Skip to main content

Apache Log4j vulnerability

  • Updated

 

Dear TIE Kinetix Customer,

With regard to the Apache Log4j vulnerability, TIE Kinetix has researched the usage of Log4j (especially vulnerable versions 2.0 to 2.14) in our offering.

To what extent are our systems exposed to this threat?
Log4j is not used as the logger technology for any of our applications or application servers.

  • Our core integration engines (TIE Kinetix SmartBridge X and FLOW Document Manager) are .NET based applications and are therefore not affected by this Log4j vulnerability.
  • TIE Kinetix is using different functional modules based on Java (TIE Smart Integrator and the FLOW Portal) which are using other log technologies than Log4j or versions of Log4j 1.X and are therefore not affected by this Log4j vulnerability.

You can find references to Log4j 2.x in some libraries but those are not configured and thus not vulnerable to the hack.

How are we going to address this potential threat?
Our recommendations and actions are based on our current research but may change over time:

  • Even for versions that are not affected, we put in place the recommended remediations following the CVE Website,
  • Even for versions that are not configured/executed we are updating all versions of Log4j 2.x to the latest version (currently 2.17)

For our TIE Kinetix SmartBridge TSBX customers
If you are running TIE Kinetix SmartBridge X (TSBX) locally on your own server or data center, you are not affected by this vulnerability. Log4j versions 1.x  (present on TIE Smart Integrator Execution module) do not offer a look-up mechanism and therefore are not vulnerable to the CVE-2021-44228-Log4Shell.

If, in any case you prefer to add extra configurations:

  • If you are running TSI maps in your environment:
    We recommend to add the recommended parameter ‐DLog4j2.formatMsgNoLookups=True" into “runprocessTSI.bat”. The file can be found in the TsiExecutor subfolder of the TSB installation folder.
    Note: It is important to mention that the included Log4j version there is version 1.x and is therefore not affected by this Log4j vulnerability.
  • If you are not running TSI maps in your environment: You can simply rename “runprocessTSI.bat” to something like “runprocessTSI.bat.no”. The file can be found in the TsiExecutor subfolder of the TSB installation folder. This will allow the loading of the TSIExecutor and thus running any version of Log4j 1.x.

Further communication
Any further communication and messaging will be published directly on this page or as an announcement in the Portal.

Regards,
The TIE Kinetix Operations Team

 

Related articles

Comments

0 comments

Please sign in to leave a comment.