Critical Severity

An update on the Apache Log4j 2.x vulnerabilities

Share this post:

Update on IBM’s response:
IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely.

IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate or remediate these vulnerabilities in products and services that already have released a remediation based on Log4j 2.15.

With so much active industry research on Log4j, mitigation and remediation recommendations will evolve. We are actively assessing the latest Log4j developments and will share updates accordingly.


Table of Contents


Blog Update February 11, 3:42pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 31, 5:06pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 27, 10:35am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update January 24, 5:32pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 19, 4:35pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 18, 8:35pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update January 15, 10:25am
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 11, 10:30pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update January 10, 6:13pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 10, 8:25am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 7, 4:07pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

A link to the IBM Cloud Security Bulletins page been added for IBM Cloud Services updates on more recent Log4j 2.x vulnerabilities.

Blog Update January 7, 11:20am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 6, 4:20pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 5, 2:16pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 5, 1:50pm
The reference list of security bulletins for remediated products has been updated with links to help better find the Log4j-related bulletins published for that product.

Blog Update January 5, 10:32am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 4, 5:27pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update January 4, 2:30pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 28, 10:01am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 27, 3:33pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 26, 8:10pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 24, 4:35pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 23, 1:53pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 23, 10:00am
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 22, 9:50pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 22, 5:20pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 22, 3:37pm
The CVE-2021-44228 mitigation from Apache referenced below has been updated to reflect the latest guidance on Apache’s advisory page.

Blog Update December 22, 1:40pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 22, 11:15 am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 21, 8:41 pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 21, 6:51 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 21, 5:21 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 21, 1:45 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 21, 11:55 am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 20, 6:02 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 20, 12:50 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 20, 12:18 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 20, 10:35 am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 20, 9:57 am
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 18, 9:05 pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 18, 11:45 am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 17, 11:14 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 17, 5:35 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 17, 4:18 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 17, 4:12 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 17, 2:20 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 17, 12:22 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 17, 11:33 am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 have been updated.

Blog Update December 17, 9:09 am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 16, 6:30 pm
The list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 16, 5:42 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j

Blog Update December 16, 4:25 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated to distinguish between IBM Cloud Services and other products.

A list of published Security Bulletins for Log4j 2.x CVE-2021-44228 has also been added to the Remediated Products section. This list will continue to be updated.

Blog Update December 16, 1:55 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of IBM Cloud Services that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.

Blog Update December 15, 8:35 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated. The list will continue to be updated.

Blog Update December 15, 7:15 pm
A list of IBM Cloud Services that have been remediated for Log4j 2.x CVE-2021-44228 is provided below. The list will continue to be updated.

Blog Update December 15, 5:03 pm
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 has been updated. The list will continue to be updated.

December 15, 4:00 pm
A list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 is provided below. The list will continue to be updated.

December 12
Additional details added specific to each of IBM’s business areas.

December 11
Initial blog release


Summary of IBM’s response to Apache Log4j CVE-2021-44228

IBM is actively responding to the remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). We are investigating and taking action for IBM as an enterprise, IBM products and IBM services that may be potentially impacted, and will continually publish information to help customers detect, investigate and mitigate attacks, if any, to their IBM products and services. 

IBM Enterprise
IBM is continuing to inventory our products and systems potentially impacted by the vulnerability. As necessary, we are removing Log4j or updating to the latest version of Log4j that fixes the vulnerability, and applying mitigations in the interim, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability. 

IBM Software and Systems Products
IBM understands the critical nature of this issue and the need to provide a complete response for all IBM products as soon as possible. IBM development teams are working around the clock to complete the investigation and, as needed, any remediation on this vulnerability.

IBM follows ethical vulnerability disclosure management practices. Such practices are the standard in the industry, required in our contracts, and required by standards and regulations such as from the US NIST/CISA. This means that IBM does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available. If an IBM Software or Systems product is impacted, there will be a bulletin posted on either this IBM PSIRT blog, or the IBM Z and LinuxOne Security Portal, as a soon as a remediation or fix becomes available. Such on-premise IBM products will then need to be updated by the customer as defined within the related security bulletin.

NOTE: If you are running an End of Life/End of Service product, we encourage you to upgrade your product as soon as possible. If you have a product that has a current service extension that includes new defect support and you cannot upgrade to a supported version immediately, please visit the appropriate portal for available fixes or open a support case via standard channels

NOTE: The following link provides general information about the IBM Z and LinuxOne Security Portal and how to access/register: https://www.ibm.com/it-infrastructure/z/capabilities/system-integrity

IBM Consulting
IBM Consulting will continue to work directly with its clients in support of the remediation of custom applications and services through its normal delivery center and platform support processes. 

