Critical Severity

Security Bulletin: IBM Security Identity Manager Virtual Appliance is vulnerable to arbitrary code execution due to Apache Log4j and other issues (CVE-2021-4104, CVE-2021-45046, CVE-2021-38951)


IBM Security Identity Manager Virtual Appliance (ISIM VA) is vulnerable to arbitrary code execution due to Apache Log4j CVE-2021-4104 and CVE-2021-45046. Apache Log4j is used by ISIM VA as part of its logging infrastructure. This fix upgrades to Apache Log4j v2.17.1. ISIM VA has also upgraded the other vulnerable components listed below.
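As an added example (it is not IBM's code and not part of this bulletin), the following Python script checks a deployment for the two conditions the bulletin describes: a log4j-core jar below the 2.17.1 fix level, and a Log4j 1.x jar that still carries the JMSAppender class behind CVE-2021-4104. It reads the version from the Maven pom.properties entry that log4j-core jars ship, recurses into nested jars inside WAR/EAR files, and flags anything needing action. The sample archives are constructed in memory for the demonstration; the comparison of plain major.minor.patch strings is an assumption that holds for Log4j 2 release versions.

```python
import io
import re
import zipfile
from pathlib import Path

# Fix level stated in the bulletin: log4j-core 2.17.1. Assumption: a plain
# major.minor.patch tuple comparison is enough for Log4j 2 release strings.
FIXED_LOG4J2_VERSION = (2, 17, 1)

# Maven metadata that log4j-core jars carry; the version line lives here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Log4j 1.x class behind CVE-2021-4104 (JMSAppender); its presence means a
# Log4j 1.x jar is still on the classpath.
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
# Log4j 2 JNDI lookup class; reported for context, the version decides the outcome.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); returns None when the string is not major.minor.patch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_archive(data, name):
    """Inspect one jar/war/ear given as bytes and recurse into nested archives.

    Returns a list of findings dicts, one per archive that contains Log4j material.
    """
    results = []
    finding = {"archive": name, "log4j2_version": None,
               "log4j1_jms_appender": False, "jndi_lookup_present": False,
               "action_needed": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    finding["log4j2_version"] = line.split("=", 1)[1].strip()
        finding["log4j1_jms_appender"] = JMS_APPENDER_CLASS in names
        finding["jndi_lookup_present"] = JNDI_LOOKUP_CLASS in names
        # Nested archives (e.g. WEB-INF/lib/*.jar inside a WAR) are inspected too.
        for entry in sorted(names):
            if entry.lower().endswith((".jar", ".war", ".ear")):
                results.extend(inspect_archive(zf.read(entry), f"{name}!{entry}"))

    version = finding["log4j2_version"]
    if version is not None:
        parsed = parse_version(version)
        # Unparseable version strings are flagged for manual review, not ignored.
        if parsed is None or parsed < FIXED_LOG4J2_VERSION:
            finding["action_needed"] = True
    if finding["log4j1_jms_appender"]:
        finding["action_needed"] = True
    if version is not None or finding["log4j1_jms_appender"] or finding["jndi_lookup_present"]:
        results.insert(0, finding)
    return results


def scan_directory(root):
    """Walk a directory tree and inspect every .jar/.war/.ear found under it."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".jar", ".war", ".ear"):
            results.extend(inspect_archive(path.read_bytes(), str(path)))
    return results


def build_sample_archive(entries):
    """Build an in-memory zip from {entry_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an old log4j-core, the fixed level, a Log4j 1.x jar,
    # and a WAR that bundles the old core in WEB-INF/lib.
    old_core = build_sample_archive({POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP_CLASS: b""})
    fixed_core = build_sample_archive({POM_PROPS: "version=2.17.1\n"})
    legacy = build_sample_archive({JMS_APPENDER_CLASS: b""})
    war = build_sample_archive({"WEB-INF/lib/log4j-core.jar": old_core})
    for blob, label in [(old_core, "old.jar"), (fixed_core, "fixed.jar"),
                        (legacy, "log4j-1.2.jar"), (war, "app.war")]:
        for finding in inspect_archive(blob, label):
            print(finding)
```

Run `scan_directory("/path/to/appliance/libs")` against an exported file system to get the same findings for real archives; the "action_needed" flag is set for any log4j-core below 2.17.1, for any version string the script cannot parse, and for any jar that still contains the Log4j 1.x JMSAppender class.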

CVE(s): CVE-2021-38951, CVE-2021-4104, CVE-2021-45046

Affected product(s) and affected version(s):

Affected Product(s)   Version(s)
ISIM VA               7.0.2
ISIM VA               7.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6612331
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/211405
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195
