SailPoint IdentityIQ Response to log4j Remote Code Execution Vulnerability

A critical vulnerability in the log4j library used in IdentityIQ was announced and is tracked as CVE-2021-44228.

SailPoint has reproduced this vulnerability and determined that IdentityIQ 8.0 and later is susceptible to remote code execution because of it. The level of risk is highly dependent on the components and level of logging that are configured for IdentityIQ in the deployed environment. Some IdentityIQ components receive user-defined input prior to authentication, so this vulnerability could be exploited in some environments before successful authentication to IdentityIQ.

This vulnerability can and should be immediately mitigated by introducing a JVM system property to all IdentityIQ runtime environments including the application server hosting the IdentityIQ server, the IdentityIQ console, and the IdentityIQ Cloud Gateway (not all customers use the IdentityIQ Cloud Gateway). Specifically, as documented in the content for the CVE referenced above, setting log4j2.formatMsgNoLookups to true will prevent the vulnerability from being exploited. This is typically configured in the application startup scripts by defining JVM options or arguments to include -Dlog4j2.formatMsgNoLookups=true as a JVM command line argument.

For the application server environment hosting the IdentityIQ server (Tomcat, JBoss, WebSphere, WebSphere Liberty, or WebLogic), please consult the application server documentation for guidance on the most appropriate method for setting JVM system properties for your deployment configuration. This could be modifying an environment variable in a startup script, modifying directives in a configuration file, or using a CLI command to make changes. In almost all cases, the application server will need to be restarted for the change to take effect.

For the IdentityIQ console launch script in WEB-INF/bin/iiq and WEB-INF/bin/iiq.bat, modify the script to add the JVM argument -Dlog4j2.formatMsgNoLookups=true to the LAUNCHER_OPTS environment variable.

For customers that utilize the IdentityIQ Cloud Gateway to create a distributed connector deployment architecture, modify the bin/catalina.sh or bin/catalina.bat startup script in the Tomcat instance that hosts the Cloud Gateway to add the JVM argument -Dlog4j2.formatMsgNoLookups=true to the JAVA_OPTS environment variable.
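The script edit described for the iiq launcher and the Cloud Gateway's catalina.sh, as an added example (not a SailPoint script): it appends the flag to a double-quoted assignment of JAVA_OPTS or LAUNCHER_OPTS, refuses to touch a script that has no such assignment, stays idempotent on a second run, and verifies the result. The catalina.sh fragment it runs against is constructed for the demo; the real paths come from the deployment.

```sh
#!/bin/sh
# Added example, not SailPoint's own script. Assumes the startup script sets
# the JVM options through a line of the form  VAR="..."  or  export VAR="...".
MITIGATION_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# script_has_mitigation SCRIPT VAR: 0 if VAR's assignment already carries the flag.
script_has_mitigation() {
    grep -q "^\(export \)*${2}=\".*${MITIGATION_FLAG}.*\"" "$1"
}

# add_mitigation_flag SCRIPT VAR: append the flag inside every double-quoted
# assignment of VAR. Idempotent: a script that already carries the flag is left
# untouched. Returns 1 (and changes nothing) if SCRIPT has no assignment of VAR,
# so the operator knows the flag still has to be added by another means.
add_mitigation_flag() {
    script="$1"; var="$2"
    script_has_mitigation "$script" "$var" && return 0
    grep -q "^\(export \)*${var}=\"" "$script" || return 1
    cp "$script" "$script.bak"                      # rollback copy
    sed "s|^\(\(export \)*${var}=\"[^\"]*\)\"|\1 ${MITIGATION_FLAG}\"|" \
        "$script.bak" > "$script"                   # rewrite in place
}

# Demo on a constructed catalina.sh fragment (Cloud Gateway Tomcat instance).
demo_script=$(mktemp)
cat > "$demo_script" <<'EOF'
#!/bin/sh
# constructed sample: Tomcat catalina.sh fragment
export JAVA_OPTS="$JAVA_OPTS -Xms1g -Xmx2g"
EOF
add_mitigation_flag "$demo_script" JAVA_OPTS
script_has_mitigation "$demo_script" JAVA_OPTS && echo "mitigation present in $demo_script"
```

The same call with `LAUNCHER_OPTS` and the path to WEB-INF/bin/iiq covers the console launcher; the application server still has to be restarted for the property to reach the running JVM.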

IdentityIQ 7.3 and earlier is not susceptible to this vulnerability as long as an appender that uses JMSAppender is not in use. Inspection of WEB-INF/classes/log4j.properties will show the appenders that are configured.

The IdentityIQ Connector Gateway used for mainframe connectivity is not susceptible to this vulnerability as long as an appender that uses JMSAppender is not in use. Inspection of log4j.properties will show the appenders that are configured.

Other Windows-based IdentityIQ components (Desktop Password Reset, Active Directory Password Interceptor, and IQService) are not susceptible to this vulnerability since they do not use the Java log4j library.

At a future date, SailPoint will provide security fixes to update the log4j library to version 2.15.0 or later to permanently remove the vulnerability, but the JVM system property described above is an equivalent resolution that can and should be immediately applied.

The entire SailPoint team is available to answer any question you may have about this vulnerability or how to proceed with the mitigation steps. If you have questions, please contact your Customer Success Manager, Engagement Manager, or Partner Manager.
