Security Bulletin: Sterling Order Management and vulnerability in Apache Log4j2 Library (CVE-2021-44228)

Abstract

Is Sterling Order Management affected by CVE-2021-44228?

Content

IBM is aware of the recently surfaced vulnerability CVE-2021-44228 in Apache Log4j 2.0 to 2.14.1 and has determined that some Sterling Order Management components are impacted. The following table summarizes the impacted OMS components, the Log4j version each one ships, and the associated mitigation plan and status.
Component | Current log4j version | Impacted by CVE-2021-44228? | Mitigation plan | Status
Sterling Order Management SaaS, On-prem and Certified Containers (including Store Engagement & Call Center) | v1.x | No (the version in use is not impacted) | As part of the standard stack upkeep policy, IBM will upgrade the log4j version to v2.17.0 (or higher) by 1H 2022. | NOTE: The latest Fix Pack will be required to obtain this upgrade.
Inventory Visibility Microservice | v2.14.0 | Yes | Upgrade to v2.15.0 | Production push completed on Dec 13th, 2021.
Promising Microservice | v2.13.3 | Yes | Upgrade to v2.15.0 | Production push completed on Dec 13th, 2021.
OMS Data Exchange Service | v2.11.1 | Yes | Upgrade to v2.15.0 | Production push completed on Dec 13th, 2021.
Store Inventory Management Microservice | v2.13.1 | Yes | Upgrade to v2.15.0 | Production push completed on Dec 14th, 2021.
Order Hub | v2.13.1 | Yes | Upgrade to v2.15.0 | Production push completed on Dec 14th, 2021.
Sterling Fulfillment Optimizer (SFO) | v2.14.0 | Yes | Upgrade to v2.15.0 | Production push completed on Dec 14th, 2021.
CPQ: Omni-Configurator and VM | v2.14.0 (v10); v1.x (v9.5) | v10: Yes; v9.5: No | Upgrade to v2.15.0 | VMOC FP23 released on Dec 15th, 2021.
CPQ: Field Sales Application | v1.x | No (the version in use is not impacted) | As part of the standard stack upkeep policy, IBM will upgrade the log4j version to v2.17.0 (or higher) by 1H 2022. | NOTE: The latest Fix Pack will be required to obtain this upgrade.
Note:
1. For any underlying software/middleware used in your implementation, please work with the respective vendors to understand the impact and next steps.
2. Log4j v2.15.0 disables lookups in log messages by default (the behaviour previously obtained by setting log4j2.formatMsgNoLookups=true) and thereby addresses CVE-2021-44228.
   Log4j has since released v2.16.0, which contains two additional hardening changes on top of v2.15.0:
      (1) JNDI is disabled by default
      (2) support for lookups in messages is removed entirely.

IBM will upgrade all impacted components that are currently on Log4j v2.15 (see the table above) to Log4j v2.16 (or higher) in January 2022.
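The bulletin tells you which IBM-managed components were on which Log4j version, but note 1 leaves the rest of the stack to you. The following scanner is an added example (not part of IBM's bulletin and not IBM code) that walks a directory, reads the Maven version metadata inside each Log4j jar, and maps it onto the same categories the bulletin uses: Log4j 1.x not affected, 2.0 to 2.14.1 affected, 2.15.0 mitigated by disabling message lookups, 2.16.0 and later with JNDI disabled and message lookups removed. It assumes the jars carry the standard Maven pom.properties entries (jars repackaged without that metadata are reported as unknown) and it does not unpack jars nested inside wars or ears. The presence of the JndiLookup class is reported as an extra, informational signal. The sample jars used by demo() are constructed in a temporary directory so the script runs offline.

```python
"""Inspect Log4j jars under a directory and map each one onto the
CVE-2021-44228 categories used in the bulletin above (added example)."""
import os
import re
import tempfile
import zipfile

# Where Maven records the version inside the two Log4j generations.
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
# The lookup class that CVE-2021-44228 abuses; reported as an extra signal only.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1', '2.0-beta9' or '1.2.17' -> comparable (major, minor, patch)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version):
    """Map a Log4j version string onto the bulletin's categories."""
    v = parse_version(version)
    if v[0] < 2:
        return "not affected (Log4j 1.x)"
    if v < (2, 15, 0):  # 2.0 .. 2.14.1 is the affected range named in the bulletin
        return "AFFECTED: upgrade to 2.15.0 or higher"
    if v < (2, 16, 0):
        return "mitigated (2.15: message lookups disabled by default)"
    return "fixed (2.16+: JNDI disabled by default, message lookups removed)"


def read_version(jar):
    """Return the version from the Maven metadata inside the jar, or None."""
    names = jar.namelist()
    for pom in (LOG4J2_CORE_POM, LOG4J1_POM):
        if pom in names:
            for line in jar.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_jar(path):
    """Describe one jar: version, whether JndiLookup is present, and the verdict."""
    with zipfile.ZipFile(path) as jar:
        version = read_version(jar)
        return {
            "jar": os.path.basename(path),
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in jar.namelist(),
            "verdict": classify(version) if version else "unknown (no Log4j Maven metadata)",
        }


def scan(root):
    """Inspect every *.jar below root (jars nested in wars/ears are not unpacked)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return results


def make_sample_jar(path, pom, version, with_jndi_class):
    """Constructed stand-in for a real jar: only the entries the scanner reads."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(pom, f"version={version}\n")
        if with_jndi_class:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build constructed jars mirroring the bulletin's versions and scan them."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "log4j-core-2.14.0.jar"), LOG4J2_CORE_POM, "2.14.0", True)
        make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), LOG4J2_CORE_POM, "2.15.0", True)
        make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), LOG4J2_CORE_POM, "2.16.0", True)
        make_sample_jar(os.path.join(root, "log4j-1.2.17.jar"), LOG4J1_POM, "1.2.17", False)
        return {r["jar"]: r["verdict"] for r in scan(root)}


if __name__ == "__main__":
    for jar, verdict in sorted(demo().items()):
        print(f"{jar:28} {verdict}")
```

To use it against a real installation, call scan("/path/to/your/deployment") instead of demo(); a version below 2.15.0 is the signal to upgrade, and anything reported as unknown deserves a manual look at the jar's manifest or a checksum comparison, since the absence of Maven metadata is common in vendor-repackaged jars.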


Document Information

Modified date:
10 January 2022

UID

ibm16525544