Introduction
Part of the deployment process for any release of IdentityIQ should include a test plan to validate that the deployment contains the desired changes.
For all releases of IdentityIQ, including releases, patches, e-fixes, and security fixes, detailed information about the product runtime can be found in the web user interface at debug/about.jsf when accessed by an IdentityIQ user with the System Administrator capability. This page shows information only for the specific application server instance that the browser connects to. In a deployment with multiple application server instances, unless there is a high level of confidence that the build and deployment procedures create consistent instances, visit each application server instance in turn, including servers in both the UI and task tiers.
IdentityIQ log4j Version Verification
The remediation steps for the Log4j vulnerabilities documented in CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 specify that Log4j should be updated to version 2.17.1. The security fixes released by SailPoint for our products provide that upgrade.
The following steps can be used to create and run a rule that shows the Log4j version in use in an IdentityIQ 8.0 or later instance. Running the rule returns the Log4j version as a String object; after the security fix has been applied, the result is:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE String PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<String>2.17.1</String>
Log4j 2 Version Validation Rule
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <Rule language='beanshell' name='Log4j 2 Version'>
    <Signature returnType='String'>
      <Inputs>
        <Argument name='context'>
          <Description>
            A sailpoint.api.SailPointContext object that can be used to
            query the database to aid in correlation.
          </Description>
        </Argument>
        <Argument name='log'>
          <Description>
            log for debugging
          </Description>
        </Argument>
      </Inputs>
      <Returns>
        <Argument name='version'>
          <Description>
            The Log4j 2.x version
          </Description>
        </Argument>
      </Returns>
    </Signature>
    <Source>
      <![CDATA[
        // Read the Implementation-Version from the manifest of the jar that
        // loaded the Log4j 2 PropertiesUtil class (i.e. log4j-api on this server).
        String version = org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion();
        return version;
      ]]>
    </Source>
  </Rule>
</sailpoint>
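The rule above reports the Log4j version loaded by the running JVM on one application server. A complementary check, added here as an example and not part of the original article or of SailPoint's own code, inspects the jars actually deployed on disk, so it can be run against every instance in the UI and task tiers without logging in to each one. It assumes the deployment root passed to scan() is a directory tree (for example an exploded WAR), matches jars by the name pattern log4j*.jar, reads Implementation-Version from META-INF/MANIFEST.MF with the file name as a fallback, and compares against the 2.17.1 minimum stated in the article. The sample jars it builds are constructed for the demonstration.

```python
"""Filesystem-side Log4j version check for an IdentityIQ deployment.

Added example, not part of the original article or of SailPoint's own code.
Assumptions: scan() receives a directory tree; jars are matched by the
pattern log4j*.jar; the required minimum 2.17.1 comes from the article text.
"""
import re
import tempfile
import zipfile
from pathlib import Path

REQUIRED_MIN = (2, 17, 1)  # remediation target stated in the article


def parse_version(text):
    """Convert '2.17.1' (or '2.17.1-SNAPSHOT') into a tuple of ints for comparison."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def jar_version(jar_path):
    """Return the Implementation-Version from META-INF/MANIFEST.MF.

    Falls back to the version embedded in the file name when the manifest
    does not carry one; returns None if neither source has a version.
    """
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    match = re.search(r"log4j(?:-[a-z0-9]+)*-(\d+(?:\.\d+)+)\.jar$", Path(jar_path).name)
    return match.group(1) if match else None


def scan(root):
    """Return (path, version, ok) for every log4j*.jar under root.

    ok is True only when a version was found and it is at least REQUIRED_MIN,
    so a Log4j 1.x jar (such as the log4j-1.2.17.jar mentioned in the
    comments) is reported as not ok.
    """
    findings = []
    for path in sorted(Path(root).rglob("log4j*.jar")):
        version = jar_version(path)
        ok = version is not None and parse_version(version) >= REQUIRED_MIN
        findings.append((str(path), version, ok))
    return findings


def make_sample_jar(path, impl_version):
    """Write a minimal constructed jar (a zip with only a manifest) for the demo."""
    manifest = "Manifest-Version: 1.0\n"
    if impl_version is not None:
        manifest += f"Implementation-Version: {impl_version}\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def run_demo():
    """Build a constructed WEB-INF/lib tree with three sample jars and scan it.

    Returns {file name: (version, ok)} so the result can be checked.
    """
    root = Path(tempfile.mkdtemp())
    lib = root / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    make_sample_jar(lib / "log4j-core-2.17.1.jar", "2.17.1")   # patched
    make_sample_jar(lib / "log4j-1.2.17.jar", "1.2.17")        # end-of-life 1.x
    make_sample_jar(lib / "log4j-api-2.17.0.jar", None)        # version only in file name
    return {Path(p).name: (v, ok) for p, v, ok in scan(root)}


if __name__ == "__main__":
    for name, (version, ok) in run_demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name} -> {version}")
```

Point scan() at the deployment directory of each application server and compare the findings across instances; a jar that is reported FAIL on one server but not another is exactly the inconsistency the article warns about. Note that a shaded or renamed jar would not match the log4j*.jar pattern, which is why the runtime rule remains the authoritative check.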
IIQ 8.1 is compatible with log4j 2.17
Hi Experts,
We are getting the below error message when we copied the eFix to the SSB.
build 03-Feb-2022 13:22:42 [unzip] Expanding: D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\base\efix\8.1p2\identityiq-8.1-8.1p2-IIQSAW-3516.zip into D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\build\extract
build 03-Feb-2022 13:22:42 [echo] Applying efix: base\efix\8.1p2\identityiq-8.1-8.1p3-IIQCB-4610.zip
build 03-Feb-2022 13:22:42 [unzip] Expanding: D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\base\efix\8.1p2\identityiq-8.1-8.1p3-IIQCB-4610.zip into D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\build\extract
build 03-Feb-2022 13:22:42 [echo] Critical failure while extracting core binaries. Make sure required files exit,
build 03-Feb-2022 13:22:42 [echo]
build 03-Feb-2022 13:22:42 [echo]
build 03-Feb-2022 13:22:42 [echo] are not corrupted and a directory exists for /base/efix/x.xpx version your are
build 03-Feb-2022 13:22:42 [echo] building.
build 03-Feb-2022 13:22:42 [echo]
build 03-Feb-2022 13:22:42 [echo] Note: You need a directory (Ex. /base/efix/5.1p3 ) even if you don't have any efixes yet.
build 03-Feb-2022 13:22:42 [echo]
error 03-Feb-2022 13:22:42
error 03-Feb-2022 13:22:42 BUILD FAILED
iiqIntegration-ITIM contains log4j-1.2.17.jar for integration into IBM ISIM. IBM ISIM has not resolved their issues, but if we are not using this integration, can this WAR be removed from the SSB? It is being flagged by our vulnerability team.
If you do not have a configured integration with IBM Security Identity Manager (previously known as IBM Tivoli Identity Manager), then you do not need this file. IMHO this file should never be in an SSB environment (although my experience with the SSB is limited) because it is not part of the IdentityIQ server deployable artifact. This is a web application that must be installed in the ISIM/ITIM server.