Apache Log4J Vulnerability Update

The TIBCO Security team is aware of the recently announced Apache Log4J vulnerability (CVE-2021-44228), referred to as “Log4Shell”. Performing these attacks requires an attacker to have control of log messages, or at least the parameters for a given log message. This vulnerability theoretically enables arbitrary code to be executed on the affected system.

TIBCO’s Security Team is actively monitoring the information coming out about the Apache Log4J Vulnerability and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

We will provide updates as more information becomes available and we complete our investigation. This information will include which TIBCO products and services are affected and how customers and users of those products and services can best mitigate or protect themselves from being exploited by this vulnerability.

For more information on the vulnerability, please see the following references:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
• https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
• https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0