log4j vulnerability on JTS

Fons Maathuis (25417) | asked Dec 20 '21, 10:27 a.m.


As we all know, there is a vulnerability on log4j versions prior to 2.16. IBM released an ifix to update the current version log4j (which is v2.13) to v2.15. But that only updates the mxbeanscollections. When I do a search in the install directory from the JTS, I find three locations where the log4j-api and log4j-core jars are used. I've updated these locations with the 2.17 versions but when I start the JTS, I find that v2.13 is copied to C:\Program Files\ibm\JazzTeamServer_702_opl\server\liberty\servers\clm\workarea\org.eclipse.osgi\92\data\temp\default_node\SMF_WebContainer\rm\rm\eclipse\configuration\org.eclipse.osgi\410\0.cp. So I'd expect that this version still is in use. Tried to do a reset for the RM but same result.
Using a liberty installation, so no -clean should be used. 

Does anybody have a clue how to update to v2.17?
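The question comes down to two checks a defender wants to run after patching: which Log4j 2 core/api jars exist anywhere under the install tree, and what version each one really is. Below is an added example scanner written for this thread; it is not IBM's ifix logic or the poster's procedure. It assumes only that Log4j jars carry an Implementation-Version header in META-INF/MANIFEST.MF and keep their classes under org/apache/logging/log4j/. Because the extracted copy named in the question (the 0.cp file under the Liberty workarea) has no .jar extension, files are identified by content rather than by name. The directory layout it scans is constructed in build_sample_tree() to echo the thread: patched 2.17.0 jars in a lib directory and a stale 2.13.0 copy under a workarea.

```python
"""Find every Log4j 2 core/api archive under an install tree and flag stale versions.

Added example; not code from IBM or from the thread. Assumes the manifest header
Implementation-Version and the org/apache/logging/log4j/ package layout.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Floor taken from the question (fixed versions start at 2.16); raise it to
# match whichever bulletin you are following.
MIN_SAFE = (2, 16, 0)
NAME_RE = re.compile(r"log4j-(?:core|api)-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.13' -> (2, 13, 0). Anything unparsable yields () which sorts below MIN_SAFE,
    so an unknown version is deliberately reported as vulnerable."""
    nums = []
    for part in text.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple((nums + [0, 0, 0])[:3]) if nums else ()


def inspect_archive(path):
    """Return (artifact, version) if path is a Log4j core/api archive, else None."""
    version = None
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            artifact = None
            for n in names:
                if n.startswith("org/apache/logging/log4j/core/"):
                    artifact = "log4j-core"
                    break
                if n.startswith("org/apache/logging/log4j/") and n.endswith(".class"):
                    artifact = "log4j-api"
            if artifact is None:
                return None
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("implementation-version:"):
                        version = line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        return None
    if version is None:  # fall back to the file name only when the manifest is silent
        m = NAME_RE.search(Path(path).name)
        version = m.group(1) if m else "unknown"
    return artifact, version


def scan_tree(root):
    """Walk root; return one dict per Log4j archive found, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if not zipfile.is_zipfile(path):
                continue
            hit = inspect_archive(path)
            if hit is None:
                continue
            artifact, version = hit
            findings.append({
                "path": str(path),
                "artifact": artifact,
                "version": version,
                "vulnerable": parse_version(version) < MIN_SAFE,
                # Copies under a Liberty workarea are re-extracted at start-up and
                # only disappear once the archive they were unpacked from is updated.
                "in_workarea": any(p.lower() == "workarea" for p in path.parts),
            })
    return sorted(findings, key=lambda f: f["path"])


def _write_archive(path, artifact, impl_version):
    """Constructed stand-in for a real Log4j jar: manifest plus one marker class entry."""
    path.parent.mkdir(parents=True, exist_ok=True)
    marker = ("org/apache/logging/log4j/core/LogEvent.class" if artifact == "core"
              else "org/apache/logging/log4j/LogManager.class")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {impl_version}\r\n")
        zf.writestr(marker, b"")


def build_sample_tree():
    """Constructed layout echoing the question: patched jars in lib/, stale 0.cp in workarea."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    _write_archive(root / "server/lib/log4j-core-2.17.0.jar", "core", "2.17.0")
    _write_archive(root / "server/lib/log4j-api-2.17.0.jar", "api", "2.17.0")
    _write_archive(root / "server/liberty/servers/clm/workarea/410/0.cp", "core", "2.13.0")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = "STALE" if f["vulnerable"] else "ok"
        print(f"{status:5} {f['artifact']:10} {f['version']:8} {f['path']}")
```

Point scan_tree() at the real server directory instead of build_sample_tree() to use it. A finding with in_workarea set and an old version, like the 0.cp file in the question, means the archive it was extracted from still ships the old jar; replacing the extracted copy alone does nothing, since the container rewrites it at the next start.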


Accepted answer

Dinesh Kumar B (4.1k413) | answered Dec 21 '21, 3:07 a.m.
Hi Fons,

For RM 702, please follow the remediation #2 from the Security Bulletin:

The bulletin mentioned above talks about other ELM products and optional components that the Development Team found impacted by CVE-2021-44228 and has provided the steps to remediate each of them.

With the steps from the remediation, you will be at v2.15. For getting to 2.16 or later and for other vulnerabilities, please wait for Security Bulletins to be released.

Fons Maathuis selected this answer as the correct answer
