IBM Support

Is IBM Workload Scheduler susceptible to the CVE-2021-44228 (LOG4J) vulnerability?

Question & Answer


Question

Security vulnerabilities have been recently identified regarding Apache log4j version 2. One of them is very critical, known as CVE-2021-44228. 
Other vulnerabilities are CVE-2021-45105, CVE-2021-45046. One vulnerability, CVE-2021-4104, affects Apache log4j version 1.
 
Is IBM Workload Scheduler susceptible to these vulnerabilities?

Answer

IBM Workload Scheduler 9.5
The only version of IWS that installs a vulnerable version of log4j v2 is 9.5.0.5 (vulnerable to CVE-2021-45105). A security bulletin has been published:

The suggested remediation for CVE-2021-45105 is to manually delete the file log4j-core-2.16.0.jar from the locations that are mentioned in the security bulletin.
IWS 9.5.0.0 to 9.5.0.4 install Log4j v1 (log4j-1.2.17*.jar), which is not vulnerable to CVE-2021-44228, CVE-2021-45105 or CVE-2021-45046. It is also not affected by CVE-2021-4104, since the vulnerable configuration is not in place.
Apache log4j version 1 has been removed from the IWS 9.5.0.5 fresh installation, since it was not used at all. After an upgrade to 9.5.0.5 from a previous version, a couple of log4j version 1 jar files are still present. Since they are not used, they can be removed manually from the TDWB/lib and TWS/TDWB_CLI/lib folders (APAR IJ36998 has been opened for this issue and is targeted for 9.5.0.6).
The same log4j version 1 jar file is also bundled in the Cognos plugin (com.ibm.scheduling.agent.cognos_9.5) and the web services plugin (com.ibm.scheduling.agent.ws_9.5).
This means that copies of log4j-1.2.17*.jar can also be found in <data dir>/stdlist/appserver/engineServer/workarea (the Liberty cache) and in JavaExt/eclipse/configuration (the plugin cache folder).
It is necessary to update the two plugins mentioned above to their latest version, so that copies of log4j-1.2.17*.jar are not created again.
Liberty is also not vulnerable to the mentioned CVEs (the zosConnect features, which are vulnerable, are not installed in the IWS deployment).
   
IBM Workload Scheduler 9.4 and 9.3
IWS 9.4 and 9.3 install Log4j v1, which is not vulnerable to CVE-2021-44228, CVE-2021-45105 or CVE-2021-45046. It is also not affected by CVE-2021-4104, since the vulnerable configuration is not in place.
IBM Workload Scheduler 9.4 and 9.3 are impacted because WebSphere, shipped as a component of IWS, is affected by the log4j vulnerabilities.
Here are the security bulletins issued for IWS:
https://www.ibm.com/support/pages/node/6536660
When patching WebSphere, consider that IBM Workload Scheduler 9.4 requires Java 8 and IBM Workload Scheduler 9.3 requires Java 7.
Follow the instructions in https://www.ibm.com/support/pages/node/6536660 to patch WebSphere and IBM Jazz for Service Management.
The following procedure is suggested to update the WebSphere and JazzSM components:
 
- update WebSphere to version 8.5.5.18
- update DASH to 3.1.3.10
- apply WAS iFix "8.5.5.11-ws-wasprod-IFPH42728"
- apply JazzSM iFix "1.1.3.13-TIV-JazzSM-DASH-iFix-0001"

We have also verified that 9.4 instances still work fine without the log4j v1 jar files, so it is possible to delete them manually. These are the ones we removed in our tests:
<TWA home>/WAS/TWSProfile/installedApps/TWSNodeCell/TWSEngineModel.ear/CLIModelWeb.war/WEB-INF/lib/log4j-1.2.8.jar
<TWA home>/WAS/TWSProfile/installedApps/TWSNodeCell/TWSEngineModel.ear/TWSdRESTWeb.war/WEB-INF/lib/log4j-1.2.15.jar
As in 9.5 instances, copies of the log4j v1 jar files may also be present in the JavaExt/eclipse/configuration directory, the cache folder for plugins. As already described, in this case it is necessary to move to version 9.4.0.7 and update the Cognos plugin and the web services plugin.
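To check an installation for the jar copies described in both the 9.5 and the 9.4 sections above, here is an added shell example that is not IBM's own tooling: it walks a directory tree, lists every log4j*.jar it finds and tags each one with the handling this page gives for that file name (delete for log4j-core-2.16.0.jar, unused for the log4j v1 jars, review for any other log4j 2 jar). The directory layout and the empty jar files it creates are a constructed fixture; the PLACEHOLDER_bulletin_location directory stands in for the log4j-core-2.16.0.jar locations that the security bulletin lists, which are not reproduced on this page.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: inventory the log4j jar files under an
# IWS install tree and tag each one using the file names this page mentions.
# The directory tree built by build_fixture is a constructed fixture, and
# PLACEHOLDER_bulletin_location stands in for the log4j-core-2.16.0.jar
# locations listed in the security bulletin, which this page does not give.

# classify_log4j_jar FILENAME -> prints one tag for the jar name
classify_log4j_jar() {
    case "$1" in
        log4j-core-2.16.0.jar)
            echo "remove:CVE-2021-45105" ;;   # the 9.5.0.5 jar the bulletin says to delete
        log4j-core-2.*.jar|log4j-api-2.*.jar)
            echo "review:log4j2" ;;           # any other log4j 2 jar: compare its version with the bulletins
        log4j-1.2.17*.jar|log4j-1.2.8.jar|log4j-1.2.15.jar)
            echo "unused-v1" ;;               # log4j 1 jars the page says are unused and may be deleted
        log4j*.jar)
            echo "unknown" ;;                 # a log4j jar the page does not mention
        *)
            echo "not-log4j" ;;
    esac
}

# inventory_log4j DIR -> prints "tag<TAB>path" for every log4j*.jar under DIR, sorted by path
inventory_log4j() {
    find "$1" -type f -name 'log4j*.jar' | LC_ALL=C sort | while IFS= read -r jar; do
        printf '%s\t%s\n' "$(classify_log4j_jar "$(basename "$jar")")" "$jar"
    done
}

# count_tagged DIR TAGPREFIX -> number of jars under DIR whose tag starts with TAGPREFIX
count_tagged() {
    # grep -c prints 0 when nothing matches but exits 1; "|| true" keeps the count usable
    inventory_log4j "$1" | grep -c "^$2" || true
}

# build_fixture -> creates a constructed directory tree (no real IWS data) and prints its root
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/TDWB/lib" "$root/TWS/TDWB_CLI/lib" \
             "$root/JavaExt/eclipse/configuration/plugin-cache" \
             "$root/PLACEHOLDER_bulletin_location/lib"
    # leftover log4j 1 jars after an upgrade to 9.5.0.5 (page: TDWB/lib and TWS/TDWB_CLI/lib)
    : > "$root/TDWB/lib/log4j-1.2.17.jar"
    : > "$root/TWS/TDWB_CLI/lib/log4j-1.2.17.jar"
    # copy re-created by the plugin cache (page: JavaExt/eclipse/configuration)
    : > "$root/JavaExt/eclipse/configuration/plugin-cache/log4j-1.2.17.jar"
    # the one log4j 2 jar the page says to delete, at a placeholder location
    : > "$root/PLACEHOLDER_bulletin_location/lib/log4j-core-2.16.0.jar"
    # an unrelated jar, to show that it is ignored
    : > "$root/TDWB/lib/other-library.jar"
    echo "$root"
}

# Usage: sh log4j_inventory.sh <TWA home or data dir>
if [ $# -gt 0 ]; then
    inventory_log4j "$1"
fi
```

Run it against the TWA home and the data directory of an instance; each reported path can then be checked against the security bulletin before anything is removed. The "unused-v1" tag only repeats what the page states about those jars; confirming that the instance still works after their removal, as the 9.4 test above did, remains part of the procedure.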
 


Product Synonym

TWS;IWS;IWA

Document Information

Modified date:
26 January 2022

UID

ibm16525850