ant-apache-log4.jar.  How can we remediate this? File path is: plugins/org.apache.ant_1.9.6.v201510161327/lib/ant-apache-log4j.jar
A: It doesn't require remediation. This jar does not contain log4j at any version. It includes code to use log4j if a log4j implementation is present, but log4j is not present.
Q: I grepped for "log4j" and found a number of references, what do I do?
A:  Some components include code to use log4j if a log4j implementation is present, but log4j is not present.
For a list of our Security Bulletins for the CVEs that affect ITM check these documents
  • https://www.ibm.com/support/pages/node/6538414
Files you might find
UNIX/LINUX files Change
/cq/classes/api-dep.jar Removed log4j1.x classes with SP10
/cq/lib/jvmcore.jar Removed log4j1.x classes with SP10
/cq/lib/com.ibm.TEPS.EWAS_6.1.4.jar Removed log4j1.x classes with SP10
/cq/lib/ITMREST.ear updated log4j component jars to 2.17.1 with SP10
/iw/plugins/com.ibm.TEPS.EWAS_6.1.4.jar Removed log4j1.x classes with SP10
/iw/profiles/ITMProfile/config/cells/ITMCell/applications/ITMREST.ear/ITMRest.ear updated log4j component jars to 2.17.1 with SP10
/iw/profiles/ITMProfile/installedApps/ITMCell/ITMREST.ear/log4j-1.2-api-2.13.1.jar
updated to log4j-1.2-api-2.17.1.jar
with SP10
/iw/profiles/ITMProfile/installedApps/ITMCell/ITMREST.ear/log4j-api-2.13.1.jar
update to log4j-api-2.17.1.jar
with SP10
/cj/kit.inf Removed in SP10
/cj/lib/console.jar Removed in SP10
/cj/lib/ibmjsse.jar Removed in SP10
/cj/lib/jcf.jar Removed in SP10
/cj/lib/jhall.jar Removed in SP10
/cj/lib/jrim.jar Removed in SP10
/cj/lib/jsafe.zip Removed in SP10
/cj/lib/kit.jar Removed in SP10
/cj/lib/launch.jar Removed in SP10
/cj/lib/log4j-1.1.1.jar Removed in SP10
/cj/lib/log4j-1.1.1.jar Removed in SP10
/cj/lib/nvnways.jar Removed in SP10
/cj/lib/nways_dep.jar Removed in SP10
/cj/lib/tec_tap.jar Removed in SP10
/cj/lib/uif.jar Removed in SP10
/cq/lib/jcf.jar Removed in SP10
/cq/lib/jrim.jar Removed in SP10
/cq/lib/jsafe.zip Removed in SP10
/cq/lib/tec_ui_svr_stubs.jar Removed in SP10
/cw/classes/console.jar Removed in SP10
/cw/classes/ibmjsse.jar Removed in SP10
/cw/classes/jcf.jar Removed in SP10
/cw/classes/jhall.jar Removed in SP10
/cw/classes/jrim.jar Removed in SP10
/cw/classes/jsafe.zip Removed in SP10
/cw/classes/kit.jar Removed in SP10
/cw/classes/launch.jar Removed in SP10
/cw/classes/log4j-1.1.1.jar Removed in SP10
/cw/classes/log4j-1.1.1.jar Removed in SP10
/cw/classes/nvnways.jar Removed in SP10
/cw/classes/nways_dep.jar Removed in SP10
/cw/classes/tec_tap.jar Removed in SP10
/cw/classes/uif.jar Removed in SP10
/cw/console.jar.jnlp Removed in SP10
/cw/ibmjsse.jar.jnlp Removed in SP10
/cw/jcf.jar.jnlp Removed in SP10
/cw/jhall.jar.jnlp Removed in SP10
/cw/jrim.jar.jnlp Removed in SP10
/cw/jsafe.zip.jnlp Removed in SP10
/cw/jsafe.zip Removed in SP10
/cw/Kit.inf Removed in SP10
/cw/kit.jar.jnlp Removed in SP10
/cw/launch.jar.jnlp Removed in SP10
/cw/log4j-1.1.1.jar.jnlp Removed in SP10
