
HCL Alert

Classification
These posts contain security alerts, including digital loopholes, electronic attacks and technical updates, and they are classified based on the level of severity.

Critical

High

Medium

Low

Warning Date: 14 December, 2021

Severity Level: Critical

Warning Number: 2021-4051

Target Sector: All

Description:

HCL has released a security alert to address the Apache log4j vulnerability in the following product:

  • HCL Commerce
    • 7
    • 8
    • 9.0.0.x
    • 9.0.1.x
    • 9.1.x

Threats:

A remote attacker could exploit this vulnerability to execute arbitrary code.

Best practice and Recommendations:
The CERT team encourages users to review the HCL security advisory and apply the necessary mitigation according to the affected version:

  • HCL Commerce v8 with WebSphere v8.5.5 + Java 1.7
    • HCL Commerce 8 ships a Log4j v1 jar, but it is not being used. You can remove it if you are concerned:
      • WC\lib\log4j.jar
      • Search\lib\log4j.jar

  • HCL Commerce v8 with WebSphere v8.5.5 + Java 1.8
    • HCL Commerce 8 ships a Log4j v1 jar, but it is not being used. You can remove it if you are concerned:
      • WC\lib\log4j.jar
      • Search\lib\log4j.jar

  • HCL Commerce v9.0.0.0 - v9.0.0.13
    • WebSphere Application Server:
      1. Remove `systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar` from ts-app if exposing the WAS admin console. See "How to remove files from the Docker image" (below).
      2. If you have optionally configured the WAS Sample UDDI registry in ts-app, set the system property `-Dlog4j2.formatMsgNoLookups=true`. See "How to set the system property" (below).

  • HCL Commerce v9.0.1.0 - v9.0.1.17
    • WebSphere Application Server:
      1. Remove `systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar` from ts-app if exposing the WAS admin console. See "How to remove files from the Docker image" (below).
      2. If you have optionally configured the WAS Sample UDDI registry in ts-app, set the system property `-Dlog4j2.formatMsgNoLookups=true`. See "How to set the system property" (below).

  • HCL Commerce v9.1.0 - 9.1.8 with Solr Search
    • WebSphere Application Server:
      1. Remove `systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar` from ts-app if exposing the WAS admin console. See "How to remove files from the Docker image" (below).
      2. If you have optionally configured the WAS Sample UDDI registry in ts-app, set the system property `-Dlog4j2.formatMsgNoLookups=true`. See "How to set the system property" (below).

  • HCL Commerce v9.1.0 - 9.1.6 with Elastic Search
    • If using the provided helm charts, the Ingress rules do not enable external access to your search-nifi-app. If you have opened Ingress access to search-nifi-app, you will either need to close this access or upgrade to HCL Commerce 9.1.7 or above.
      1. Customize your search-ingest-app Docker image to set the system property `-Dlog4j2.formatMsgNoLookups=true`. See "How to set the system property" (below).

  • HCL Commerce v9.1.7 - 9.1.8 with Elastic Search
    • HCL Commerce:
      • Customize both your search-ingest-app and search-nifi-app Docker images to set the system property `-Dlog4j2.formatMsgNoLookups=true`. See "How to set the system property" (below).
    • WebSphere Application Server:
      1. Remove `systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar` from ts-app if exposing the WAS admin console. See "How to remove files from the Docker image" (below).
      2. If you have optionally configured the WAS Sample UDDI registry in ts-app, set the system property `-Dlog4j2.formatMsgNoLookups=true`. See "How to set the system property" (below).
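The two mitigations above (removing the `log4j*.jar` files from the image, and starting the JVM with `-Dlog4j2.formatMsgNoLookups=true`) are easy to get half-right, so the following added verification script (not HCL's own tooling) checks an extracted image filesystem for remaining jars and checks a JVM argument string for the property. The directory layout it creates is constructed for the example; the `check_image` function and its result strings are this script's own convention.

```shell
#!/bin/sh
# Added verification helper, not part of the HCL advisory or product.
# Assumes the image filesystem has been exported to a directory (for example
# with `docker export`), or that the v8 WC\lib and Search\lib paths are given.

# List every log4j*.jar under a root directory, one path per line.
find_log4j_jars() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | sort
}

# Return 0 only if the JVM argument string carries the exact mitigation
# property. Note: Log4j honours this property only from 2.10 onwards, so the
# jar versions reported by find_log4j_jars still need to be reviewed.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report both findings for one image: "jars-present" and/or "flag-missing",
# or "ok" when no jar remains and the property is set.
check_image() {
    findings=""
    [ -n "$(find_log4j_jars "$1")" ] && findings="jars-present"
    has_nolookups_flag "$2" || findings="${findings:+$findings }flag-missing"
    echo "${findings:-ok}"
}

# Constructed sample layout mirroring the admin console path in the advisory;
# the jar is an empty placeholder file, not a real Log4j artifact.
make_demo_root() {
    d="$(mktemp -d)"
    mkdir -p "$d/systemApps/isclite.ear/kc.war/WEB-INF/lib"
    : > "$d/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core.jar"
    : > "$d/systemApps/isclite.ear/kc.war/WEB-INF/lib/other-lib.jar"
    echo "$d"
}

DEMO_ROOT="$(make_demo_root)"
echo "jars found:"; find_log4j_jars "$DEMO_ROOT"
check_image "$DEMO_ROOT" "-Xmx2g"                                    # jars-present flag-missing
check_image "$DEMO_ROOT" "-Xmx2g -Dlog4j2.formatMsgNoLookups=true"   # jars-present
rm -rf "$DEMO_ROOT"
```

Run it against a real export by replacing `DEMO_ROOT` with the exported filesystem path and the second argument with the container's actual JVM arguments (for example from `ps` output or the image's entrypoint).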


For more information:

Last updated at 14 December, 2021
