TeamConnect Log4j Vulnerability Remediation
TeamConnect Log4j Remediation
TeamConnect Hosted Updates
Last update: Jan-07-2022 10:30 AM CT
Mitratech has concluded its initial investigations on its applications and infrastructure. Mitratech is continuing to remediate its hosting environments as needed per changing guidance. Please contact Mitratech Support if you have any questions.
Please see the following updates for our 3rd party Hosted TeamConnect Integrations.
- SAP Business Objects – SAP BusinessObjects BI Platform is not impacted by CVE-2021-44228
- TCBI – Remediated on 2021-Dec-13
- ElasticSearch - Remediated on 2021-Dec-10
- SAML: Log4j 1.X is used for SAML TeamConnect and is therefore not vulnerable
- Data Warehouse - Log4j 1.x is used for Data Warehouse for TeamConnect and is not vulnerable.
TeamConnect On Premise Updates for CVE-2021-44228 (ACTION REQUIRED BY CUSTOMER)
Last update: May-06-2022 15:38 PM CT
In regard to vulnerabilities in CVE-2021-44228, on-premise installations of TeamConnect may contain modules of log4j 2.X, depending on the version. Log4j 2 mitigations in TeamConnect are below.
TeamConnect 6.3.5 (available now) no longer includes the vulnerable log4j 2.x core files. It does still include the log4j-api 2.11.1 jar (controlled by ElasticSearch), which is not impacted by the vulnerability. TC 6.3.5 and higher are therefore not impacted by CVE-2021-44228. However, manual remediation for log4j-api is achievable by following the steps below, if so desired.
TeamConnect 6.3.6 includes both log4j-core and log4j-api 2.17.1 files.
Manual Remediation for TeamConnect 6.3.4 or lower and third party integrated applications:
Instructions for remediation of log4j 2.x for integrated applications provided by Mitratech are listed in Step 3.
Please note that guidance may change as we receive continued updates from our vendors and third parties.
STEP 1: Replace affected log4j 2.x files:
- Stop your instance of TeamConnect
- Using a ZIP utility, locate and remove log4j-api*.jar and log4j-core*.jar in the WEB-INF\lib\ folder located in the .war archive file.
- If you are running TeamConnect 5.1 through 6.3.4 (JDK 1.8):
  - Copy log4j-api-2.17.1.jar and log4j-core-2.17.1.jar into the WEB-INF\lib\ folder located in the .war archive file.
  - Redeploy from your updated war file to start your instance
  - Links to Jar files: https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip
- If you are running TeamConnect 4.2 through 5.0.x (JDK 1.7):
  - Copy log4j-api-2.12.4.jar and log4j-core-2.12.4.jar into the WEB-INF\lib\ folder located in the .war archive file.
  - Redeploy from your updated war file to start your instance
  - Links to Jar files: https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.4/apache-log4j-2.12.4-bin.zip
- If you are running TeamConnect 4.1.x or lower - skip to Step 2
STEP 2: Verify log4j 1.x JMS appender is not enabled:
Log4J 1.X is used for TeamConnect, but is not specifically vulnerable to CVE-2021-44228 unless the JMS Appender is enabled. This is not enabled by default in Log4j 1.X.
- Locate log4j.properties in WEB-INF\classes
- Open the file and validate that JMS Appender has not been configured
- Search for log4j.appender.jms*
While Mitratech's immediate focus is on remediating Log4J 2.X issues, Mitratech is assessing Log4J 1.X, and the existence of other vulnerabilities in 1.X will be addressed in a future release.
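A pre-redeploy check for Steps 1 and 2, as an added example that is not Mitratech's code: it reads the .war directly, lists any log4j-api or log4j-core jar that is not at one of the versions Step 1 names, and reports active JMS appenders in WEB-INF\classes\log4j.properties. It matches on the appender class `org.apache.log4j.net.JMSAppender` as well as the `jms` name prefix from Step 2, because appender names in a log4j 1.x properties file are arbitrary; `audit_war` and `build_sample_war` are hypothetical names and the sample archive is constructed.

```python
import io
import re
import zipfile

# log4j 2.x jars under WEB-INF/lib, e.g. WEB-INF/lib/log4j-core-2.11.1.jar
JAR_RE = re.compile(r"^WEB-INF/lib/(log4j-(?:api|core))-?(.*)\.jar$")
# Replacement versions named in Step 1 (JDK 1.8 and JDK 1.7 lines).
FIXED = {"2.17.1", "2.12.4"}
# log4j 1.x appender definition line: log4j.appender.<name>=<class>
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")


def audit_war(war):
    """Return (jars_not_at_fixed_version, jms_appender_names) for a .war."""
    stale, jms = [], []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m and m.group(2) not in FIXED:
                stale.append((m.group(1), m.group(2)))
        props = "WEB-INF/classes/log4j.properties"
        if props in zf.namelist():
            for line in zf.read(props).decode("utf-8", "replace").splitlines():
                m = APPENDER_RE.match(line)  # commented-out lines do not match
                # Flag by name prefix (the page's search) or by class name,
                # since the appender name is chosen by whoever wrote the file.
                if m and (m.group(1).lower().startswith("jms")
                          or m.group(2).endswith("JMSAppender")):
                    jms.append(m.group(1))
    return sorted(stale), jms


def build_sample_war():
    """Constructed sample: an unremediated archive with a JMS appender."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-api-2.11.1.jar", b"")
        zf.writestr("WEB-INF/lib/log4j-core-2.11.1.jar", b"")
        zf.writestr("WEB-INF/classes/log4j.properties",
                    "log4j.rootLogger=INFO, file, queue\n"
                    "#log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
                    "log4j.appender.queue=org.apache.log4j.net.JMSAppender\n"
                    "log4j.appender.file=org.apache.log4j.FileAppender\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(audit_war(build_sample_war()))
```

On TeamConnect 6.3.5 the log4j-api 2.11.1 jar will appear in the first list even though the page states it is not impacted; the list reports version drift from Step 1, not exploitability.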
STEP 3: Address 3rd Party products as needed:
Please check the following Vendors for remediation guidance for these integrations into TeamConnect:
- SAP Business Objects – SAP BusinessObjects BI Platform is not impacted by CVE-2021-44228
- TCBI (Sisense) – NOTE: Do not upgrade your version of Sisense. Instead, apply the patch to your existing version as per guidance by Sisense (both 7.1 and 8.2 are covered by the patch): https://community.sisense.com/t5/sisense-community-blog/sisense-log4j-statement/ba-p/1559?attachment-id=18
- ElasticSearch for Global Search - NOTE: Do not upgrade your version of ElasticSearch. Instead, follow guidance below:
- SAML: Log4j 1.X is used for SAML TeamConnect and is not vulnerable to CVE-2021-44228.
- Data Warehouse - Log4j 1.x is used for Data Warehouse for TeamConnect and is not vulnerable to CVE-2021-44228.
CVE-2021-4104 (Log4j 1.x)
TeamConnect: Log4j 1.x fully removed from TeamConnect as of 6.3.5 patch 1 and replaced with reload4j
SAML - a release of the SAML module which replaces log4j 1.x with reload4j will be available in Q2 2022; dates will be updated as they become available.
Data Warehouse - a release of the SAML module which replaces log4j 1.x with reload4j will be available in Q2 2022; dates will be updated as they become available.