IBM Security
The IBM X-Force team of hackers, responders, researchers, intelligence analysts and investigators are actively engaged in the response to Log4jShell. Detection and Indicators of Compromise (IOCs) for IBM Security tools are being published on the IBM X-Force Exchange.  

The IBM Managed Security Services (MSS) organization also is reviewing all systems to eliminate the vulnerability. The team is tracking patch releases for impacted platforms that IBM Security Services manages. Clients may see Security Advisory tickets and requests to patch managed devices in the MSS portal. 

Assistance for customers suspecting potential compromise also is available 24/7 via IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. (Note: Requests for updates on IBM products and services should not be directed to this hotline.  Instead, see the Affected Products section below).

IBM Cloud and as-a-Service Products
For IBM Cloud services, IBM is remediating managed as-a-service Cloud offerings as applicable, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability. 

Clients who have deployed their own applications using IBM Cloud Kubernetes Service, Red Hat OpenShift, Cloud Foundry, Code Engine, Cloud Functions, or virtual and bare metal machines are responsible for remediating any Log4j vulnerabilities running on those services.  

For the portion of IBM Cloud services using Java technologies, IBM is continuing to assess and remediate any remaining services using Log4j and validate that mitigating controls remain effective. 

NOTE: For IBM Cloud Services updates on more recent Log4j 2.x vulnerabilities (CVE-2021-45105 and CVE-2021-45046) refer to the IBM Cloud Security Bulletin page.

IBM’s recommendations to its clients:

At this time, IBM recommends organizations running Apache Log4j take the following actions: 

  • Check for vulnerable versions of Apache Log4j in your environments and applications.
  • Implement latest patch to production environments as soon as possible. 
  • Monitor IBM PSIRT for security bulletins
  • Monitor for vendor patches as they become available
  • Implement network controls such as egress controls or Web Application Firewalls to limit exploitation of new vulnerabilities.

Reference material can be found at the Apache.org Log4j Security Vulnerability page. 

Per the Apache Log4j security vulnerability advisory, the following temporary mitigation may provide interim protection for clients who are unable to upgrade Log4j in their workloads quickly: in releases 2.x to 2.15, this behavior can be mitigated by removing the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.


IBM X-Force also has provided an analysis of the Log4j vulnerability, which can be found on the IBM Security Intelligence blog

Users of IBM’s Cloud Internet Services, powered by Cloudflare, may use the Web Application Firewall feature to mitigate attacks against their own workloads hosted in IBM Cloud, by detecting and blocking requests that attempt to exploit the vulnerability. More details are available at https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/ 

IBM recommends that users of IBM Cloud’s firewall services, including Fortigate, Juniper vSRX, Security Groups, and Network ACLs, should configure their firewalls to block unauthorized outbound connections to mitigate against this and similar vulnerabilities. In addition, Fortigate has released IPS rules to detect and block this specific vulnerability (https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability), as has Juniper (https://threatlabs.juniper.net/home/search/#/details/?sigtype=ips&sigid=HTTP:APACHE:LOG4J-JNDI-MGNR-RCE). If you are using a next generation firewall appliance from another supplier, IBM recommends contacting the firewall vendor for specific guidance for mitigating the Log4j vulnerability.


Products not Impacted

IBM’s initial analysis has determined that the following IBM Cloud Services and Products are not susceptible to the Log4j 2.x CVE-2021-44228 vulnerability. Additional IBM Z product information can be found in the IBM Z and LinuxOne Security Portal and additional IBM Cloud Services information can be found on the IBM Cloud Security Bulletins page.

This list is not final.

