Question & Answer
Question
Cause
Answer
Important: This document was created proactively due to the high severity of the recently announced security vulnerability: CVE-2021-44228 (called Log4Shell or LogJam). The standard way to obtain information about all announced vulnerabilities (including CVE-2021-4104, CVE-2021-45046 and CVE-2021-45105) in License Metric Tool and how to mitigate them is to subscribe to My Notifications. All verified security vulnerabilities found in License Metric Tool (including those coming from libraries like Log4j) are announced in Security Bulletins sent via this communication channel. If, after the verification, it turns out that License Metric Tool is not affected by a given vulnerability, Security Bulletin is not issued.
Concerning CVE-2021-44228, License Metric Tool is affected. See the details below.
Concerning CVE-2021-4104, License Metric Tool is not affected as it is not using JMSAppender.
Concerning CVE-2021-45046, License Metric Tool is not affected as it is not using affected patterns in Pattern Layout.
Concerning CVE-2021-45105, License Metric Tool is not affected as it is not using affected patterns in Pattern Layout.
CVE-2021-44228 vulnerability details in License Metric Tool
Affected components:
- VM Manager Tool in versions 9.2.21.0 - 9.2.25.0 (all deployment types)
Not affected components:
- License Metric Tool server in version 9.2.21.0 or later does not contain Log4j library at all
- License Metric Tool server in versions below 9.2.21.0 contains Log4j library in version 1.x
- VM Manager Tool in versions below 9.2.21.0 contains Log4j library in version 1.x
Notice: Log4j in version 1.x is vulnerable to Remote Code Execution (RCE) attacks other than the one reported under CVE-2021-44228. For more information, see: Apache Log4j Security Vulnerabilities.
Regarding Db2 Security Bulletin: https://www.ibm.com/support/pages/node/6526462, IBM Db2 installed and configured with default settings (as it is done, for example, by the License Metric Tool All-in-One installer) does not enable Db2 Federation feature. Thus, it is not affected by the CVE-2021-44228 vulnerability.
The official fix is delivered in License Metric Tool 9.2.26.0. Upgrade License Metric Tool to version 9.2.26.0 to remove Log4j 1.x library from the server. Upgrade the VM Manager Tool to version 9.2.26.0 as it is a sufficient and preferred way to mitigate the Log4j library CVE-2021-44228 vulnerability. Depending on your configuration, the VM Manager Tool can be installed in a different place by using a different deployment scenario. For more information, see: VM Manager Tool deployment types and flow of data.
If you are using License Metric Tool with BigFix, use the fixlet to upgrade to application update 9.2.26. If you are using License Metric Tool with Ansible or Lite, write an email to talk2sam@us.ibm.com to obtain the appropriate server installer. For more information, see: Upgrading to the latest version and Upgrading the VM Manager Tool.
For VM Manager Tool in versions 9.2.21.0 - 9.2.25.0, if for some reason you are unable to use the official fix provided, use one of the following workarounds.
Workaround 1. Manually upgrade the Log4j library included in VM Manager Tool in versions 9.2.21.0 - 9.2.25.0 to version 2.17.0 (version 2.15.0 is also sufficient to mitigate CVE-2021-44228 vulnerability and VM Manager Tool is not affected by CVE-2021-4104 nor CVE-2021-45046 vulnerabilities)
- Download the Log4j library package in version 2.17.0 from this page: https://archive.apache.org/dist/logging/log4j/2.17.0/ and extract them.
- Copy the following files to the <VM_Manager_Tool_home_dir>/lib/ directory.
- log4j-api-2.17.0.jar
- log4j-core-2.17.0.jar
- Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
- Remove the following JAR files from the <VM_Manager_Tool_home_dir>/lib/ directory.
- log4j-api-2.13.3.jar
- log4j-core-2.13.3.jar
- Depending on your operating system, modify one of the following files.
- LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following lines:
VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.13.3.jar
VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.13.3.jar
Change them to:
VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.17.0.jar
VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.17.0.jar - WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, find the following lines:
SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.13.3.jar
SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.13.3.jar
Change them to:
SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.17.0.jar
SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.17.0.jar
- LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following lines:
- For Local VM Manager Tool restart IBM License Metric Tool to start VM Manager Tool (Stopping the server / Starting the server).
For other deployment types start the VM Manager Tool by using -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
Workaround 2. Mitigate the issue on the current version of the Log4j library included in VM Manager Tool in versions 9.2.21.0 - 9.2.25.0 by the configuration change (this change is sufficient to mitigate CVE-2021-44228 vulnerability and VM Manager Tool is not affected by CVE-2021-4104 nor CVE-2021-45046 vulnerabilities)
- Depending on your operating system, run one of the following:
- LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following line. It might not contain all the parameters starting with -D string, for example, it might not contain the -Dsun.net.http.allowRestrictedHeaders=true substring.
VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true"
Add the following text at the end of the found line, just before the double quotation mark that ends this line.
“ -Dlog4j2.formatMsgNoLookups=true” (including the space character at the beginning of the text)
For example:
VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true -Dlog4j2.formatMsgNoLookups=true" - WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, add the following entry as the last line of the ####### PROPERTIES DEFINITONS ####### section:
SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% -Dlog4j2.formatMsgNoLookups=true
- LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following line. It might not contain all the parameters starting with -D string, for example, it might not contain the -Dsun.net.http.allowRestrictedHeaders=true substring.
- Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
- For Local VM Manager Tool restart IBM License Metric Tool to start VM Manager Tool (Stopping the server / Starting the server).
For other deployment types start the VM Manager Tool by using -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
Related Information
Was this topic helpful?
Document Information
Modified date:
27 December 2021
UID
ibm16525762