/cw/log4j-1.1.1.jar.jnlp Removed in SP10
/cw/nvnways.jar.jnlp Removed in SP10
/cw/nways_dep.jar.jnlp Removed in SP10
/cw/tec_tap.jar.jnlp Removed in SP10
/cw/uif.jar.jnlp Removed in SP10
/iw/installableApps/uddi.ear Removed log4j with WAS 8.55.20.02 patch
Windows files Change
CNPS\classes\api-dep.jar Removed log4j1.x classes with SP10
CNPS\jvmcore.jar Removed log4j1.x classes with SP10
CNPS\com.ibm.TEPS.EWAS_6.1.4.jar Removed log4j1.x classes with SP10
CNPS\ITMREST.ear Updated log4j component jars to 2.17.1 with SP10
CNPSJ\plugins\com.ibm.TEPS.EWAS_6.1.4.jar Removed log4j1.x classes with SP10
CNPSJ\profiles\ITMProfile\config\cells\ITMCell\applications\ITMREST.ear\ITMREST.ear updated log4j component jars to 2.17.1 with SP10
CNPSJ\profiles\ITMProfile\installedApps\ITMCell\ITMREST.ear\log4j-1.2-api-2.13.1.jar updated to log4j-1.2-api-2.17.1.jar with SP10
CNPSJ\profiles\ITMProfile\installedApps\ITMCell\ITMREST.ear\log4j-api-2.13.1.jar updated to log4j-api-2.17.1.jar
with SP10
CNB\classes\console.jar Removed in SP10
CNB\classes\ibmjsse.jar Removed in SP10
CNB\classes\jcf.jar Removed in SP10
CNB\classes\jhall.jar Removed in SP10
CNB\classes\jrim.jar Removed in SP10
CNB\classes\jsafe.zip Removed in SP10
CNB\classes\Kit.inf Removed in SP10
CNB\classes\kit.jar Removed in SP10
CNB\classes\launch.jar Removed in SP10
CNB\classes\log4j-1.1.1.jar Removed in SP10
CNB\classes\log4j-1.1.1.jar Removed in SP10
CNB\classes\nvnways.jar Removed in SP10
CNB\classes\nways_dep.jar Removed in SP10
CNB\classes\tec_tap.jar Removed in SP10
CNB\classes\uif.jar Removed in SP10
CNB\console.jar.jnlp Removed in SP10
CNB\ibmjsse.jar.jnlp Removed in SP10
CNB\jcf.jar.jnlp Removed in SP10
CNB\jhall.jar.jnlp Removed in SP10
CNB\jrim.jar.jnlp Removed in SP10
CNB\jsafe.zip.jnlp Removed in SP10
CNB\kit.jar.jnlp Removed in SP10
CNB\launch.jar.jnlp Removed in SP10
CNB\log4j-1.1.1.jar.jnlp Removed in SP10
CNB\log4j-1.1.1.jar.jnlp Removed in SP10
CNB\nvnways.jar.jnlp Removed in SP10
CNB\nways_dep.jar.jnlp Removed in SP10
CNB\tec_tap.jar.jnlp Removed in SP10
CNB\uif.jar.jnlp Removed in SP10
CNP\console.jar Removed in SP10
CNP\ibmjsse.jar Removed in SP10
CNP\jcf.jar Removed in SP10
CNP\jhall.jar Removed in SP10
CNP\jrim.jar Removed in SP10
CNP\jsafe.zip Removed in SP10
CNP\Kit.inf Removed in SP10
CNP\kit.jar Removed in SP10
CNP\launch.jar Removed in SP10
CNP\log4j-1.1.1.jar Removed in SP10
CNP\log4j-1.1.1.jar Removed in SP10
CNP\nvnways.jar Removed in SP10
CNP\nways_dep.jar Removed in SP10
CNP\tec_tap.jar Removed in SP10
CNP\uif.jar Removed in SP10
CNPS\jcf.jar Removed in SP10
CNPS\jrim.jar Removed in SP10
CNPS\jsafe.zip Removed in SP10
CNPS\tec_ui_svr_stubs.jar Removed in SP10
CNPSJ\installableApps\uddi.ear Removed log4j with WAS 8.55.20.02 patch

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"ARM Category":[{"code":"a8m500000008bokAAA","label":"Security-\u003EVulnerabilities"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
20 May 2022

UID

ibm16525824

Page Feedback