Critical Severity

Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105)

Share this post:

Apache Log4j open source library used by IBM® Db2® is affected by multiple vulnerabilities that could allow a remote attacker to execute arbitrary code on the system or cause a denial of service. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the Apache Log4j library to 2.17.0

CVE(s): CVE-2021-45105, CVE-2021-45046

Affected product(s) and affected version(s):

Fix pack levels of IBM Db2 V11.5 for all editions on all platforms are affected only if the following features are configured:

Federation:  

  •   DVM JDBC wrapper driver,
  •   NoSQL wrapper driver (for Hadoop),
  •   Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)

 

IBM Db2 V9.7, V10.1, V10.5 and V11.1 are not affected.

 

To determine if Federation is enabled, issue the following:

       db2 get dbm cfg | grep FEDERATED

If a value of NO is returned, you are not vulnerable.

 

You can determine if you are using one of the affected wrappers by performing:

To determine if the DVM JDBC wrapper is in use, issue the following statement:

        db2 "select servername from syscat.serveroptions where option = 'DRIVER_CLASS' and setting = 'com.rs.jdbc.dv.DvDriver'"

        If a servername is returned, then you are using the DVM JDBC wrapper via the DvDriver class.

To determine if the NoSQL hadoop wrapper is in use, issue the following statement:

       db2 "select * from syscat.servers where servertype = 'HDFSPARQUET'" 

       If 1 or more rows are returned, then NoSQL hadoop wrapper is in use.

 

To determine if the NoSQL Blockchain wrapper is in use, issue the following statement:

       db2 "select * from syscat.serveroptions where option='PEER_URL'"

       If 1 or more rows are returned, then NoSQL Blockchain wrapper is in use.

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6528672
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195

More stories

Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)

Jan 21, 2022 7:01 pm EST | Critical Severity

There are multiple Apache Log4j (CVE-2021-45105, CVE-2021-45046) vulnerabilities impacting IBM InfoSphere Information Server which uses Apache Log4j for logging. The fix upgrades Apache Log4j to version 2.17.0. ...read more


Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105)

Jan 21, 2022 7:01 pm EST | Critical Severity

Apache Log4j is used by IBM Netcool Agile Service Manager as part of its logging infrastructure. The fix includes Apache Log4j v2.17.1. ...read more


Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0

Jan 21, 2022 7:00 pm EST | Critical Severity

Log4j is used by IBM Cloud Pak for Data System 1.0 in openshift-logging. This bulletin provides a remediation and mitigation for the reported Apache Log4j vulnerability, CVE-2021-44228. ...read more