IBM Cloud Services

  • Analytics Engine Serverless
  • App Configuration
  • App Connect
  • Bare Metal Servers
  • Block Storage
  • Block Storage for VPC
  • Block Storage Snapshots for VPC
  • Blockchain Platform on IBM Cloud
  • Client VPN for VPC
  • Cloud Activity Tracker
  • Cloud Backup
  • Cloud Load Balancer
  • Cloud Monitoring
  • Cloud Satellite
  • Cloud Virtual Server for VPC
  • Code Engine
  • Cognos Mobile for BlackBerry Dynamics (mobile app)
  • Compose Enterprise
  • Compose for Elasticsearch
  • Compose for etcd
  • Compose for MongoDB
  • Compose for MySQL
  • Compose for PostgreSQL
  • Compose for RabbitMQ
  • Compose for Redis
  • Compose for RethinkDB
  • Compose for ScyllaDB
  • Content Delivery Network
  • Databases for DataStax
  • Databases for EDB
  • Databases for Elasticsearch
  • Databases for etcd
  • Databases for MongoDB
  • Databases for PostgreSQL
  • Databases for Redis
  • Dedicated Host for VPC
  • Direct Link Connect
  • Direct Link Connect on Classic
  • Direct Link Dedicated (2.0)
  • Direct Link Dedicated Hosting on Classic
  • Direct Link Dedicated on Classic
  • Direct Link Exchange on Classic
  • DNS Services
  • Event Notifications
  • Event Streams
  • File Storage
  • Flow Logs for VPC
  • Functions
  • Hyper Protect Crypto Services
  • IBM Benefit Modeler
  • IBM Case Manager on Cloud
  • IBM CareNotes
  • IBM Flexible Analytics – Watson Health Cloud
  • IBM Liberty for Java for IBM Cloud
  • IBM Micromedex NeoFax & Pediatrics
  • IBM Micromedex Formulary
  • IBM Security Verify for Android (mobile app)
  • IBM Security Verify for iOS (mobile app)
  • IBM RED BOOK
  • IBM Workload Automation on Cloud
  • IBM X-Force Exchange
  • Key Protect
  • Kubernetes Service
  • Load Balancer for VPC
  • Log Analysis & Cloud Activity Tracker
  • MaaS360 Android Mobile Apps (mobile app)
  • MaaS360 iOS Mobile Apps (mobile app)
  • Mass Data Migration
  • OrbitalRX
  • Red Hat OpenShift on IBM Cloud
  • Schematics
  • Secrets Manager
  • Secure Gateway
  • SQL Query
  • Transit Gateway
  • Virtual Private Cloud
  • Virtual Server for Classic
  • VPN for VPC
  • Weather Company Fusion
  • Weather Company Pilotbrief
  • Watson Language Translator

