IdentityIQ log4j Version Verification

Introduction

Part of the deployment process for any release of IdentityIQ should include a test plan to validate that the deployment contains the desired changes.

For every IdentityIQ release, including patches, e-fixes, and security fixes, detailed information about the product runtime is available in the web user interface at debug/about.jsf when accessed by an IdentityIQ user with the System Administrator capability. This page shows information only for the specific application server that the browser is connected to. In a deployment with multiple application server instances, unless you have high confidence that your build and deployment procedures produce consistent instances, visit the page on each application server instance, including servers in the UI and task tier.

IdentityIQ log4j Version Verification

The remediation guidance for the Log4j vulnerabilities documented in CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 is to update Log4j to version 2.17.1. The security fixes released by SailPoint for our products provide that upgrade.

The following steps can be used to create and run a rule that will show the Log4j version in use in an IdentityIQ 8.0 and later instance.

  1. Save the XML document provided below into a file.
  2. Log in to IdentityIQ as a user with the System Administrator capability.
  3. Use Import from File on the Gear Icon -> Global Settings page to import the rule definition and create the rule.
  4. Visit debug/debug.jsf, select the rule named Log4j 2 Version in the rule list selection component, and click Run Rule.
  5. Validate that the results displayed when running the rule show 2.17.1:

     <?xml version='1.0' encoding='UTF-8'?>
     <!DOCTYPE String PUBLIC "sailpoint.dtd" "sailpoint.dtd">
     <String>2.17.1</String>

  6. Repeat this process for each application server in the deployment, including servers in the UI and task servers.

 

Log4j 2 Version Validation Rule

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<sailpoint>

  <Rule language='beanshell' name='Log4j 2 Version'>
    <Signature returnType='String'>
      <Inputs>
        <Argument name='context'>
          <Description>
            A sailpoint.api.SailPointContext object that can be used to
            query the database to aid in correlation.
          </Description>
        </Argument>
        <Argument name='log'>
          <Description>
            log for debugging
          </Description>
        </Argument>
      </Inputs>
      <Returns>
        <Argument name='version'>
          <Description>
            The Log4j 2.x version
          </Description>
        </Argument>
      </Returns>
    </Signature>
    <Source>
      <![CDATA[
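        // Read Implementation-Version from the manifest of the JAR that
        // PropertiesUtil (a log4j-api class) was loaded from in this server's JVM.
        String version = org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion();

        return version;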
      ]]>
    </Source>
  </Rule>

</sailpoint>
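
A filesystem-side cross-check for the per-server verification above, added here as an example (not SailPoint's code): it reads the same Implementation-Version manifest attribute the rule returns, for every log4j-api and log4j-core JAR found under a directory, so a stale JAR left beside the upgraded one is flagged. The directory argument (for example the web application's WEB-INF/lib), the script name, and the function names are assumptions.

```python
import re
import sys
import zipfile
from pathlib import Path

EXPECTED = "2.17.1"  # version the article says the security fixes deliver
# Log4j 2 artifacts only (log4j-api / log4j-core); Log4j 1.x JARs do not match.
JAR_NAME = re.compile(r"^log4j-(api|core)[-.\w]*\.jar$")


def manifest_version(jar_path):
    """Return Implementation-Version from the JAR's main manifest section, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None  # JAR has no manifest at all
    # Normalise line endings, keep the main section, unfold continuation lines.
    raw = raw.replace("\r\n", "\n").split("\n\n", 1)[0].replace("\n ", "")
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "implementation-version":
            return value.strip()
    return None


def audit(lib_dir, expected=EXPECTED):
    """Return [(jar name, version, ok)] for each Log4j 2 JAR under lib_dir."""
    findings = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        if JAR_NAME.match(jar.name):
            version = manifest_version(jar)
            findings.append((jar.name, version, version == expected))
    return findings


if __name__ == "__main__":
    # Usage (path is an assumption): python check_log4j.py <webapp>/WEB-INF/lib
    results = audit(sys.argv[1])
    for name, version, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {name} Implementation-Version={version}")
    # Non-zero exit when no Log4j 2 JAR was found or any JAR is off-version.
    sys.exit(0 if results and all(ok for _, _, ok in results) else 1)
```

Run it on each application server host; a JAR with no readable Implementation-Version is reported as a failure rather than skipped.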
Version history
Revision #:
7 of 7
Last update:
‎May 16, 2026 08:18 AM