Log4j2 security: CVE-2021-44228

[Peter Beentje]

We have received news about a security advisory for log4j2, a logging module present in Spotfire software:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

In the Server documentation a license file shows that log4j2 version 2.14.1 is used for Spotfire Server 10.10.6 LTS, so this version at least is susceptible to this vulnerability. The recommended solution for this version of log4j is tosetsystem property "log4j2.formatMsgNoLookups" to true" when launching the log4j2 jar, i.e.:

java -Dlog4j2.formatMsgNoLookups=true -jar xyz.jarWhere should this switch be added for Server 10.10.6

 

My server tools point tohttps://spotfi.re/admin-guide-10-10/, but the entire spotfi.re domain returns 403 forbidden for me.

[Rohit Naidu - No Longer at Nielsen]

This is appplicable to 11.4.0 version as well. any idea how to fix this

[Fredrik Rosell]

Hello,

 

Please refer to to TIBCO Knowledge Base articleTIBCO Spotfire Mitigation for CVE-2021-44228 (Log4Shell)for Spotfire-specific instructions regarding how to handle this issue.

For general TIBCO information on this topic, please refer to TIBCO Knowledge Base articleApache Log4J Vulnerability and Impact to TIBCO Products and Services

 

Best Regards

Fredrik

[Alexander Furner]

Hi

I found this article in the support portal that has the mitigation steps....

https://support.tibco.com/s/article/TIBCO-Spotfire-Mitigation-for-CVE-20...

Thanks

[Dener Rodrigues]

Which directory and file or files should the line be inserted

[Mounika Chikoti]

how to know the log4j version used in spotfire server we have 11.4 and 10.10

[Sharad Honavar]

Thank You. I went through the mitigation doc and seems to be directed at Spotfire Server users. However I am running Streambase Liveview servers developed in Spotfire Datastreams 10.6. WIll I be affected, and if so, what do I need to do to mitigate 

[Peter Beentje]

The log4j version for Spotfire Server 10.10 is 2.14.1 according to the license file. Per rohit's comment this is also the case for 11.4.

 

Please see Fredrik's answer for the resolution to use until the hotfix is available.

[Fredrik Rosell]

Hello,

 

For any specific questions about this issue, please open a case in the TIBCO Support portal - https://support.tibco.com - and our support team will assist you.

 

Thank you

 

Fredrik Rosell (TIBCO)

 

 

 

 

[Fredrik Rosell]

For anyone wanting to look up the log4j version for your specific TIBCO Spotfire Server version:

1. Go to the TIBCO Docs site, the TIBCO Spotfire Server section:

https://docs.tibco.com/products/tibco-spotfire-server-11-6-0

2. Select your version from the drop down.

3. In general, the document TIBCO Spotfire Server License Agreement will list the log4j version. If you don't find it, you may also find it in the document Release Notes Spotfire Server, which will list it if it has been updated in a service pack. In general though, for any specific questions you might have, please open a case in the TIBCO Support portal - https://support.tibco.com - and our support team will assist you.Thank you

Fredrik Rosell (TIBCO)