Security Bulletin
Summary
Multiple vulnerabilities in Apache Log4j affect the IBM WebSphere Application Server and IBM Security Guardium Key Lifecycle Manager (CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832). The fix addresses the vulnerability by removing Apache Log4j.
Vulnerability Details
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-44832
DESCRIPTION: Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
|
Principal Product and Version(s) |
Affected Supporting Product and Version(s) |
| IBM Security Key Lifecycle Manager (SKLM) v2.7** [EOS] | WebSphere Application Server v9.0.0.1 |
| IBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5 |
| IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5 |
| IBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0 |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5 |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | WebSphere Application Server Liberty 21.0.0.6 |
** IBM Security Key Lifecycle Manager (SKLM) v2.7 - Applicable only for customers with support extension.
Remediation/Fixes
Depending on your SKLM/GKLM version, see the relevant instructions:
For SKLM 3.0, 3.0.1, 4.0
- Also applicable for SKLM 2.7 (only for customers with a support extension contract).
Required step: Apply WAS fix pack
Apply WebSphere Application Server (WAS) 9.0.5.11. For instructions, see How to install WebSphere Application Server fix pack.
Recommended additional step: Upgrade Java
After you apply the WAS fix pack, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
For GKLM 4.1
- Apply WebSphere Application Server (WAS) 9.0.5.11. For instructions, see How to install WebSphere Application Server fix pack.
- Apply GKLM 4.1.0 FP4. You can download it from Fix Central.
Recommended additional step: Upgrade Java
After you apply the WAS fix pack, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
For GKLM 4.1.1
The issues are fixed in GKLM 4.1.1 - Fix Pack 3. You can download it from Fix Central.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
07 Jan 2022: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
04 May 2022
UID
ibm16539408