Log4Shell Vulnerability Updates

Background

On December 9, 2021 a vulnerability with global impact was publicly disclosed in the Apache Log4j2 logging library, which is embedded in a very large number of Java-based services. A second, related vulnerability in Log4j2 was published on December 14. Together they are known as ‘Log4Shell’ and are tracked as CVE-2021-44228 and CVE-2021-45046. They affect thousands of products and cloud-based services (Apple, Amazon, and Twitter were among the early reported examples) and can lead to Remote Code Execution or Denial-of-Service on vulnerable systems.

Please refer to our Frequently Asked Questions (FAQ) section below for more details.

Updates

FEBRUARY 4, 2022

  • Manhattan is aware of a new critical severity vulnerability in the Chainsaw log-viewer component of Log4j 1.2.x (CVE-2022-23307).
  • Manhattan Associates product versions 2014 and older include Log4j 1.x; however, they do not ship with any base configuration that uses Chainsaw.
  • Manhattan Active products do not use Log4j 1.2.x or the Chainsaw log viewer.
  • Customers who have configured Chainsaw to receive streamed logging events should stop using Chainsaw and adopt a different logging receiver such as XMLSocketReceiver.

JANUARY 21, 2022

  • IBM has released a new update for Cognos. Manhattan customers who previously received updates for Supply Chain Intelligence (SCI) have therefore been sent an additional email with details of this new update.
  • No further updates to this website are expected unless there are new developments.

JANUARY 4, 2022  

  • Updated the FedEx Ship Manager Server actions in the Affected Products Third-Party Software section
  • No further updates to this website are expected unless there are new developments.

DECEMBER 23, 2021

  • All updates and/or remediation steps have been delivered to customers that manage their own environments. Customers with an affected Manhattan product who are still expecting a Log4j-related update should contact their project or support team. Note that deliveries for Third Party Software may continue as we receive more information from those vendors. 
  • Deployments of cumulative product updates and/or remediation steps for Manhattan-hosted environments are nearing completion as deployments are scheduled with customers. 
  • No further updates to this website are expected unless there are new developments. 

DECEMBER 22, 2021

  • Updated delivery status table 
  • Delivery and deployment of updates for affected products continues 

DECEMBER 21, 2021

  • Updated delivery status table 
  • Delivery and deployment of updates for affected products continues 

DECEMBER 20, 2021

We have concluded our assessment of the vulnerability announced on 12/18 (CVE-2021-45105). Based on our base product configurations, an update to Log4j2 2.17.0 is not required for Manhattan products at this time, and customers should continue to deploy the updates currently being delivered. This vulnerability is only reachable when a non-default Pattern Layout uses a Context Lookup such as ${ctx:loginId}, which is why the assessment is tied to the base configurations.

  • Updated delivery status table 
  • Delivery and deployment of updates for affected products continues 

DECEMBER 19, 2021

  • Updated delivery status table
  • Delivery and deployment of updates for affected products continues

DECEMBER 18, 2021

We have received new information concerning another vulnerability in the Log4j2 library published by Apache. This new vulnerability affects Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding the 2.12.3 and 2.3.1 security releases) and has been assigned CVE-2021-45105. It is a Denial-of-Service issue caused by uncontrolled recursion in self-referential lookups, and it is only reachable when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example ${ctx:loginId}). The vulnerability is currently under review by several industry organizations and we are examining any potential impact to our products. We continue to deliver and deploy updates which include the 2.16.0 and 2.12.2 Log4j libraries while we assess this new vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

  • Updated delivery status table
  • Delivery and deployment of updates for affected products continues

DECEMBER 17, 2021

  • Updated third-party software details in the affected product list 
  • Updated delivery status table
  • Delivery of updates to customers with affected on-premise software continues

DECEMBER 16, 2021

  • Completed updates for all Manhattan Active Omni environments
  • Updated third-party software details in the affected product list 
  • Updated delivery status table
  • Delivery of updates to customers with affected on-premise software continues

DECEMBER 15, 2021

Apache has published new information showing that the fix in Log4j2 2.15.0 was incomplete in certain non-default configurations. We continue to follow vendor guidance and are including the latest available version of the Log4j2 library in our most recent cumulative product updates, which address both CVE-2021-44228 and CVE-2021-45046.

  • Confirmed no changes to our Affected / Not Affected product lists
  • Cumulative updates for Manhattan Active Omni are being applied to all environments
  • Cumulative updates for SCPP products are built and being prepared for customer delivery

DECEMBER 14, 2021

We are aware of a new development for the Log4j vulnerability classified as CVE-2021-45046 and are actively investigating this issue. More details to come.

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

  • Added third-party software details to the affected product list 
  • Added update delivery status table 
  • Deploying updates for Hosted and Managed customers   

DECEMBER 13, 2021

  • Completed updates for all Manhattan Active® Omni environments
  • Completed updates for TMS SaaS environments
  • Update preparations for SCPP 2017+ are underway
  • Building and testing updates for SCPP 2015/2016 versions
  • Started delivery of available updates to customers

DECEMBER 12, 2021

  • Built update for Manhattan Active® Omni. Applying it to cloud environments
  • Built update for SCPP 2017 and later versions. Preparing release package
  • Building updates for remaining affected products

DECEMBER 11, 2021

  • Sent initial notification to customers regarding this issue 
  • Created and published FAQ page with details of the vulnerability and affected products 
  • Scanned cloud-hosted environments for susceptibility to this vulnerability 
  • Began building updates for affected products 

DECEMBER 10, 2021 

  • Assessed any potential impact on Manhattan Associates’ products and services 
  • Support and development teams planned updates for any affected applications  
  • Coordinated malware and vulnerability management assistance with industry-leading cybersecurity partners

Updates to this page will continue to be made available throughout the lifecycle of this situation.  Check back often for updates. 

Log4Shell Vulnerability FAQs

What is Log4j? 

Log4j is an open-source, Java-based logging framework maintained by the Apache Software Foundation. It is a Java library embedded in a very large number of applications and services operated by enterprises, frequently as a transitive dependency that the operator is not aware of. 

What Is The Log4j Vulnerability? 

The Apache Foundation's advisory describes the issue as follows: Apache Log4j2 versions 2.14.1 and earlier have JNDI features, used in configuration, log messages, and parameters, that do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. In practice this means any attacker-supplied string that reaches a log statement (an HTTP header, a user name, a search term) can carry a ${jndi:ldap://...} lookup that the vulnerable library resolves.

This vulnerability has a CVSS v3 base score of 10.0, the highest possible severity, and has been assigned CVE-2021-44228. 

More details of the CVE can be found here -  https://nvd.nist.gov/vuln/detail/CVE-2021-44228 

The Apache Foundation subsequently published a second vulnerability, CVE-2021-45046, because the fix in Log4j2 2.15.0 was incomplete in certain non-default configurations (a Pattern Layout with a Context Lookup such as ${ctx:loginId}, or a Thread Context Map pattern such as %X). It was initially rated as a Denial-of-Service issue; Apache later raised it to a CVSS score of 9.0 after it was shown to permit information leakage and, in some environments, remote code execution.

More details of the CVE can be found here - https://nvd.nist.gov/vuln/detail/CVE-2021-45046

What Versions of Log4j Are Affected? 

There are two families of Log4j, 1.x and 2.x. Log4j2 is affected by these vulnerabilities from version 2.0-beta9 through 2.12.1 and from 2.13.0 through 2.15.0; 2.12.2 is the security release for the older 2.12 line and is not affected. Log4j 1.x does not contain the JNDI lookup feature that CVE-2021-44228 and CVE-2021-45046 exploit, but it has been end-of-life since 2015 and has separate issues of its own (see the February 4, 2022 update). 

How Can I Determine If My Systems Are Vulnerable? 

The presence of the Log4j2 core library indicates that an application is potentially susceptible to CVE-2021-44228 and CVE-2021-45046. On disk the library is a JAR file whose name matches the pattern “log4j-core-*.jar”, with the version number in the file name (for example log4j-core-2.14.1.jar). A file-name search alone is not conclusive: the jar is frequently bundled inside a WAR, EAR or application “fat” jar, and some products re-package it under another name. A more reliable check is to open each archive, read the version recorded in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, and look for the class org/apache/logging/log4j/core/lookup/JndiLookup.class that the exploit requires. 
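The scanner below is an added example written for this page (it is not a Manhattan Associates tool) that performs the check described above. It walks a directory tree, opens every .jar/.war/.ear/.zip it finds, recurses into nested archives, reads the log4j-core version from Maven's pom.properties and records whether the JndiLookup class is present. The affected range (2.0-beta9 through 2.15.0, excluding the 2.3.1, 2.12.2 and 2.12.3 security releases) is taken from the NVD entries for the two CVEs. The sample archives it builds in a temporary directory are constructed for the demonstration and contain placeholder bytes rather than real class files.

```python
"""Find log4j-core jars on disk (including jars nested inside WAR/EAR/fat-jar
archives) and report whether each falls in the version range affected by
CVE-2021-44228 / CVE-2021-45046. Added example for this page, not vendor code."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Security releases inside the affected range that already carry the fix (per NVD).
SAFE_BACKPORTS = {"2.3.1", "2.12.2", "2.12.3"}


def version_key(v: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for Log4j-style versions such as 2.0-beta9, 2.0-rc1 or 2.14.1."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    stage = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[m.group(4)]  # pre-releases sort first
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), stage, int(m.group(5) or 0))


def is_affected(version: str) -> bool:
    """True if log4j-core `version` is in 2.0-beta9..2.15.0 and is not a patched backport."""
    if version in SAFE_BACKPORTS:
        return False
    return version_key("2.0-beta9") <= version_key(version) <= version_key("2.15.0")


@dataclass
class Finding:
    location: str           # outer file path; '!' separates nested archive entries
    version: Optional[str]  # None when pom.properties is absent (shaded/rebundled copy)
    jndi_lookup_present: bool

    @property
    def affected(self) -> bool:
        if self.version is not None:
            try:
                return is_affected(self.version)
            except ValueError:
                pass  # unparseable version string: fall through to the class check
        # No usable version metadata: the presence of JndiLookup.class is the best
        # signal left, but it needs manual review because 2.16+ still ships the class.
        return self.jndi_lookup_present


def _scan_zip(data: bytes, location: str, out: List[Finding]) -> None:
    """Inspect one archive held in memory; recurse into any archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    version, jndi = None, False
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else None
            elif name.endswith(JNDI_CLASS):
                jndi = True
            elif name.lower().endswith(ARCHIVE_EXT):
                _scan_zip(zf.read(name), f"{location}!{name}", out)  # nested archive
    if version is not None or jndi:
        out.append(Finding(location, version, jndi))


def scan_tree(root: str) -> List[Finding]:
    """Walk `root` and scan every archive under it; results are sorted by location."""
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    _scan_zip(fh.read(), path, out)
    return sorted(out, key=lambda f: f.location)


def build_sample_tree(root: str) -> None:
    """Create constructed sample archives (not real Manhattan artifacts): an application
    WAR bundling log4j-core 2.14.1, and a loose, already-updated log4j-core 2.17.1 jar."""
    def make_core(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                  f"artifactId=log4j-core\nversion={version}\n")
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
        return buf.getvalue()

    os.makedirs(os.path.join(root, "app"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "app", "orders.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(make_core("2.17.1"))


def demo() -> List[Finding]:
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{'AFFECTED' if f.affected else 'ok':8} version={f.version} "
              f"JndiLookup={f.jndi_lookup_present} {f.location}")
```

Run it unchanged to see the demo, or call scan_tree() on a real installation directory. A finding with no version but with JndiLookup.class present should be treated as “needs manual review” rather than as proof of an affected version: 2.16.0 and 2.17.x still ship the class in a hardened form, so the version in pom.properties (or in the jar's MANIFEST.MF, which this example does not parse) is the deciding evidence when it is available.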

How Can I Protect My Organization From This Vulnerability? 

The recommended approach to address these vulnerabilities is to update the affected Log4j2 library to a fixed version; the cumulative product updates described on this page include Log4j2 2.16.0 (2.12.2 for the older 2.12 line).

Our support and development teams have already developed the updates that replace the Log4j2 library within our products.

Where an update cannot be applied immediately, Apache's documented mitigation for versions 2.0-beta9 through 2.15.0 is to remove the class org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar. Setting the log4j2.formatMsgNoLookups property to true, an earlier suggested workaround, does not protect against CVE-2021-45046 and should not be relied on.

Restricting network access to vulnerable systems, both inbound from the Internet and outbound (exploitation requires the vulnerable JVM to reach an attacker-controlled LDAP or other JNDI endpoint), reduces the likelihood of successful exploitation but is not a substitute for the update.

What Manhattan Associates Products Are Affected?

  • Manhattan Active® Omni 
  • Manhattan Management Console (MMC) – all versions
  • Manhattan Integration Framework (MIF) – versions 2015+ natively (and via webMethods in MIF 2019+) 
  • Supply Chain Intelligence (SCI) - (via Cognos, see Third Party Software below) 
  • Supply Chain Process Platform (SCPP) – versions 2015+ 
    • DFIO/PFIO 
    • DOM 
    • EEM 
    • LM 
    • OLM 
    • SIF 
    • Slotting (2017+)
    • TMS 
    • WMOS
  • Third Party Software (embedded software only) 
    • Cognos - Manhattan has delivered/deployed updates based on the latest IBM guidance
    • FedEx Ship Manager Server – Manhattan provided early guidance; however, on Jan 3rd FedEx began to update their affected FSMS versions directly. Customers should contact their FedEx representative with any questions.
    • webMethods – Vulnerabilities addressed via the MIF updates
    • VoiceConsole - See Guidance from Honeywell
    • SOTI MobiControl -  Guidance from SOTI

  • Please refer to other third-party software vendor websites for their vulnerability statements 

Which Manhattan Associates Products Are Not Affected?

  • Manhattan Active® Warehouse Management
  • Manhattan Active® Transportation Management
  • Manhattan Active® Labor Management
  • Manhattan Active® Allocation
  • SCALE
    • SCI for SCALE is affected via Cognos; see the Third Party Software entry under Affected Products
  • Billing Management
  • Carrier Management
  • Warehouse Management for IBMi (WM iSeries)
  • Third Party Software (embedded software only) 
    • ConnectShip (Progistics) 
    • Mark Magic (Cybra) 
    • Logistyx 
    • TouchWarehouse (Zebra) 
  • Please refer to other third-party software vendor websites for their vulnerability statements 

What Environments Are Affected? 

Any environment where an affected Manhattan Associates product is deployed may be affected by this vulnerability.  This includes environments within: 

  • Manhattan Active® Cloud 
  • Manhattan hosted and SaaS  
  • Customer hosted with Manhattan-managed 
  • Customer hosted and managed  

When Will Updates Be Published For Affected Products?

  • All updates and/or remediation steps have been delivered to customers that manage their own environments. Customers with an affected Manhattan product who are still expecting a Log4j-related update should contact their project or support team. Note that deliveries for Third Party Software may continue as we receive more information from those vendors. 
  • Deployments of cumulative product updates and/or remediation steps for Manhattan-hosted environments are nearing completion as deployments are scheduled with customers. 

What Actions Do Customers Need To Take?

  • Customers should review all systems and applications that interact with any Manhattan Associates product for this vulnerability, including integration middleware, reporting tools and other third-party software. Any systems or applications identified as affected should be evaluated for remediation or workaround. We recommend working with your IT department before taking any action. 

  • Customers who self-manage an affected Manhattan Associates product should apply the delivered update or remediation steps as soon as possible, and should contact their project or support team if they have not received one.