JR64435: SECURITY APAR - CVE-2021-4104 AND CVE-2021-45046 IN PROCESS FEDERATION SERVER

workflow.21031.delta.repository
8.6.20020002-WS-BPMPFS-IFJR64565
21.0.2-WS-CP4BA-IF007
21.0.3-WS-CP4BA-IF002
20.0.3-WS-CP4A-IF011
20.0.3-WS-CP4A-IF012
8.5.7.201706-WS-BPMPFS-IFJR64435
8.6.30021030-WS-BPMPFS-IFJR64435
8.6.20021020-WS-BPMPFS-IFJR64435
8.6.10019003-WS-BPMPFS-IFJR64435
8.6.20020002-WS-BPMPFS-IFJR64435
8.6.0.201803-WS-BPMPFS-IFJR64435

APAR status

• Closed as program error.

Error description

• Vulnerabilities have been found in the Apache Log4j library:
  
  - CVE-2021-4104:
  A flaw was found in the Java logging library Apache Log4j in
  version 1.x. JMSAppender in Log4j 1.x is vulnerable to
  deserialization of untrusted data. This allows a remote attacker
   to execute code on the server if the deployed application is
  configured to use JMSAppender and to the attacker's JMS Broker.
  
  - CVE-2021-45046:
  A flaw was found in the Apache Log4j logging library in versions
   from 2.0.0 and before 2.16.0. A remote attacker with control
  over Thread Context Map (MDC) input data could craft malicious
  input using a JNDI Lookup pattern resulting in remote code
  execution (RCE) in a limited number of environments.
  
  PRODUCTS AFFECTED
  IBM Business Automation Workflow
  IBM Business Process Manager
  

Local fix

Problem summary

• No additional information is available.
  

Problem conclusion

• A fix is available or will be available that ensure that Process
   Federation Server is using a version of log4j that is not
  vulnerable to CVE-2021-4104 AND CVE-2021-45046.
  

Temporary fix

• Not applicable.
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BUS AUTO WORKFL

• Fixed component ID

  5737H4100

Applicable component levels