Informix Products and the Log4J vulnerability, Fixes Available

Scott Pickett
Jan 7, 2022 8:00 AM
Scott Pickett
As you know, IBM informix has been affected by the Log4j vulnerability. There are three separate issues here, all of which are fixed by the latest fixes to Informix Server versions 12.10.FC15 and 14.10.FC6 and 14.10.FC7 for all editions.
Today we have posted the latest release of Informix 14.10.FC7W1 to Fix Central here:
This new release is an outright replacement for 14.10.FC6 and 14.10.FC7; these releases are going to be discontinued and permanently withdrawn from service. You should discontinue all usage of 14.10.FC6 and 14.10.FC7 as soon as possible as they are not secure across all editions.
Today we have posted the latest release of Informix 12.10.FC15 to Fix Central here:
There are two updated files at the link above which are the Informix-server.jar and informix-agent.jar files for InformixHQ, for the current release of InformixHQ 1.6.3. These are the same files incorporated into 14.10.FC7W1. There will be a full pack release of 12.10.FC15W1 with the installer for release number purposes in the near future. You should apply the interim fix to the 12.10,FC15 release, as it is not secure across all editions and will be withdrawn permanently from service once the new fix is GA, the date for which is presently unknown.
Finally, the Informix Cloud Pak For Data 4.0.5 will be GA on Jan 16 and also has the Informix fixes for the NEO4J within and available. Upgrade instructions links below will be updated on January 16th with updated commands:
and here:
If you are running earlier versions of Informix Cloud Pak for Data based on Informix 14.10.FC6 or Informix 14.10.FC7, for any available Informix Edition, be advised that those Informix Editions have the known log4j security vulnerabilities and should no longer be run. You should upgrade your version of Informix Cloud Pak for Data as soon as possible.
The 14.10 Fix applies to users with Informix On Cloud that are using any of the above affected versions of Informix. The fix for Informix on Cloud users is the same as outlined above.
The above are the only known IBM Informix server products at this time to be affected by the Log4J vulnerability.
Further info:

Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix workaround

Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228):

Scott Pickett
IBM Informix WW Technical Sales IBM Expert Labs
IBM Informix WW Cloud Technical Sales IBM Expert Labs
IBM Informix WW Cloud Technical Sales ICIAE IBM Expert Labs
IBM Informix WW Informix Warehouse Accelerator Sales IBM Expert Labs
Boston, Massachusetts USA
33 Years Informix User
The current Informix Roadshow presentations are here:…

All presentations and the agenda used by the Roadshow can be found there.

Website for Internet Of Things for Informix