Flashes (Alerts)
Abstract
I am using Operational Decision Manager. What is the impact of CVE-2021-44228 on Operational Decision Manager v8.9.x, v8.10.x or v8.11?
Content
Answer:
CVE-2021-44228 is reported when both of the following are true:
- The web application you log to uses Log4j version 2.0 to 2.14.1
- The library log4j-api-core.jar includes JndiLookup.class
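The two conditions above can be checked against an installation directory. The script below is an added example, not IBM's code: it assumes the Log4j 2 core jar carries its conventional file name `log4j-core-<version>.jar`, and the status labels it returns are hypothetical names chosen for this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class named in the condition above; this is its path inside the Log4j 2 core jar.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the version is read from the conventional name log4j-core-<version>.jar.
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?")


def classify(version, has_jndi):
    """Apply the two conditions from the flash to one jar."""
    in_range = version is not None and (2, 0, 0) <= version <= (2, 14, 1)
    if has_jndi and in_range:
        return "affected"
    if has_jndi and version is None:
        return "review"          # class present, version unknown (renamed or shaded jar)
    if in_range:
        return "class-removed"   # version in range, JndiLookup.class not in the jar
    return "outside-range"


def inspect_jar(path):
    """Return (version tuple or None, True if JndiLookup.class is in the jar)."""
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_ENTRY in jar.namelist()
    match = VERSION_RE.search(Path(path).name)
    version = tuple(int(g or 0) for g in match.groups()) if match else None
    return version, has_jndi


def scan(root):
    """Walk root and return {relative jar path: status} for Log4j 2 core jars."""
    results = {}
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            version, has_jndi = inspect_jar(path)
        except (zipfile.BadZipFile, OSError):
            continue                      # unreadable or not a zip archive
        if version is None and not has_jndi:
            continue                      # not Log4j 2 core, e.g. a log4j 1.x jar
        results[path.relative_to(root).as_posix()] = classify(version, has_jndi)
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, status in scan(root).items():
        print(f"{status:14} {jar}")
```

Jars nested inside WAR or EAR archives are not opened by this scan, so unpack those first if the installation ships them.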
ODM V8.10.3 and earlier (All components):
All ODM versions from v8.9 and earlier up to v8.10.3 embed log4j 1.x.
As log4j 1.x does not offer a lookup mechanism, ODM before 8.10.3 does not suffer from CVE-2021-44228.
ODM V8.10.4 and later (All components):
ODM on Containers:
ODM on Cloud:
Only Rule Designer includes log4j 2.x
As it's a client application, the vulnerability occurrence and impact are low. We have released an interim fix for ODM 8.10.5.1 and 8.11 for Rule Designer.
In the meantime, you can enable the following mitigation:
Add the following line at the end of eclipse.ini:
-Dlog4j2.formatMsgNoLookups=true
Note:
The local Knowledge Center server for documentation can suffer from this vulnerability.
If the local Knowledge Center server is installed, either following this documentation or as part of the ODM installation, please apply the following mitigation:
- Uninstall the local documentation using Installation Manager.
- Edit jvm.options under <ODM_install>/doc/server/wlp/usr/servers/kc/
Add the line:
-Dlog4j2.formatMsgNoLookups=true
Conclusion:
Operational Decision Manager v8.9.x, v8.10.x and v8.11 do not suffer from CVE-2021-44228.
For WebSphere Application Server follow this security bulletin.
Document Information
Modified date:
12 January 2022
UID
ibm16525696