Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IdentityIQ log4j Version Verification

IdentityIQ log4j Version Verification

Introduction

Part of the deployment process for any release of IdentityIQ should include a test plan to validate that the deployment contains the desired changes.

For all releases of IdentityIQ including releases, patches, e-fixes, and security fixes, detailed information about the product runtime can be found in the web user-interface at debug/about.jsf when accessed by an IdentityIQ user with the System Administrator capability.  This page shows information for the specific application server that the browser connects to, so in a deployment with multiple application server instances, if there is not a high level of confidence in build and deployment procedures creating consistent instances, you should iterate through visiting each application server instance including servers in the UI and task tier.

IdentityIQ log4j Version Verification

Remediation steps defined in Log4j vulnerabilities documented in CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 define that Log4j should be updated to version 2.17.1. The security fixes released by SailPoint for our products provide that upgrade.

The following steps can be used to create and run a rule that will show the Log4j version in use in an IdentityIQ 8.0 and later instance.

  1. Save the XML document provided below into a file.
  2. Login to IdentityIQ as a user with the System Administrator capability,
  3. Use Import from File on the Gear Icon -> Global Settings page to import the rule definition and create the rule.
  4. Visit debug/debug.jsf, select the rule named Log4j 2 Version in the rule list selection component, and click Run Rule.
  5. Validate that the results displayed when running the rule show 2.17.1:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE String PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<String>2.17.1</String>
  1. Repeat this process for each application server in the deployment including servers in the UI and task servers.

 

Log4j 2 Version Validation Rule

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<sailpoint>

  <Rule language='beanshell' name='Log4j 2 Version'>
    <Signature returnType='String'>
      <Inputs>
        <Argument name='context'>
          <Description>
            A sailpoint.api.SailPointContext object that can be used to
            query the database to aid in correlation.
          </Description>
        </Argument>
        <Argument name='log'>
          <Description>
            log for debugging
          </Description>
        </Argument>
      </Inputs>
      <Returns>
        <Argument name='version'>
          <Description>
            The Log4j 2.x version
          </Description>
        </Argument>
      </Returns>
    </Signature>
    <Source>
      <![CDATA[
        String version = org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion();

        return version;
      ]]>
    </Source>
  </Rule>

</sailpoint>
Comments
anil_bandlamudi
‎Jan 05, 2022 03:46 AM
‎Jan 05, 2022 03:46 AM

IIQ 8.1 is compatible with log4j 2.17

bkshah16
‎Feb 03, 2022 01:29 AM
‎Feb 03, 2022 01:29 AM

Hi Expert's 

We are getting below error message when copied eFix to SSB.

build	03-Feb-2022 13:22:42	    [unzip] Expanding: D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\base\efix\8.1p2\identityiq-8.1-8.1p2-IIQSAW-3516.zip into D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\build\extract
build	03-Feb-2022 13:22:42	     [echo] Applying efix: base\efix\8.1p2\identityiq-8.1-8.1p3-IIQCB-4610.zip
build	03-Feb-2022 13:22:42	    [unzip] Expanding: D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\base\efix\8.1p2\identityiq-8.1-8.1p3-IIQCB-4610.zip into D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\build\extract
build	03-Feb-2022 13:22:42	     [echo] Critical failure while extracting core binaries. Make sure required files exit,
build	03-Feb-2022 13:22:42	     [echo]                             
build	03-Feb-2022 13:22:42	     [echo] 
build	03-Feb-2022 13:22:42	     [echo]                             are not corrupted and a directory exists for /base/efix/x.xpx version your are
build	03-Feb-2022 13:22:42	     [echo]                             building.
build	03-Feb-2022 13:22:42	     [echo] 
build	03-Feb-2022 13:22:42	     [echo]                             Note: You need a directory (Ex. /base/efix/5.1p3 ) even if you don't have any efixes yet.
build	03-Feb-2022 13:22:42	     [echo]                         
error	03-Feb-2022 13:22:42	
error	03-Feb-2022 13:22:42	BUILD FAILED

 

tswitz00
‎Feb 04, 2022 10:51 AM
‎Feb 04, 2022 10:51 AM

iiqIntegration-ITIM  contains log4j-1.2.17.jar for integration into IBM ISIM.  IBM ISIM has not resolved their issues, but if not using this integration can this WAR be removed from the SSB.  It is being flagged by our vulnerability team. 

david_crow
‎Feb 04, 2022 11:27 AM
‎Feb 04, 2022 11:27 AM

If you do not have a configured integration with IBM Security Identity Manager (previously known as IBM Tivoli Identity Manager), then you do not need this file.  IMHO this file should never be in a SSB environment (although my experience with the SSB is limited) because it is not part of the IdentityIQ server deployable artifact.  This is a web application that must be installed in the ISIM/ITIM server.

Version history
Revision #:
6 of 6
Last update:
‎Nov 17, 2022 01:34 PM
Updated by:
SailPoint Employee
 
View Article History