Update (22nd December 2021 8:30 UTC)
Thank you to everyone who has actively participated in this KBA. We trust that the questions asked and the responses given have been of benefit to wider understanding of the mitigation of CVE-2021-44228 with respect to IFS products and services. Questions have however now started to move beyond this particular CVE and in to the area of customer-specific issues that are hard to track in a single threaded article, so this KBA is now closed to further comments. If you have product support issues please therefore report them through your usual support channel, or if you have questions or advice to share related to your experience with mitigating this vulnerability, please use the appropriate Community forum.
IFS has made significant progress in understanding the impact of CVE-2021-44228, known colloquially as Log4j, upon our products and services. It is important to note that only a limited number of IFS products are affected and IFS is currently preparing a service update for those affected products. We will update the table below as we identify and implement mitigations. Understanding, mitigating and remediating this vulnerability is our absolute priority.
Thank you for your patience while we complete this process.
IFS Applications 10 on-premise and remote environments
The following instruction applies ONLY to IFS Application 10 on-premise and remote environments. It does NOT apply to instances of IFS Applications 10 hosted in the IFS Cloud Service or to any other IFS product of any version, including other versions of IFS Applications. For such other products, versions or alternative deployments please refer back to the table above.
Within this scope, mitigation is available as the following zip file: https://portal.ifsworld.com/ifsapp_sec_patch/IFS_Solution_298974.zip
After downloading the file, please unzip it to find the installation instructions and an embedded zip file containing the mitigation.
Installation is very straightforward, but if it is unsuccessful for any reason or in the unlikely event that your users report follow-on problems with the environment, please restore your backup and if you wish, seek assistance by posting to this KBA.
Note that installation is completely independent of any other deliveries and can be applied to any of the IFS Applications 10 releases made so far up to and including update 14. As the instructions explain, the mitigation only needs to be applied once per environment.
IFS Developer Studio
The latest versions of IFS Developer Studio (21.82 and 10.82) bundle the older versions (i.e. 1.x) of log4j as part of the tool's installation and which is based on NetBeans. These versions of log4j are not impacted by the CVE-2021-44228 vulnerability.
Important Note: During the development of Java based projection functionality for projects targeting IFS Applications 10 and above, vulnerable log4j libraries (i.e. versions 2.x below 2.15), may be fetched from a shared "project root" while performing a build. The built application is subsequently deployed to a local server running on the developer's computer thereby generating a vulnerability on that machine.
Please ensure vulnerable versions of log4j libraries are not included in customizations and integration development.
In the next update of IFS Developer Studio for versions 21.82 and 10.82 we will provide a mitigation fix recommended by the log4j maintainers as part of the tool’s local project build process. We will notify you both in IFS Community as well as the IFS Developer Portal when this particular update is available along with the relevant updated version.
Please note: the tool usually updates itself automatically, but alternatively you can select Help/Check For Updates from the tool’s menu.
Other IFS development tools are not impacted by this vulnerability.
We will continue to publish updates regarding status on our main bulletin thread associated with CVE-2021-44228 which will also identify when the above information has been updated.