IBM Support

PH42728 Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

Download


Downloadable File

Abstract

Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

Download Description

PH42728 resolves the following problem:

ERROR DESCRIPTION:
Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

PROBLEM SUMMARY:
Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

PROBLEM CONCLUSION:
CVE-2021-44228 was remediated.
Note for WebSphere Application Server 8.5.5 only: In this release, the UDDI.ear resolves the vulnerability by removing the JNDILookup class/function from the included copy of log4j version 2.

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.21, 9.0.5.11.
For more information, see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

Note: WebSphere Application Server 7.0 and 8.0 reached End of Support on April 30, 2018 and the embedded IBM Java SDK is no longer receiving security updates. Current information is that the version of log4j included in WebSphere Application Server 7.0 and 8.0 is not impacted by CVE-2021-44228. IBM recommends all users running 7.0 and 8.0 upgrade to 8.5.5, 9.0 or WebSphere Liberty.

For advice on responding to CVE-2021-44228 for users of WebSphere Application Server traditional or Liberty, see  https://www.ibm.com/support/pages/node/6525860
This fix supersedes (includes) the fix for PH37034
Important Note: This fix is superseded by: PH42762

Prerequisites

None

Installation Instructions

CRITICAL: Review the readme.txt for detailed installation instructions. This interim fix has special requirements.
 

URL SIZE(Bytes)
V85 readme 2458
V90 readme 2600

Download Package

Important Note: This fix is superseded by: PH42762
IMPORTANT NOTE:
WebSphere Application Server fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table. 
DOWNLOAD RELEASE DATE SIZE(Bytes) APPLICABLE FIX PACKS

DOWNLOAD Options

What is Fix Central(FC)?

9.0.5.3-WS-WASProd-IFPH42728 12 December 2021 11345798 9.0.5.3 through 9.0.5.10 FC
8.5.5.11-WS-WASProd-IFPH42728 12 December 2021 9020471 8.5.5.11 through 8.5.5.20 FC

Problems Solved

PH42728, PH37034

On

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"General","Platform":[{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"},{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"}],"Version":"8.5.5.11;8.5.5.12;8.5.5.13;8.5.5.14;8.5.5.15;8.5.5.16;8.5.5.17;8.5.5.18;8.5.5.19;8.5.5.20;9.0.5.10;9.0.5.3;9.0.5.4;9.0.5.5;9.0.5.6;9.0.5.7;9.0.5.8;9.0.5.9","Edition":"Base","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
02 March 2022

UID

ibm16525672