IBM Support

Apache Log4j remote code execution vulnerability - Log4Shell

Troubleshooting


Problem

CVE-2021-44228

The IBM Chief Information Security Office (CISO) has declared an override for recently published Apache Log4j remote code execution vulnerability CVE-2021-44228. The override due date for installing vendor-provided security updates is December 14, 2021. For more information, see An update on the Apache Log4j CVE-2021-44228 vulnerability.

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in the Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.

CVE-2021-45105

Apache Log4j 2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a Denial-of-Service (DoS) attack.

CVE-2021-44832

Apache Log4j 2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) is vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Apache Log4j version 2.17.1, Apache Log4j version 2.12.4, and Apache Log4j version 2.3.2.

Symptom

Any Log4j version before v2.17.1 is affected.
InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.6 release and IBM Product Master 12.0 and later releases use Log4j extensively to print messages hence the users are impacted by this vulnerability.
Following are the Apache log4j versions that are used in IBM Product Master or InfoSphere® Master Data Management Collaboration Server - Collaborative Edition releases.
Product version Log4j version
 InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.5 fix packs (all) 1.2.17
 InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.6 Fix Pack 16 and earlier 1.2.17
InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.6 Fix Pack 16 and later 2.12.1
IBM Product Master 12.x 2.13.2

Cause

CVE-2021-44228
The CVE-2021-44228 vulnerability impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly through the project's GitHub on December 9, 2021. The vulnerability could allow a remote attacker to run arbitrary code on the system, caused by a flaw in the Java logging library. By sending a specially crafted string value, an attacker might use this vulnerability to run arbitrary code on the system. Proof-of-concept code is widely available for this vulnerability and exploitation might result in full system control.

Resolving The Problem

IBM Product Master is upgrading to Apache Log4j 2.17.1 version in an upcoming release.
For earlier releases, implement the following suggestion by the Apache logging site to mitigate the current threat. 
  1. Upgrade to the latest version of Apache Log4j (2.17.1 and later) as soon as possible. The security update is available from the Apache Logging Services website. 
  2. For version 2.14.x and lower - The log4j2.formatMsgNoLookups defaults to false, which needs to be set to true in the Java Virtual Machine (JVM) as -Dlog4j2.formatMsgNoLookups=true or set the value of the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true
  3. For CVE-2021-45105 and CVE-2021-45046
    IBM Product Master does not use a non-default Pattern Layout with a Context Lookup and does not enable JMS Appender so is not impacted by CVE-2021-45105 and CVE-2021-45046.
  4. For CVE-2021-44832
    IBM Product Master does not use JDBC Appender so is not impacted by CVE-2021-44832.
Note:
  • If you are using noncontainerized deployment using IBM WebSphere Application Server,
  • If you are using containerized deployment using IBM WebSphere® Liberty, 
    • Edit following ConfigMap and set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable.  
      1. Edit the ConfigMap by using the following command.
        oc edit configmap productmaster-<service>-configmap
        Where configmap is,
        productmaster-admin-configmap                                   
        productmaster-elasticsearch-configmap                             
        productmaster-fts-indexer-configmap                              
        productmaster-fts-pim-configmap                                  
        productmaster-gds-configmap                                      
        productmaster-ml-configmap                                       
        productmaster-personaui-configmap                                
        productmaster-restapi-configmap                                   
        productmaster-sch-configmap                                      
        productmaster-wfl-configmap
      2. Restart all the pods.
Note:
  • Above mitigation does not mitigate CVE-2021-45046 specific vulnerability. For more information, see Log4j – Apache Log4j Security Vulnerabilities.
  • InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.5 users who are on Java 7 should upgrade to release log4j version 2.12.2 when it becomes available.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSXYUC","label":"IBM Product Master Modernization"},"ARM Category":[{"code":"a8m0z000000GoylAAC","label":"Troubleshooting"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"","label":""},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SS2U2U","label":"InfoSphere Master Data Management Collaboration Server"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
12 January 2022

UID

ibm16526142