Products

  • A9000/R
  • AIX
  • Application Gateway
  • Case Manager
  • Cloud foundry for IBM cloud Private
  • Cloud Pak for Data (IBM DB2 Event Store for CP4D)
  • Cognos Command Center
  • Cognos Integration Server
  • Confluent Platform for IBM Cloud Pak for Integration
  • Content Collector for SAP Applications
  • Content Integrator Enterprise Edition
  • Copy Services Manager
  • Datapower Gateway
  • DataStax Enterprise with IBM
  • Datastax enterprise with IBM for IBM Cloud Pak for Data
  • EDB Postgres Advanced Server with IBM
  • EDB PostgreSQL with IBM
  • Emptoris Contract Management
  • Emptoris Program Management
  • Emptoris Sourcing
  • Emptoris Spend Analysis
  • Emptoris Supplier Lifecycle Management
  • Enterprise Content Management System Monitor
  • Enterprise Tape Controller Model C07 (3592) (ETC)
  • FileNet Image Services
  • FileNet Integrated Document Management Desktop, Web Services, and Open Client
  • Financial Transaction Manager for Corporate Payment Services for MP 2.1.1
  • Financial Transaction Manager for Immediate Payments for Multiplatforms (Base)
  • Financial Transaction Manager for SWIFT Services for Multiplatforms
  • Flash System 900 (& 840)
  • FlashSystem v9000
  • GSKit
  • HATS (Host Access Transformation Services)
  • HOD (Host On-Demand)
  • i2 Analyst’s Notebook
  • i2 Analyst’s Notebook
  • i2 Base
  • i2 iBase
  • IBM Accelerator Catalog
  • IBM Analytical Decision Management
  • IBM Application Gateway
  • IBM Application Runtime Expert for i
  • IBM Aspera Endpoint
  • IBM Aspera Enterprise (including all product components)
  • IBM Aspera Enterprise on Demand
  • IBM Aspera fasp.io
  • IBM Aspera on Cloud
  • IBM B2B Advanced Communications
  • IBM Backup, Recovery and Media Services for i
  • IBM Blockchain Platform
  • IBM Blockchain Platform for IBM Cloud Private
  • IBM Business Automation Workflow
  • IBM Business Process Manager
  • IBM Business space
  • IBM b-type Switches and Directors
  • IBM Call Center for Commerce
  • IBM CareDiscovery Electronic Quality Measures
  • IBM CareDiscovery Quality Measures
  • IBM Cloud API Gateway
  • IBM Cloud Automation Manager
  • IBM Cloud Event Management on IBM Cloud Private
  • IBM Cloud Orchestrator
  • IBM Cloud platform common services
  • IBM COBOL for AIX
  • IBM COBOL for Linux on X86
  • IBM COBOL for Windows
  • IBM Cognos Analytics (versions 11.0.5 and lower – see security bulletin for later versions)
  • IBM Cognos Analytics Mobile  / IBM Cognos Analytics Mobile for Android and iOS
  • IBM Cognos Analytics Reports for Android
  • IBM Cognos Analytics Reports for iOS
  • IBM Cognos Command Center
  • IBM Cognos Controller (versions 10.4.1 and lower)
  • IBM Cognos Integration Server
  • IBM Cognos Planning
  • IBM Communications Server for AIX
  • IBM Communications Server for Data Center Development
  • IBM Content Classification
  • IBM Content Collector for SAP
  • IBM Content Manager Enterprise Edition
  • IBM Control Desk
  • IBM c-type Switches and Directors
  • IBM Data Management Platform for EDB Postgres Enterprise
  • IBM Data Management Platform for EDB Postgres Enterprise for IBM Cloud Pak for Data
  • IBM Data Management Platform for EDB Postgres Standard
  • IBM Data Management Platform for EDB Postgres Standard for IBM Cloud Pak for Data
  • IBM Data Management Platform for MongoDB Enterprise Advanced for IBM Cloud Pak for Data
  • IBM Data Server Driver for JDBC and SQLJ & IBM Data Server Driver for ODBC and CLI components of Db2 Advanced Enterprise Server Edition
  • IBM Data Server Manager
  • IBM Data Studio
  • IBM Database Add-Ins for Visual Studio
  • IBM Db2 Connect
  • IBM Db2 Event Store
  • IBM Db2 Merge Backup for Linux, UNIX and Windows
  • IBM Db2 Mirror for i
  • IBM Db2 Recovery Expert for Linux, UNIX and Windows
  • IBM Decision Optimization Center
  • IBM Edge Application Manager
  • IBM Emptoris Contract Management
  • IBM Emptoris Program Management
  • IBM Emptoris Services Procurement
  • IBM Emptoris Sourcing
  • IBM Emptoris Spend Analysis
  • IBM Emptoris Strategic Supply Management Platform
  • IBM Emptoris Supplier Lifecycle Management
