Critical Severity

Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Transformation Extender (CVE-2021-44228)


IBM Sterling Transformation Extender is affected by the Log4j2 security vulnerability CVE-2021-44228, in which an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Mitigation steps are posted below while final fix images are pending.

CVE(s): CVE-2021-44228

Affected product(s) and affected version(s):

Affected Product(s)                     Version(s)
IBM Sterling Transformation Extender    10.0.3.0
IBM Sterling Transformation Extender    10.1.0.0, 10.1.0.1
IBM Sterling Transformation Extender    10.1.1.0

NOT Applicable Releases:

This security vulnerability is NOT applicable for the following releases of the product and all associated Industry and Enterprise Packs:

  • WebSphere Transformation Extender 8.4.1.x (where x = { 0 | 1 | 2 | 3 | 4 | 5 })
  • IBM Transformation Extender 9.0.0.x (where x = { 0 | 1 | 2 | 3 | 4 })
  • IBM Transformation Extender 10.0.0.0

Also, not applicable to the following certified container releases:

  • IBM Sterling Transformation Extender Certified Containers 10.0.0
  • IBM Sterling Transformation Extender Certified Containers 10.0.1.x (where x = { 0 | 1 | 2 })
  • IBM Sterling Transformation Extender Runtime Server 10.0.3

NOTE: Applicable to environments where Design Server and Runtime REST API server are used to design and run maps and flows in the environment. All other design and runtime environments are not affected. In other words, Design Studio, Command Server, Launcher, RMI Server and API environments are not affected by this security vulnerability.

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6526646
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921
