Peter Beentje Posted December 13, 2021 We have received news about a security advisory for log4j2, a logging module present in Spotfire software: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 In the Server documentation a license file shows that log4j2 version 2.14.1 is used for Spotfire Server 10.10.6 LTS, so this version at least is susceptible to this vulnerability. The recommended solution for this version of log4j is to set the system property "log4j2.formatMsgNoLookups" to "true" when launching the log4j2 jar, i.e.: java -Dlog4j2.formatMsgNoLookups=true -jar xyz.jar Where should this switch be added for Server 10.10.6? My server tools point to https://spotfi.re/admin-guide-10-10/, but the entire spotfi.re domain returns 403 forbidden for me.
Rohit Naidu - No Longer at Nielsen Posted December 13, 2021 This is applicable to the 11.4.0 version as well. Any idea how to fix this?
Fredrik Rosell Posted December 13, 2021 Hello, Please refer to TIBCO Knowledge Base article "TIBCO Spotfire Mitigation for CVE-2021-44228 (Log4Shell)" for Spotfire-specific instructions regarding how to handle this issue. For general TIBCO information on this topic, please refer to TIBCO Knowledge Base article "Apache Log4J Vulnerability and Impact to TIBCO Products and Services". Best Regards Fredrik
Alexander Furner Posted December 13, 2021 Hi, I found this article in the support portal that has the mitigation steps: https://support.tibco.com/s/article/TIBCO-Spotfire-Mitigation-for-CVE-20... Thanks
Dener Rodrigues Posted December 13, 2021 Which directory and file or files should the line be inserted in?
Mounika Chikoti Posted December 13, 2021 How do we know the log4j version used in Spotfire Server? We have 11.4 and 10.10.
Sharad Honavar Posted December 13, 2021 Thank you. I went through the mitigation doc and it seems to be directed at Spotfire Server users. However, I am running StreamBase LiveView servers developed in Spotfire Data Streams 10.6. Will I be affected, and if so, what do I need to do to mitigate?
Peter Beentje Posted December 14, 2021 (Author) The log4j version for Spotfire Server 10.10 is 2.14.1 according to the license file. Per Rohit's comment this is also the case for 11.4. Please see Fredrik's answer for the resolution to use until the hotfix is available.
Fredrik Rosell Posted December 14, 2021 Hello, For any specific questions about this issue, please open a case in the TIBCO Support portal - https://support.tibco.com - and our support team will assist you. Thank you, Fredrik Rosell (TIBCO)
Fredrik Rosell Posted December 14, 2021 For anyone wanting to look up the log4j version for your specific TIBCO Spotfire Server version:
1. Go to the TIBCO Docs site, the TIBCO Spotfire Server section: https://docs.tibco.com/products/tibco-spotfire-server-11-6-0
2. Select your version from the drop-down.
3. In general, the document "TIBCO Spotfire Server License Agreement" will list the log4j version. If you don't find it there, you may also find it in the document "Release Notes Spotfire Server", which will list it if it has been updated in a service pack.
In general though, for any specific questions you might have, please open a case in the TIBCO Support portal - https://support.tibco.com - and our support team will assist you. Thank you, Fredrik Rosell (TIBCO)
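Alongside the documentation lookup above, an administrator can also verify the shipped version directly on disk. The following is an added example (not TIBCO code and not from the Knowledge Base articles): a Python scanner that walks an install directory, identifies every log4j-core jar by its class layout rather than its file name, reads the Implementation-Version from the manifest, and flags versions at or below the 2.14.1 this thread reports. The install path and the sample jars it builds are constructed for the demonstration.

```python
"""Added example: inventory log4j-core jars under an install tree (sample tree is constructed)."""
import os
import re
import tempfile
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"          # present only in log4j-core jars
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"   # class that performs JNDI lookups
THREAD_VERSION = (2, 14, 1)  # version this thread reports for Server 10.10 and 11.4

def parse_version(text):
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)  # '2.14' counts as (2, 14, 0)
    return tuple(int(p) for p in match.groups(default="0")) if match else None

def inspect_jar(path):
    """Return a report for a log4j-core jar, or None for any other jar."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
        found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        version = found.group(1) if found else os.path.basename(path)  # fall back to the file name
        parsed = parse_version(version)
        return {"path": path, "version": version,
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "at_or_below_2_14_1": parsed is not None and parsed <= THREAD_VERSION}

def scan(root):
    """Walk root and report every log4j-core jar, including renamed copies."""
    reports = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if name.endswith(".jar") and zipfile.is_zipfile(full):
                report = inspect_jar(full)
                if report:
                    reports.append(report)
    return reports

def build_sample_install():
    """Constructed sample: a fake log4j-core 2.14.1 jar plus an unrelated jar in a temp dir."""
    lib = os.path.join(tempfile.mkdtemp(), "tomcat", "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not a real class
    with zipfile.ZipFile(os.path.join(lib, "other-1.0.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 1.0\r\n")
    return lib
```

Run `scan("<spotfire install dir>")` against a real installation; the report for each jar gives the version to compare with the License Agreement document.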