  • IBM Engineering Systems Design Rhapsody – Model Manager
  • IBM enterprise records
  • IBM FHIR Server
  • IBM FileNet Image Services
  • IBM FileNet IS HDS connectors
  • IBM FileNet Print
  • IBM FileNet Content Manager
  • IBM FileNet High Performance Image Report
  • IBM Financial Crimes Insight for Entity Research
  • IBM FlashSystem 5000 Series
  • IBM FlashSystem 7000 Series
  • IBM FlashSystem 9000 Series
  • IBM Flexible Analytics
  • IBM Fluid Query
  • IBM Health Insights Adhoc Report Writer (Previously known as IBM Advantage Suite Adhoc Report Writer)
  • IBM HTTP Server
  • IBM i Access Client Solutions
  • IBM i Access Family
  • IBM i Access Family – Access for Web
  • IBM i Advanced DBCS Printer Support
  • IBM i Advanced Function Printing
  • IBM i Advanced Job Scheduler
  • IBM i AFP DBCS Fonts
  • IBM i AFP Font Collection
  • IBM i AFP Fonts
  • IBM i Business Graphics Utility
  • IBM i CICS
  • IBM i Communications Utilities
  • IBM i Cryptographic Device Manager
  • IBM i Db2 Query Manager and SQL Development Kit
  • IBM i Db2 UDB Extenders
  • IBM i Developer Kit for Java
  • IBM I Facsimile Support
  • IBM i HTTP Server
  • IBM i InfoPrint Designer
  • IBM i InfoPrint Fonts
  • IBM i InfoPrint Server
  • IBM i Integrated Domino Facsimile
  • IBM i Job Scheduler
  • IBM i Managed System Services
  • IBM i Network Authentication Enablement
  • IBM i Performance Tools
  • IBM i Portable Utilities
  • IBM i Query
  • IBM i Rational Application Management Toolset
  • IBM i Rational Development Studio
  • IBM i Rational Open Access, RPG Edition
  • IBM i System Manager
  • IBM i System/38 Utilities
  • IBM i TCP/IP Utilities
  • IBM i Transform Services
  • IBM i Universal Manageability Enablement
  • IBM i WebSphere Development Studio
  • IBM i XML Toolbox
  • IBM ILOG CP
  • IBM ILOG CPLEX Optimization Studio
  • IBM InfoSphere Data Architect
  • IBM Installation Manager
  • IBM Integration Bus Healthcare Pack
  • IBM Integration Bus Retail Pack
  • IBM Kenexa LCMS Premier
  • IBM Kenexa LMS
  • IBM Market Expert
  • IBM MarketScan Treatment Pathways
  • IBM Maximo APM – Asset Health Insights SaaS
  • IBM Maximo Asset Performance Management On-Premises
  • IBM Maximo Enterprise Adapter Oracle
  • IBM Maximo Enterprise Adapter SAP
  • IBM Maximo for Nuclear Power
  • IBM Maximo for Oil and Gas
  • IBM Maximo for Transportation
  • IBM Maximo for Utilities
  • IBM Maximo Health, Safety, and Environment Manager
  • IBM Maximo MRO Inventory Optimization
  • IBM Maximo Spatial Asset Management
  • IBM Maximo Visual Inspection
  • IBM Message Service Client (XMS) for C/C++
  • IBM MobileFirst Platform Foundation
  • IBM Mono2Micro
  • IBM MQ Appliance
  • IBM MQ for HPE NonStop v8.1
  • IBM Netezza
  • IBM Netezza Analytics
  • IBM Netezza Analytics – NPS
  • IBM Netezza Fluid Query
  • IBM Netezza for Cloud Pak for Data System
  • IBM Netezza SQL Extensions
  • IBM Netezza SQL Extensions – NPS
  • IBM Network Advisor
  • IBM Now Factory Analytics
  • IBM Now Factory Sourceworks
  • IBM Operational Decision Manager on Cloud
  • IBM Optim pureQuery Runtime for Linux, Unix and Windows
  • IBM Order Management Software
  • IBM Packaging Utility
  • IBM Payments Director Transaction Services
  • IBM Planning Analytics 2.0 when using IBM Planning Analytics Workspace (PAW) 2.0.55 and lower – see security bulletin for later versions of PAW
  • IBM Platform RTM
  • IBM PowerHA System Mirror for i
  • IBM Prerequisite scanner
  • IBM Price Transparency
  • IBM Process Mining
  • IBM QRadar Incident Forensics
  • IBM QRadar Vulnerability Manager
  • IBM QRadar WinCollect
  • IBM Rational ClearCase
  • IBM Rational ClearQuest
  • IBM Rational Functional Tester
  • IBM Rational Integration Tester (including IBM Rational Test Virtualization Server, IBM Rational Performance Test Server, IBM Rational Test Control Panel, and IBM Rational Integration Tester Agent)
  • IBM Rational Rose
  • IBM Rational Service Tester
  • IBM Rational Software Architect Designer
  • IBM Rational Test RealTime
  • IBM Robotic Process Automation
  • IBM Robotic Process Automation with Automation Every where
  • IBM Safer Payments
  • IBM SDK for Node.js
