Hi,
We are checking internally the applications that are using the Log4J library in order to update the library or try to mitigate the Log4Shell vulnerability published here https://cve.mitre.org/cgi-bin/cvename.c ... 2021-44228 or see also here https://www.kaspersky.com/blog/log4shel ... g4j/43124/.
I noticed that Lansa Integrator uses Log4J library. How can we mitigate the issue in Lansa Integrator? Is there some official news from Lansa about that?
Thanks
Is LANSA Integrator affected by LOG4J - Log4Shell vulnerability CVE-2021-44228?
jimwatterson
Re: Is LANSA Integrator affected by LOG4J - Log4Shell vulnerability CVE-2021-44228?
Security Bulletin: Apache Log4j2 Issue (CVE-2021-44228)
Idera is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228). We are actively monitoring this issue, and are working on our own internal review to determine if any of our systems or services could be affected.
We strongly encourage customers who manage environments containing Log4j2 to update to the latest version, available at: https://logging.apache.org/log4j/2.x/download.html or their operating system’s software update mechanism.
Thank you for your cooperation.
Idera Security / Compliance Team.
Re: Is LANSA Integrator affected by LOG4J - Log4Shell vulnerability CVE-2021-44228?
Here is what I got from John Bo:
Hi, there. LANSA Integrator has this jar in the IFS folder "jsm/instance/jar", but I am not sure if your application uses it at all.
LANSA developers are aware of the issue and are working on a solution.
In the meantime, please remove jsmlog4j.jar from the "jsm/instance/jar" folder, restart JSM and test your Integrator-related application. Most likely the features your application uses won't be affected without this jar on your system.
I have some older Integrator functions we built quite a while back, and they are still working fine after removing the jsmlog4j.jar file.
Arlyn Dale
Servias LLC
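For the inventory step the thread starts from, the following is an added example (not from any poster, LANSA or Idera) that walks a directory such as the "jsm/instance/jar" folder and reports which archives, including archives nested inside other archives, carry the log4j-core 2.x `JndiLookup` class that CVE-2021-44228 relies on. The function names are hypothetical, and the thread does not say what jsmlog4j.jar contains, so the script makes no assumption about it and only reports what it finds.

```python
import io
import os
import sys
import zipfile

# Class implementing the JNDI lookup used by CVE-2021-44228 (log4j-core 2.x).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
V1_PREFIX = "org/apache/log4j/"  # log4j 1.x package, a different code base
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # do not unpack oversized nested archives


def classify_archive(data, label, depth=0):
    """Return [(label, finding)] for an archive and the archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable archive")]
    findings = []
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append((label, "log4j2-core with JndiLookup"))
        elif any(n.startswith(CORE_PREFIX) for n in names):
            findings.append((label, "log4j2-core, JndiLookup absent"))
        if any(n.startswith(V1_PREFIX) for n in names):
            findings.append((label, "log4j 1.x classes"))
        for info in zf.infolist():
            nested = info.filename.lower().endswith(ARCHIVE_EXT)
            if nested and depth < 4 and info.file_size <= MAX_NESTED_BYTES:
                findings += classify_archive(zf.read(info), f"{label}!{info.filename}", depth + 1)
    return findings


def scan_directory(root):
    """Classify every Java archive found under root (path given by the caller)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results += classify_archive(fh.read(), os.path.relpath(path, root))
    return results


if __name__ == "__main__":
    for label, finding in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}: {label}")
```

An archive reported as "log4j 1.x classes" only does not contain the `JndiLookup` class; an archive that produces no finding contains no log4j classes at all.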