Public Notice

Apache Log4J Vulnerability Daily Update 

12 December 2021

TIBCO continues to work on investigating and identifying mitigations for the Apache Log4J vulnerability (CVE-2021-44228), referred to as the “Log4Shell” vulnerability. The sections below contain the current status of these efforts. TIBCO continues to make the investigation and remediation of this vulnerability its top priority.

Here is the current status as of the publication time of this update.

CLARIFICATIONS FROM PREVIOUS UPDATES

  • TIBCO® BPM Enterprise 4.3.x product line (formerly known as TIBCO® ActiveMatrix BPM) is not vulnerable to this issue; however, if a customer has implemented the JMSAppender class, they should check to make sure they don’t expose this vulnerability. For more details, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
    • TIBCO continues to investigate TIBCO® BPM Enterprise 5.x.
  • TIBCO BusinessWorks™ 5.14.0 (TRA 5.11.x) and prior are not vulnerable to this issue; however, if a customer has implemented the JMSAppender class, they should check to make sure they don’t expose this vulnerability. For more details, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
    • TIBCO BusinessWorks™ 5 version 5.15.0 (TRA 5.12.0) is still under investigation.
    • TIBCO is still investigating the BusinessWorks 5 ecosystem that depends on BusinessWorks 5.15.0 (TRA 5.12.0).

 

TIBCO products whose current standard support versions either do not use Apache Log4J or are not on an affected version of Log4J:

(new information from previous updates is in bold)

  • TIBCO ActiveMatrix® Service Grid Platform
  • TIBCO ActiveSpaces® version 4.x
  • TIBCO Apache Kafka Distribution
  • TIBCO® API Exchange Gateway
  • TIBCO® BPM Enterprise 4.3.x (formerly known as TIBCO® ActiveMatrix BPM) (see update above)
  • TIBCO BusinessWorks™ 5 (see update above)
  • TIBCO BusinessWorks 6 Runtime version 6.8.0 and previous versions
  • TIBCO BusinessWorks Container Edition Runtime version 2.7.0 and previous versions
  • TIBCO Data Science for TIBCO Spotfire Analyst Version
  • TIBCO Enterprise Message Service™ 
  • TIBCO Enterprise Message Service™ Appliance (EMSA)
  • TIBCO Flogo® Enterprise and all connectors
  • TIBCO FTL® and eFTL
  • TIBCO® Graph Database
  • TIBCO® GeoAnalytics
  • TIBCO LABS™ Project Discover
  • TIBCO Rendezvous® version 8.5.1 and above
  • TIBCO Scribe® Insight
  • TIBCO Scribe® Online
  • TIBCO Statistica

 

TIBCO products that have remediation documentation available: