Fixes are available
PH42728 Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)
PH42762 Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-4104 CVSS 8.1, CVE-2021-45046 CVSS 9.0)
PH43148:IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)
APAR status
Closed as program error.
Error description
Update the version of log4j contained in the installable UDDI.ear application
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: WebSphere Application Server users of UDDI * **************************************************************** * PROBLEM DESCRIPTION: Update the version of Log4j included * * in the optionally installable * * uddi.ear application. * **************************************************************** * RECOMMENDATION: * **************************************************************** The optionally installable application, uddi.ear, contains an old version of Log4j, 1.2.8, that is no longer supported.
Problem conclusion
The version of Log4j shipped in the optionally installable uddi.ear application has been updated to versions 2.12.1, in WebSphere Application Server version 8.5.5, and 2.14.1, in WebSphere Application Server version 9. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.20 and 9.0.5.8. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH37034
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-05-07
Closed date
2021-06-08
Last modified date
2021-06-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
04 May 2022