  • IBM SDK, Java Technology Edition
  • IBM Security Access Manager & Verify Access Integrations
  • IBM Security Directory Server
  • IBM Security Directory Suite
  • IBM Security Guardium STAPs (Windows & Linux) and GIM clients
  • IBM Security Pinpoint Detect
  • IBM Security SiteProtector
  • IBM Security Trusteer Rapport
  • IBM Security Verify Bridge
  • IBM Security Verify Gateway for Linux PAM and AIX PAM
  • IBM Security Verify Gateway for Radius
  • IBM Security Verify Gateway for Windows Login
  • IBM Security Verify Privilege Account Lifecycle Manager
  • IBM Security Verify Privilege Behavior Analysis
  • IBM Security Verify Privilege DevOps Vault
  • IBM Security Verify Privilege Manager
  • IBM Security Verify Privilege Server Suite
  • IBM Security Verify Privilege Vault
  • IBM Security Verify Privilege Vault Remote
  • IBM SOA Policy Pattern for Red Hat Enterprise Linux Server 2.0
  • IBM Spectrum Accelerate
  • IBM Spectrum LSF Predictor
  • IBM Spectrum LSF Simulator
  • IBM Spectrum Protect HSM for Windows
  • IBM Spectrum Scale Transparent Cloud Tiering
  • IBM Spectrum Virtualize
  • IBM Sterling Connect:Direct Browser User Interface
  • IBM Sterling Connect:Direct for HP NonStop
  • IBM Sterling Connect:Direct for i5/OS
  • IBM Sterling Connect:Direct for OpenVMS
  • IBM Sterling Connect:Direct FTP+
  • IBM Sterling Connect:Express for Microsoft Windows
  • IBM Sterling Connect:Express for UNIX
  • IBM Sterling Order Management (on-prem)
  • IBM Sterling Transformation Extender Pack for Financial Payments
  • IBM Streams
  • IBM Suite License Service
  • IBM System Dashboard for Enterprise Content Management
  • IBM System Storage DS3950/DS5020/DS5100/DS5300 Refresh
  • IBM System Storage Storwize V7000 Unified (V7000U)
  • IBM Tivoli Composite Application Manager for Applications
  • IBM Tivoli Federated Identity Manager
  • IBM Tivoli Netcool Configuration Manager
  • IBM Tivoli Netcool Ominbus (a product, and also a component of IBM Netcool Operations Insight)
  • IBM Transformation Extender Advanced
  • IBM Transformation Extender Pack for SAP Applications
  • IBM Transformation Extender Pack for SWIFT
  • IBM Transformation Extender with Launcher Hypervisor Edition
  • IBM Treatment Cost Calculator
  • IBM Trusteer Mobile SDK
  • IBM Trusteer TMA (TrustBoard)
  • IBM Voice Agent with Watson
  • IBM Voice Gateway
  • IBM Watson Annotator for Clinical Data 
  • IBM Watson IoT Platform – Message Gateway
  • IBM WebSphere Application Server Developer Tools for Eclipse
  • IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter
  • IBM WebSphere Application Server Migration Toolkit
  • IBM WebSphere Message Broker Extender for TIBCO RV
  • IBM Workload Automation
  • IBM Workload Scheduler
  • IBM XIV Storage System
  • IBM® Netezza® Performance Server for IBM Cloud Pak® for Data
  • ICP4A-Business Automation Content Analyzer
  • Informix 4GL
  • Informix C-ISAM
  • Informix Client Software Development Kit
  • Informix Enterprise Gateway Manager
  • Informix ESQL/COBOL
  • Informix JDBC Driver/Embedded SQL
  • Infosphere Data Replication
  • InfoSphere Identity Insight
  • InfoSphere Optim Data Growth Solution
  • InfoSphere Optim Data Privacy for Unstructured Data
  • InfoSphere Optim Test Data Fabrication
  • InfoSphere QualityStage Address Verification Interface
  • ITCAM for Transactions – MQ DC
  • LTO Tape Drives
  • Maximo Archiving with InfoSphere Optim Data Growth Solution
  • Maximo Asset Management Scheduler
  • Maximo Calibration
  • Maximo EAM SaaS
  • Maximo for Life Sciences
  • Maximo Linear Asset Manager
  • Merge Cardio
  • Merge Hemo
  • Message Hub
  • MQ on IBM Cloud
  • OmniFind Text Search Server for DB2 for i
  • OPENBMC
  • Optim Data Growth Solution for JD Edwards EnterpriseOne
  • Optim Data Privacy Solution
  • Optim High Performance Unload for DB2 for Linux, UNIX and Windows
  • PCOMM (Personal Communications)
  • PL/1 for AIX
  • Platform License Scheduler
  • Platform Process Manager
  • Power firmware
  • PowerHA
  • PowerSC
  • PowerVC
  • PowerVM Hypervisor
  • PowerVM VIOS
  • PureData System for Analytics
  • QRadar Advisor
  • QRadar Incident Forensics
