Troubleshooting
Problem
The following security vulnerabilities are identified in Apache Log4j v1.x:
- CVE-2021-4104
  - Apache Log4j v1.2 might allow a remote attacker to run arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker might use this vulnerability to run arbitrary code on the system.
- CVE-2022-23307
  - An issue was found in the Apache Log4j v1.x chainsaw component, where the contents of certain log entries are deserialized and possibly allow code execution. This issue allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
- CVE-2022-23305
  - An issue was found in the Java logging library Apache Log4j v1.x. JDBCAppender in Log4j v1.x is vulnerable to SQL injection in untrusted data. This issue allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.
- CVE-2022-23302
  - An issue was found in the Java logging library Apache Log4j v1.x. JMSSink in Log4j v1.x is vulnerable to deserialization of untrusted data. This issue allows a remote attacker to run code on the server if the deployed application is configured to use JMSSink and to the attacker's JNDI LDAP endpoint.
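Two of the conditions above depend on how Log4j v1.x is configured (JMSAppender, and JDBCAppender with interpolation tokens). The following check is an added example, not IBM's or the product's code. It assumes the configuration is in the `.properties` format with `=` separators and no line continuations; the function name and the sample configuration are constructed for illustration.

```python
import re

# Log4j 1.x appender classes named in the advisory, mapped to their CVEs.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}
# PatternLayout conversion specifiers (%m, %-5p, %d{...}, ...) in the SQL text.
TOKEN = re.compile(r"%-?\d*(?:\.\d+)?[a-zA-Z]")
APPENDER = re.compile(r"^log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)$")

def audit_log4j1_properties(text):
    """Return (appender, cve, detail) findings for a log4j 1.x .properties file."""
    classes, sql = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # skip blanks and comments
            continue
        m = APPENDER.match(line)
        if not m:
            continue
        name, prop, value = m.group(1), m.group(2), m.group(3).strip()
        if prop is None:                     # log4j.appender.NAME=class
            classes[name] = value
        elif prop.lower() == "sql":          # log4j.appender.NAME.sql=statement
            sql[name] = value
    findings = []
    for name, cls in sorted(classes.items()):
        cve = RISKY_APPENDERS.get(cls)
        if cve is None:
            continue
        detail = "appender configured"
        if cls.endswith("JDBCAppender"):
            tokens = TOKEN.findall(sql.get(name, ""))
            detail = "sql interpolates " + ",".join(tokens) if tokens else "sql has no tokens"
        findings.append((name, cve, detail))
    return findings

# Constructed sample configuration (not taken from any product).
SAMPLE = """\
log4j.rootLogger=INFO, FILE, DB, JMS
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
# log4j.appender.OLD=org.apache.log4j.net.JMSAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.sql=INSERT INTO LOGS VALUES('%d','%p','%m')
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for finding in audit_log4j1_properties(SAMPLE):
        print(finding)
```

JMSSink and the chainsaw component are run as separate classes rather than configured as appenders, so this configuration check does not cover CVE-2022-23302 or CVE-2022-23307.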
Document Location
Worldwide
To view more of this document
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use the link to actual document below to access the full document. You will be asked to log on if you are not already logged in. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.
Document Information
More support for:
Jazz Reporting Service
Component:
Jazz Reporting Service->DCC
Software version:
7.0.1, 7.0.2
Document number:
6601997
Modified date:
02 August 2022
UID
ibm16601997