At the request of customers and the IBM Corporate Information Security Officer (CISO), we have coordinated an update across all IBM Engineering Lifecycle Management (ELM) products to replace Apache Log4j version 1 with Log4j version 2.17. We will no longer ship Log4j version 1 libraries. See IBM Engineering Lifecycle Management adopts log4j v2 in all applications (removing log4jv1).
For existing installations of IBM ELM applications version 7.0.1, either an upgrade to 7.0.2 SR1 or side-by-side installation to 7.0.1 SR1 is required (not a full upgrade) to fully remove Log4j version 1 bits. Steps to upgrade to 7.0.2 SR1 are in the interactive upgrade guide and the side-by-side installation is documented in technote How to perform a side-by-side installation to deploy the IBM Engineering Lifecycle Management log4j v1 vulnerability remediation release. Any future maintenance releases for 7.0.1 will need to start with 7.0.1 SR1 as a base.
For existing installations of IBM ELM applications version 7.0.2, a side-by-side installation is required (not a full upgrade) to fully remove Log4j version 1 bits. Steps to do so are documented in technote How to perform a side-by-side installation to deploy the IBM Engineering Lifecycle Management log4j v1 vulnerability remediation release. Any future maintenance releases for 7.0.2 will need to start with 7.0.2 SR1 as a base.
If you have changed or added any log4j directives to customize the logging in the IBM ELM applications, you will need to migrate your changes. See technote How to update log4j v2 configuration files after upgrading to Engineering Lifecycle Management 7.0.2 SR1 (iFix015) and 7.0.1 SR1 (iFix018).
Customers with deployments earlier than 7.0.1 will need to upgrade to 7.0.1 SR1 or 7.0.2 SR1 to fully remove Log4j version 1. We recommend all customers upgrade to 7.0.2 SR1 rather than 7.0.1 SR1.
For new installations, use the latest IBM ELM installer.
Frequently asked questions:
- Will log4jv1 bits be completely removed from ELM installations?
  - Yes. Only log4jv2 libraries will remain.
- Will installation instructions be provided?
  - Yes. The instructions are simpler than a full ELM GA
  - DB updates and re-indexing will NOT be required.
- Where do we download the updates?
  - Jazz.net
  - Fix Central
  - Passport Advantage
- Will I need to run "repotools -addTables"?
  - No. Side-by-side installation does not involve schema changes, so data migration, transformation, or re-indexing is not required.
  - Upgrading to 7.0.2 SR1 from an ELM version 6.x release requires the standard documented data migration steps.
- Can I skip the ELM 7.0.1 SR1 or 7.0.2 SR1 install and just get future iFixes?
  - No. ELM 7.0.1 SR1/7.0.2 SR1 (with log4jv2) will be the basis of all future iFixes for their respective releases.
  - Future iFixes will not be compatible with older versions of ELM that use log4jv1.
- Will traditional iFix installations be the same in the future?
  - Yes. This side-by-side install is only necessary to remove log4jv1 bits from customers' systems. Once upgraded to ELM 7.0.1 SR1 or 7.0.2 SR1 as the base, subsequent iFixes will be applied as they have traditionally.
- Is the logging output the same with log4jv2?
  - Yes. The content is the same but the format will conform to the log4jv2 format.
- Are there any file name changes?
  - Configuration files: from log4j.properties to log4j2.xml, startup_log4j.properties to startup_log4j2.xml
  - Log rollovers: from xxx.log.1 to xxx.1.log
- Do EWM clients need special handling?
  - No. EWM maintenance upgrades are installed as usual.
  - Existing EWM clients are compatible with the SR1 release.
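
A post-install check for the leftovers the FAQ names (Log4j 1 libraries, the old configuration file names, old-style rollover files), as an added example that is not IBM tooling. The jar detection is a heuristic and an assumption: the class marker and the `log4j-1.2-api` bridge-name exclusion are not taken from this page, the sample tree is constructed, and archives nested inside WAR files are not opened.

```python
import re
import zipfile
from pathlib import Path

LEGACY_CONFIGS = {"log4j.properties", "startup_log4j.properties"}  # names from the FAQ
OLD_ROLLOVER = re.compile(r".+\.log\.\d+$")  # xxx.log.1 (old style); new style is xxx.1.log
V1_MARKER = "org/apache/log4j/Logger.class"  # assumption: class in the Log4j 1.x package
BRIDGE_PREFIX = "log4j-1.2-api"  # assumption: Log4j 2 compatibility bridge, same package

def is_log4j_v1_jar(path):
    """Heuristic: the archive carries the v1 Logger class and is not the v2 bridge."""
    if path.name.startswith(BRIDGE_PREFIX):
        return False
    try:
        with zipfile.ZipFile(path) as jar:
            return V1_MARKER in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return False  # unreadable archive: skip it rather than abort the scan

def scan(root):
    """Walk an install tree and report leftovers from the Log4j 1 layout."""
    found = {"v1_jars": [], "legacy_configs": [], "old_rollovers": []}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() == ".jar" and is_log4j_v1_jar(p):
            found["v1_jars"].append(rel)
        elif p.name in LEGACY_CONFIGS:
            found["legacy_configs"].append(rel)
        elif OLD_ROLLOVER.match(p.name):
            found["old_rollovers"].append(rel)
    return found

def build_sample_tree(root):
    """Constructed sample tree (not a real ELM layout) for trying the scan offline."""
    root = Path(root)
    for sub in ("lib", "conf", "logs"):
        (root / sub).mkdir(parents=True)
    for name, member in [("log4j-1.2.17.jar", V1_MARKER),
                         ("log4j-1.2-api-2.17.0.jar", V1_MARKER),
                         ("log4j-core-2.17.0.jar", "org/apache/logging/log4j/core/Logger.class")]:
        with zipfile.ZipFile(root / "lib" / name, "w") as jar:
            jar.writestr(member, b"")
    for rel in ("conf/log4j.properties", "conf/log4j2.xml", "logs/app.log.1", "logs/app.1.log"):
        (root / rel).write_text("")
    return root

if __name__ == "__main__":
    import json, sys
    print(json.dumps(scan(sys.argv[1]), indent=2))
```

Run it against the installation directory after the side-by-side install; any entry under `v1_jars` or `legacy_configs` points at files the SR1 layout should no longer contain or read.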