IBM Support

Is Operational Decision Manager v8.9.x, v8.10.x or v8.11 affected by CVE-2021-44228?

Flashes (Alerts)


Abstract

I am using Operational Decision Manager. What is the impact of CVE-2021-44228 on Operational Decision Manager v8.9.x, v8.10.x or v8.11?

Content

Answer: 
CVE-2021-44228 is reported when both of the following hold:
  • The web application you log in to uses Log4j 2.x, version 2.0 to 2.14.1
  • The Log4j core library (log4j-core.jar) includes JndiLookup.class

ODM V8.10.3 and earlier (All components):

All ODM versions up to and including 8.10.3 (v8.9.x and earlier, and v8.10.0 through v8.10.3) embed log4j 1.x.
Because log4j 1.x has no lookup mechanism, ODM 8.10.3 and earlier is not affected by CVE-2021-44228.
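The two criteria above (a Log4j 2.x version from 2.0 to 2.14.1, and JndiLookup.class present in the core jar) and the 1.x-versus-2.x distinction can be checked mechanically over an installation tree. The scanner below is an added example, not IBM's code or part of this flash; it assumes the Log4j version can be read from the jar file name and builds a constructed sample tree of placeholder jars for demonstration.

```python
import os
import re
import tempfile
import zipfile

# Added example (not IBM's code): scan an install tree for embedded Log4j jars and
# apply the flash's two criteria: Log4j 2.0 to 2.14.1, and JndiLookup.class present.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
VERSION_RE = re.compile(r"log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?)\.jar$")

def parse_version(text):
    """'2.14' -> (2, 14, 0): pad to three parts so tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify_jar(path):
    """Classify one jar: 1.x has no lookup, 2.x is reported only if JndiLookup.class
    is present and the version (taken from the file name) is 2.0 to 2.14.1."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    if LOG4J1_MARKER in names:
        return "log4j1-no-lookup"
    if JNDI_LOOKUP not in names:
        return "log4j2-jndilookup-absent" if any(
            n.startswith("org/apache/logging/log4j/core/") for n in names) else "not-log4j"
    m = VERSION_RE.search(os.path.basename(path))
    if not m:
        return "log4j2-jndilookup-present-version-unknown"  # review by hand
    affected = (2, 0, 0) <= parse_version(m.group(1)) <= (2, 14, 1)
    return "log4j2-vulnerable" if affected else "log4j2-outside-range"

def scan_tree(root):
    """Map each .jar file name under root to its classification."""
    return {f: classify_jar(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files if f.endswith(".jar")}

def demo():
    """Build a constructed sample tree (empty placeholder entries) and scan it."""
    samples = {"log4j-1.2.17.jar": [LOG4J1_MARKER],
               "log4j-core-2.13.3.jar": [JNDI_LOOKUP],
               "log4j-core-2.17.1.jar": ["org/apache/logging/log4j/core/Logger.class"],
               "app.jar": ["com/example/App.class"]}
    with tempfile.TemporaryDirectory() as root:
        for name, entries in samples.items():
            with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
                for entry in entries:
                    zf.writestr(entry, b"")  # constructed placeholder, not a real class
        return scan_tree(root)
```

Point scan_tree at an ODM installation directory to list every embedded jar with its verdict; a jar reported as version-unknown but containing JndiLookup.class should be inspected by hand.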

ODM V8.10.4 and later, ODM on Containers, and ODM on Cloud (All components):

Only Rule Designer includes log4j 2.x.

Because Rule Designer is a client (desktop) application rather than a network-facing server, both the likelihood of exploitation and its impact are low. We have released an interim fix for Rule Designer in ODM 8.10.5.1 and 8.11.
Until you apply it, you can enable the following mitigation:
Add the following line at the end of eclipse.ini:
-Dlog4j2.formatMsgNoLookups=true
(The property name is formatMsgNoLookups, with a trailing s; it is honoured only by Log4j 2.10 and later. Treat it as a stopgap and apply the interim fix.)
Note:
The local Knowledge Center server used for documentation can be affected by this vulnerability.
If the local Knowledge Center server is installed, either by following this documentation or as part of the ODM installation, apply one of the following mitigations:
- Uninstall the local documentation using Installation Manager.
- Edit jvm.options under <ODM_install>/doc/server/wlp/usr/servers/kc/ and add the line:
-Dlog4j2.formatMsgNoLookups=true
Conclusion:
Operational Decision Manager v8.9.x, v8.10.x and v8.11 are not affected by CVE-2021-44228 (apply the Rule Designer and local Knowledge Center mitigations described above).
For WebSphere Application Server, follow this security bulletin.


Document Information

Modified date: 12 January 2022
UID: ibm16525696