log4j vulnerability on JTS
Hi,
As we all know, there is a vulnerability in log4j versions prior to 2.16. IBM released an ifix to update the current version of log4j (which is v2.13) to v2.15. But that only updates the mxbeanscollections. When I do a search in the install directory of the JTS, I find three locations where the log4j-api and log4j-core jars are used. I've updated these locations with the 2.17 versions, but when I start the JTS, I find that v2.13 is copied to C:\Program Files\ibm\JazzTeamServer_702_opl\server\liberty\servers\clm\workarea\org.eclipse.osgi\92\data\temp\default_node\SMF_WebContainer\rm\rm\eclipse\configuration\org.eclipse.osgi\410\0.cp. So I'd expect that this version is still in use. Tried to do a reset for the RM, but same result.
Using a liberty installation, so no -clean should be used.
Does anybody have a clue how to update to v2.17?
Regards,
Fons
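The search described in the question (which log4j jars are present under the install tree, and at which version) can be done systematically. The script below is an added example, not IBM tooling or anything from the thread: it walks an install tree (temp and workarea directories included), lists every log4j-api / log4j-core jar it finds, takes the version from the file name or, for renamed copies, from the jar's META-INF/MANIFEST.MF, and flags any jar below a floor you choose. The layout, file names and versions in build_sample_tree are constructed for the demo and mirror the situation in the question: an updated lib directory next to a stale copy in a workarea.

```python
"""Inventory log4j-api / log4j-core jars under an install tree and flag any
below a chosen floor. Added example for this thread, not IBM's tooling.
Assumes the standard Maven naming log4j-<module>-<version>.jar, with the
jar's META-INF/MANIFEST.MF as the fallback source of the version (so renamed
copies in a workarea are still identified)."""
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Iterator, List, NamedTuple, Optional, Tuple

NAMED_JAR = re.compile(r"^(log4j-(?:api|core))-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
ANY_JAR = re.compile(r"^(log4j-(?:api|core))\b.*\.jar$", re.IGNORECASE)
VERSION_KEYS = ("Implementation-Version:", "Bundle-Version:")


class Log4jJar(NamedTuple):
    path: str
    module: str  # "log4j-api" or "log4j-core"
    version: Tuple[int, int, int]


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.13' -> (2, 13, 0); trailing qualifiers such as '.SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(p or 0) for p in m.groups())
    return (major, minor, patch)


def version_from_manifest(jar: Path) -> Optional[str]:
    """Read the version recorded in the jar's manifest, or None if absent."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        for key in VERSION_KEYS:
            if line.startswith(key):
                return line[len(key):].strip()
    return None


def find_log4j_jars(root) -> Iterator[Log4jJar]:
    """Walk the whole tree (temp/workarea dirs included) and yield each log4j jar."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = ANY_JAR.match(name)
            if not m:
                continue
            full = Path(dirpath) / name
            named = NAMED_JAR.match(name)
            raw = named.group(2) if named else version_from_manifest(full)
            if raw is None:
                continue  # a log4j jar with no readable version: inspect by hand
            yield Log4jJar(str(full), m.group(1).lower(), parse_version(raw))


def outdated(root, floor: str = "2.17.0") -> List[Log4jJar]:
    """Return the jars whose version is below `floor`, sorted by path."""
    minimum = parse_version(floor)
    return sorted((j for j in find_log4j_jars(root) if j.version < minimum),
                  key=lambda j: j.path)


def _write_jar(path: Path, manifest_version: Optional[str]) -> None:
    """Create a minimal jar (a zip with a manifest). Constructed sample data."""
    path.parent.mkdir(parents=True, exist_ok=True)
    body = "Manifest-Version: 1.0\n"
    if manifest_version:
        body += f"Implementation-Version: {manifest_version}\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", body)


def build_sample_tree(root: Path) -> None:
    """Constructed sample: an updated lib dir plus stale copies in a workarea."""
    _write_jar(root / "server" / "lib" / "log4j-api-2.17.1.jar", "2.17.1")
    _write_jar(root / "server" / "lib" / "log4j-core-2.17.1.jar", "2.17.1")
    # Workarea copies carry the version only in the manifest, not the file name.
    _write_jar(root / "workarea" / "0.cp" / "log4j-api.jar", "2.13")
    _write_jar(root / "workarea" / "0.cp" / "log4j-core.jar", "2.13")


def demo() -> List[Log4jJar]:
    """Run the scan over the constructed tree and return the flagged jars."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return outdated(root)


if __name__ == "__main__":
    # Usage: python log4j_inventory.py <install dir> [floor]; no args runs the demo.
    if len(sys.argv) > 1:
        hits = outdated(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "2.17.0")
    else:
        hits = demo()
    for jar in hits:
        print("%-10s %-8s %s" % (jar.module, ".".join(map(str, jar.version)), jar.path))
```

Run it against the real install root (for the question above, "C:\Program Files\ibm\JazzTeamServer_702_opl") after an update and again after a server start; a jar that reappears under workarea or temp with an older version is a copy being re-extracted at startup, which is the behaviour the question reports.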
Accepted answer
Hi Fons,
For RM 702, please follow remediation #2 from the Security Bulletin: https://www.ibm.com/support/pages/node/6527732
The bulletin mentioned above talks about other ELM products and optional components that the Development Team found impacted by CVE-2021-44228 and has provided the steps to remediate each of them.
With the steps from the remediation, you will be at v2.15. For getting to 2.16 or later and for other vulnerabilities, please wait for Security Bulletins to be released.