Direct links to fixes
workflow.21031.delta.repository
8.6.20020002-WS-BPMPFS-IFJR64565
21.0.2-WS-CP4BA-IF007
21.0.3-WS-CP4BA-IF002
20.0.3-WS-CP4A-IF011
20.0.3-WS-CP4A-IF012
8.5.7.201706-WS-BPMPFS-IFJR64435
8.6.30021030-WS-BPMPFS-IFJR64435
8.6.20021020-WS-BPMPFS-IFJR64435
8.6.10019003-WS-BPMPFS-IFJR64435
8.6.20020002-WS-BPMPFS-IFJR64435
8.6.0.201803-WS-BPMPFS-IFJR64435
APAR status
Closed as program error.
Error description
Vulnerabilities have been found in the Apache Log4j library:
- CVE-2021-4104: A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JMS Broker.
- CVE-2021-45046: A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.
PRODUCTS AFFECTED
IBM Business Automation Workflow
IBM Business Process Manager
Local fix
Problem summary
No additional information is available.
Problem conclusion
A fix is available or will be available that ensures that Process Federation Server is using a version of log4j that is not vulnerable to CVE-2021-4104 and CVE-2021-45046.
Temporary fix
Not applicable.
Comments
APAR Information
APAR number
JR64435
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
L00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-12-21
Closed date
2022-01-07
Last modified date
2022-01-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
Document Information
Modified date:
24 August 2022