  • Qradar Network Threat Analytics
  • QRadar On Cloud (QRoC)
  • QRadar SIEM
  • QRadar Vulnerability Manager
  • QRadar WinCollect Agent
  • Quantum Services
  • Rational Application Developer
  • Rational Application Developer for WebSphere Software
  • Rational Asset Manager Enterprise Edition
  • Rational Business Developer (RBD)
  • Rational Change
  • Rational Developer for AIX and Linux
  • Rational Developer for i
  • Rational Software Application Designer
  • Rational Synergy
  • Reactive Platform
  • Remote Execution and Access
  • Robotic Process Automation
  • SAN Volume Controller and Storwize Family
  • Spectrum Archive Library Edition
  • Spectrum Discover
  • Spectrum Protect Client Management Service
  • Spectrum Protect for Databases: Data Protection for Oracle
  • Spectrum Protect for Databases: Data Protection for SQL
  • Spectrum Protect for Enterprise Resource Planning
  • Spectrum Protect for Mail: Data Protection for Domino
  • Spectrum Protect for Mail: Data Protection for Exchange
  • Spectrum Protect for Workstations
  • Spectrum Protect Plus Db2 Agent
  • Spectrum Protect Plus Exchange Agent
  • Spectrum Protect Plus File Systems Agent
  • Spectrum Protect Plus MongoDB Agent
  • Spectrum Protect Plus O365 Agent
  • Spectrum Protect Plus Oracle Agent
  • Spectrum Protect Plus SQL Agent
  • Spectrum Protect Server
  • Spectrum Protect Snapshot for UNIX
  • Sterling Gentran
  • Sterling Gentran:Server for Microsoft Windows
  • Sterling Order Management
  • Sterling Transformation Extender Pack for ACORD
  • Sterling Transformation Extender Pack for Financial Services
  • Sterling Transformation Extender Pack for FIX
  • Sterling Transformation Extender Pack for NACHA
  • Sterling Transformation Extender Pack for PeopleSoft
  • Sterling Transformation Extender Pack for SAP R/3
  • Sterling Transformation Extender Pack for SEPA
  • Sterling Transformation Extender Pack for Siebel
  • Sterling Transformation Extender Pack for SWIFT
  • Sterling Transformation Extender Packs for EDI
  • Sterling Transformation Extender Packs for Healthcare
  • Sterling Transformation Extender Trading Manager
  • Storage TS2900 Library
  • Storage TS3100-TS3200 Library
  • Storage TS4500 Library
  • Storage Virtualization Engine TS7700
  • Surveillance Insight for Financial Services Solution on Cloud (stand-alone) / (also part of) IBM Financial Crimes Insight)
  • Tape System Library Manager
  • Tivoli Application Dependency Discovery Manager
  • Tivoli Composite Application Manager for J2EE
  • Tivoli Composite Application Manager for Microsoft Applications
  • Tivoli Composite Application Manager for SOA
  • Tivoli Composite Application Manager for Transactions
  • Tivoli Composite Application Manager for WebSphere
  • Tivoli Directory Integrator
  • Tivoli Monitoring for Virtual Environments
  • Tivoli System Automation for Multiplatforms
  • Total Storage Service Console (TSSC) / TS4500 IMC
  • Transformation Extender Pack for Healthcare
  • Transformation Extender Pack for Supply Chain
  • Trusteer Mobile SDK
  • Trusteer Pinpoint Assure
  • Trusteer Pinpoint Detect
  • Trusteer Rapport
  • TS3310
  • TS3500
  • TS4300
  • Urbancode Deploy
  • Virtualization Management Interface
  • Visual Inspection Component
  • VM Recovery Manager
  • Weather Company Max Engage for Enterprise with Watson
  • Weather Company Max Solution
  • WebSphere Data Interchange
  • WebSphere eXtreme Scale
  • WebSphere Liberty
  • WebSphere Message Broker Connectivity Pack for Healthcare
  • WebSphere Message Broker File Extender
  • WebSphere Message Broker with Rules and Formatter Extension
  • WebSphere MQ for HP NonStop v5.3.1
  • WebSphere Transformation Extender for SEPA
  • WebSphere Transformation Extender Pack for PeopleSoft
  • WebSphere Transformation Extender Packs for ACORD
  • WebSphere Transformation Extender Packs for NACHA
  • Workload Automation
  • Workload Deployer Image for x86 Systems
  • Workstation APL2 for Multiplatforms
  • X-Force Red Offensive Security Services on Cloud
  • XIV Management Tools
  • XL C/C++ for AIX
  • XL C/C++ for Linux
  • XL Fortran for AIX
  • XL Fortran for Linux
  • 3592 Tape Drives

