Critical Severity
Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)
January 25, 2022
There are multiple vulnerabilities in Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307), as described in the vulnerability details section. Db2 Web Query for i uses Apache Log4j v1 to generate logs and diagnostic traces in some of its components. IBM has addressed these vulnerabilities in Db2 Web Query for i by upgrading to Apache Log4j 2.17.
CVE(s): CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, CVE-2021-4104
Affected product(s) and affected version(s):
| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Db2 Web Query for i | 2.2.0 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/6550822
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048