IBM Support

Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)

Security Bulletin


Summary

There is a vulnerability in the Apache Log4j open source library used by WebSphere Application Server. This affects the WebSphere Application Server Admin Console and the UDDI Registry Application. This vulnerability has been addressed.

Vulnerability Details

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
WebSphere Application Server 9.0
WebSphere Application Server 8.5

Remediation/Fixes

The fix in this bulletin has been superseded by bulletin  Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046) The recommended solution is to install interim fix PH42762.

For WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.10:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42728
--OR--
· Apply Fix Pack 9.0.5.11 or later (when available). 

For V8.5.0.0 through 8.5.5.20:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42728
--OR--
· Apply Fix Pack 8.5.5.21 or later (when available). 

Additional interim fixes may be available and linked off the interim fix download page.

Required next steps:

1) If the UDDI Registry Application is running on the WebSphere Application Server, then after applying the Interim Fix PH42728, redeploy the UDDI Registry Application.

2) The "kc.war" application is removed from the installableApps/ directory by this fix.  If this application has been installed (deployed) to any application server (separately from isclite.ear), it must be manually uninstalled via the the Admin Console or wsadmin.

Additional recommendations:

Follow these additional steps while you are assessing your enterprise applications for log4j2 usage:

1. Recommended: Update the IBM® SDK, Java™ Technology Edition maintenance to the latest recommended fix pack, or a minimum of 7.0.10.35,  7.1.4.35, or 8.0.5.25 You can get the latest IBM Java fix pack for WebSphere here: https://www.ibm.com/support/pages/node/587245 (9.0) & https://www.ibm.com/support/pages/node/6209712 (8.5)

2. Set the JVM custom property log4j2.formatMsgNoLookups to the value true

Note: WebSphere Application Server 7.0 and 8.0 reached End of Support on April 30, 2018 and the embedded IBM Java SDK is no longer receiving security updates. Current information is that the version of log4j included in WebSphere Application Server 7.0 and 8.0 is not impacted by CVE-2021-44228. IBM recommends all users running 7.0 and 8.0 upgrade to 8.5.5, 9.0 or WebSphere Liberty.

Workarounds and Mitigations

For WebSphere Application Server v9.0 and V8.5:

If the interim fixes in PH42728 cannot be applied immediately, then follow ALL of the temporary mitigation steps below:

1. Recommended: Update the IBM® SDK, Java™ Technology Edition maintenance to the latest recommended fix pack, or a minimum of 7.0.10.35,  7.1.4.35, or 8.0.5.25. You can get the latest IBM Java fix pack for WebSphere here: https://www.ibm.com/support/pages/node/587245 (9.0) & https://www.ibm.com/support/pages/node/6209712 (8.5)

2. For WebSphere Application Server v9.0 only: Remove <WAS_HOME>/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar from any system running the WebSphere admin console

  • The files will need to be removed again if fixpacks are applied prior to PH42728 being installed.
  • After removing the files, restart the application server running the Admin Console.

3. Set the JVM custom property log4j2.formatMsgNoLookups to the value true

4. If the "kc.war" application has been installed (deployed) to any application server (separately from isclite.ear), it must be manually uninstalled via the the Admin Console or wsadmin.  

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

Change History

12 Dec 2021: Initial Publication
13 Dec 2021: Corrected Java versions for recommended SDK update

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5, 9.0","Edition":"Advanced,Base,Developer,Enterprise,Express,Network Deployment,Single Server","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 December 2021

UID

ibm16525706