Additional IBM Z product information can be found in the IBM Z and LinuxOne Security Portal


Remediated Products

IBM as-a-Service Products

The following IBM as-a-Service products, including IBM Cloud Services, were impacted by Log4j 2.x CVE-2021-44228 and have since been remediated by IBM. For IBM Cloud Services updates on more recent Log4j 2.x vulnerabilities, refer to the IBM Cloud Security Bulletins page.

Clients who have deployed their own applications using IBM Cloud Kubernetes Service, Red Hat OpenShift, Cloud Foundry, Code Engine, Cloud Functions, or virtual and bare metal machines are responsible for remediating any Log4j vulnerabilities running on those services.

  • Analytics Engine – added Dec.16th
  • API Connect for IBM Cloud – added Dec.16th
  • App ID – added Dec.15th
  • Certificate Manager – added Dec.15th
  • Cloud Pak for Security (CP4S) SaaS  – added Jan. 5th
  • Cloud Object Storage – added Dec.15th
  • Cloud Object Storage (Classic) – added Dec.15th
  • Cloudant – added Dec.15th
  • Container Registry – added Dec.15th
  • Container Security Services – added Dec.15th
  • Continuous Delivery – added Dec.15th
  • DataStage SaaS – added Dec.16th
  • DB2 on Cloud – added Dec.16th
  • DB2 Warehouse on Cloud – added Dec.16th
  • DynaMed & Micromedex with Watson – added Dec. 21st
  • Hyper Protect DBaaS for MongoDB – added Dec.15th
  • Hyper Protect DBaaS for PostgreSQL – added Dec.15th
  • Hyper Protect Virtual Server – added Dec.15th
  • IBM Account Group Insights – added Dec. 22nd
  • IBM Benefits Mentor with Watson – added Dec. 27th
  • IBM Client Data Gateway for Health – added Dec. 27th
  • IBM Cloud Foundry Public – added Dec.16th
  • IBM DataProbe – added Dec. 27th
  • IBM Digital Health Pass – added Dec. 27th
  • IBM Explorys Platform with EPM – added Dec. 20th
  • IBM Explorys Therapeutic Datasets Delivered – added Dec. 20th
  • IBM Health Insights Dashboards – added Dec. 22nd
  • IBM Health Insights Explorer – added Dec. 23rd
  • IBM Health Insights Watson Change Detection – added Dec. 23rd
  • IBM Health Interoperability – added Dec. 27th
  • IBM MarketScan Inpatient View and Outpatient View – added Dec. 27th
  • IBM Micromedex Pharmaceutical Knowledge – added Dec. 21st
  • IBM Micromedex with Watson – added Dec. 21st
  • IBM Phytel Atmosphere – added Dec. 27th
  • IBM Return-to-Workplace Advisor – added Dec. 27th
  • IBM Security Verify – added Dec.17th
  • IBM Supply Chain Business Network – added Dec. 23rd
  • IBM Watson Care Manager – added Dec. 27th
  • Internet Services – added Dec.15th
  • J-SURS – added Dec. 27th
  • Knowledge Studio – added Dec.15th
  • MaaS360 SaaS  – added Jan. 5th
  • Watson Openscale – added Dec.16th
  • Managed VMware Service – added Dec.15th
  • Match 360 with Watson – added Dec.16th
  • Natural Language Understanding – added Dec.15th
  • VMware Solutions – added Dec.15th
  • VMware vCenter Server – added Dec.15th
  • VMware vSphere – added Dec.15th
  • vRealize Operations and Log Insight – added Dec.15th
  • Watson Assistant – added Dec.16th
  • Watson Discovery – added Dec.16th
  • Watson Knowledge Catalog – added Dec.16th
  • Watson Machine Learning – added Dec.16th
  • Watson Natural Language Classifier  – added Jan. 4th
  • Watson Openscale – added Dec.16th
  • Watson Query – added Dec. 20th
  • Watson Speech to Text   – added Dec.16th
  • Watson Studio – added Dec.16th
  • Watson Text to Speech – added Dec.16th
  • Watson Tone Analyzer – added Dec.16th

IBM On-Premise Products

Individual product security bulletins will be published for IBM products that have been determined to be susceptible to the Log4j 2.x vulnerabilities, with information on how to remediate the vulnerability. Subscribe to Security Bulletins to be notified of new product bulletins. Additional IBM Z product information can be found in the IBM Z and LinuxOne Security Portal.

If you are running an End of Life/End of Service product, we encourage you to upgrade your product as soon as possible. If you have a product that has a current service extension that includes new defect support and you cannot upgrade to a supported version immediately, please visit the appropriate portal for available fixes or open a support case via standard channels.

Individual product Security Bulletins have been published for the below products, which provide information on how to mitigate and/or remediate the Log4j 2.x vulnerabilities:

More stories

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from expat, Golang Go, gcc, openssl and libxml.

May 16, 2022 | Critical Severity

Multiple issues were identified in Red Hat UBI(ubi8/ubi-minimal) v8.5-x packages "expat", "gcc", "openssl", "libxml" and go-toolset v1.16.x that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images. ...read more


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift

May 12, 2022 | Critical Severity

IBM Security Guardium has fixed these vulnerabilities by updating the Apache Thrift component. ...read more


Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-44142)

May 12, 2022 | Critical Severity

A Samba vulnerability affects IBM Spectrum Scale SMB protocol access method that could allow a remote authenticated attacker to execute arbitrary code on the system. ...read more