IBM Support

IBM Engineering Report Builder: Logging library upgrade to Apache Log4j version 2.17.1 to address security vulnerabilities

Troubleshooting


Problem

The following security vulnerabilities are identified in Apache Log4j v1.x. Each of them is reachable only when the deployed application is configured to use the affected component, so the configuration in use determines exposure: 
  • CVE-2021-4104
    • JMSAppender in Apache Log4j v1.2 deserializes untrusted data received over JMS. If the deployed application is configured to use JMSAppender, an attacker who has write access to the Log4j configuration can point the appender at a JNDI endpoint under their control and run arbitrary code on the system.
  • CVE-2022-23307
    • The Chainsaw log-viewer component bundled with Apache Log4j v1.x deserializes the contents of certain log entries it receives (the same flaw previously tracked as CVE-2020-9493 in Chainsaw). When the Chainsaw component is run, an attacker can send it a malicious request carrying serialized data, and the deserialization can possibly lead to code execution.
  • CVE-2022-23305
    • JDBCAppender in Apache Log4j v1.x builds its SQL statement from a configured pattern whose values are PatternLayout converters; the message converter, %m, is almost always included. Untrusted data that the application logs (for example form fields or HTTP headers) is therefore interpolated into the statement without escaping, and a remote attacker can run SQL statements in the database if the deployed application is configured to use JDBCAppender with such interpolation tokens.
  • CVE-2022-23302
    • JMSSink in Apache Log4j v1.x is vulnerable to deserialization of untrusted data. A remote attacker can run code on the server if the deployed application is configured to use JMSSink and either the attacker has write access to the Log4j configuration or the configuration references a JNDI LDAP endpoint that the attacker controls.

Document Location

Worldwide



Document Information

More support for:
Jazz Reporting Service

Component:
Jazz Reporting Service->Report Builder

Software version:
All Versions

Document number:
6601289

Modified date:
20 July 2023

UID

ibm16601289