IdentityIQ log4j Version Verification

Introduction

Part of the deployment process for any release of IdentityIQ should include a test plan to validate that the deployment contains the desired changes.

For all releases of IdentityIQ, including major releases, patches, e-fixes, and security fixes, detailed information about the product runtime can be found in the web user interface at debug/about.jsf when accessed by an IdentityIQ user with the System Administrator capability. This page shows information only for the specific application server that the browser connects to, so in a deployment with multiple application server instances, unless there is a high level of confidence that the build and deployment procedures create consistent instances, you should visit each application server instance in turn, including servers in both the UI and task tiers.

IdentityIQ log4j Version Verification

The remediation steps for the Log4j vulnerabilities documented in CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 specify that Log4j should be updated to version 2.17.1. The security fixes released by SailPoint for our products provide that upgrade.

The following steps can be used to create and run a rule that will show the Log4j version in use in an IdentityIQ 8.0 and later instance.

  1. Save the XML document provided below into a file.
  2. Log in to IdentityIQ as a user with the System Administrator capability.
  3. Use Import from File on the Gear Icon -> Global Settings page to import the rule definition and create the rule.
  4. Visit debug/debug.jsf, select the rule named Log4j 2 Version in the rule list selection component, and click Run Rule.
  5. Validate that the results displayed when running the rule show 2.17.1:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE String PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<String>2.17.1</String>
  6. Repeat this process for each application server in the deployment, including servers in the UI and task tiers.


Log4j 2 Version Validation Rule

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<sailpoint>

  <Rule language='beanshell' name='Log4j 2 Version'>
    <Signature returnType='String'>
      <Inputs>
        <Argument name='context'>
          <Description>
            A sailpoint.api.SailPointContext object that can be used to
            query the database to aid in correlation.
          </Description>
        </Argument>
        <Argument name='log'>
          <Description>
            log for debugging
          </Description>
        </Argument>
      </Inputs>
      <Returns>
        <Argument name='version'>
          <Description>
            The Log4j 2.x version
          </Description>
        </Argument>
      </Returns>
    </Signature>
    <Source>
      <![CDATA[
        String version = org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion();

        return version;
      ]]>
    </Source>
  </Rule>

</sailpoint>
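The rule above reports the version that the running JVM has loaded. As a complementary, offline check for each application server in the deployment, the following script (an added example, not SailPoint code) reads the same Implementation-Version attribute from the MANIFEST.MF of every log4j*.jar in a deployed WEB-INF/lib directory and flags anything below 2.17.1; the sample jars it builds are constructed stand-ins containing only a manifest, and the lib directory path is whatever your deployment uses.

```python
import io
import re
import zipfile
from pathlib import Path

MIN_VERSION = (2, 17, 1)   # remediation target named in the article

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); None if the string has no x.y.z prefix."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def manifest_version(jar_bytes):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent.

    This is the attribute Package.getImplementationVersion() returns at runtime."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None

def check_jars(jars):
    """jars: {file name: jar bytes} -> {file name: (version string, meets minimum)}.
    A jar with no parseable version is reported as not meeting the minimum."""
    report = {}
    for name, data in jars.items():
        version = manifest_version(data)
        parsed = parse_version(version)
        report[name] = (version, parsed is not None and parsed >= MIN_VERSION)
    return report

def check_lib_dir(lib_dir):
    """Run check_jars over every log4j*.jar under a deployed WEB-INF/lib (path is yours)."""
    paths = sorted(Path(lib_dir).glob("log4j*.jar"))
    return check_jars({p.name: p.read_bytes() for p in paths})

def build_sample_jar(version):
    """Constructed stand-in for a real jar: a manifest only, for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    sample = {"log4j-core-2.17.1.jar": build_sample_jar("2.17.1"),
              "log4j-1.2.17.jar": build_sample_jar("1.2.17")}   # constructed inputs
    for name, (ver, ok) in check_jars(sample).items():
        print(f"{name}: {ver} {'OK' if ok else 'BELOW 2.17.1'}")
```

Running check_lib_dir against the WEB-INF/lib of each UI and task server gives a per-server record to keep alongside the rule output; a Log4j 1.x jar such as the one discussed in the comments below will be reported as below the minimum.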
Comments

IIQ 8.1 is compatible with log4j 2.17

Hi Experts,

We are getting the below error message when copying the eFix to SSB.

build	03-Feb-2022 13:22:42	    [unzip] Expanding: D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\base\efix\8.1p2\identityiq-8.1-8.1p2-IIQSAW-3516.zip into D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\build\extract
build	03-Feb-2022 13:22:42	     [echo] Applying efix: base\efix\8.1p2\identityiq-8.1-8.1p3-IIQCB-4610.zip
build	03-Feb-2022 13:22:42	    [unzip] Expanding: D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\base\efix\8.1p2\identityiq-8.1-8.1p3-IIQCB-4610.zip into D:\bamboo-agent\xml-data\IIQ72-IIQ3881-IB\iiq_build_dir\build\extract
build	03-Feb-2022 13:22:42	     [echo] Critical failure while extracting core binaries. Make sure required files exit,
build	03-Feb-2022 13:22:42	     [echo]                             
build	03-Feb-2022 13:22:42	     [echo] 
build	03-Feb-2022 13:22:42	     [echo]                             are not corrupted and a directory exists for /base/efix/x.xpx version your are
build	03-Feb-2022 13:22:42	     [echo]                             building.
build	03-Feb-2022 13:22:42	     [echo] 
build	03-Feb-2022 13:22:42	     [echo]                             Note: You need a directory (Ex. /base/efix/5.1p3 ) even if you don't have any efixes yet.
build	03-Feb-2022 13:22:42	     [echo]                         
error	03-Feb-2022 13:22:42	
error	03-Feb-2022 13:22:42	BUILD FAILED


iiqIntegration-ITIM contains log4j-1.2.17.jar for integration into IBM ISIM. IBM ISIM has not resolved their issues, but if not using this integration, can this WAR be removed from the SSB? It is being flagged by our vulnerability team.

If you do not have a configured integration with IBM Security Identity Manager (previously known as IBM Tivoli Identity Manager), then you do not need this file.  IMHO this file should never be in a SSB environment (although my experience with the SSB is limited) because it is not part of the IdentityIQ server deployable artifact.  This is a web application that must be installed in the ISIM/ITIM server.

Version history: revision 6 of 6, last updated Nov 17, 2022 01:34 PM.