IBM Support

Is Business Process Manager affected by CVE-2021-44228?

Flashes (Alerts)


Abstract

I am using Business Process Manager. What is impact of CVE-2021-44228 on Business Process Manager?

Content

CVE-2021-44228 is related to a lookup feature in log4j v2. (Business Process Manager Security Bulletin).
See the notes on the known Business Process Manager, IBM Integration Designer, IBM Process Designer, Business Process Manager Enterprise Service Bus components impacted by CVE-2021-44228:
1) CVE-2021-44228  describes a vulnerability in the Apache Log4j 2.X Java library dubbed Log4Shell. Some Business Process Manager components use log4j 1.X. There is only one application that uses Log4j 2.X.
This application [IBM_BPM_KC_CI_<cluster>] is used to access IBM Documentation offline and is impacted by CVE-2021-4428. Manually uninstall the application [IBM_BPM_KC_CI_<cluster>] to remediate the impact: 
 
 From WebSphere Application Server admin console, select 
                 Applications > Application Types > WebSphere enterprise application
And locate the application IBM_BPM_KC_CI_<cluster> to apply uninstall action.
After this change, stop the whole deployment environment then restart the deployment environment.
2) Business Process Manager custom applications
IBM Business Process Manager allows building and running custom applications on the platform. Each of these applications may bring its own vulnerable version of log4j-core-2.x with it and use it. Customers must review all their applications log4j usage.
For Business Process Manager Advanced type of applications created with IBM Integration Designer,  the app is available in the file system of the runtime server in the installedApps directory and can be reviewed there.
For Business Process Manager Standard applications created using Process Designer, the development tool can be used for review.
This Business Automation blog shares more detail on Accessing process apps for vulnerable open source.
 
4)  IBM Integration Designer and desktop Process Designer are not impacted by CVE-2021-44228

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3PUM","label":"IBM Business Process Manager"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5.7;8.6.0"},{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMTUS","label":"IBM Business Process Manager Enterprise Service Bus"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUTM6","label":"IBM Process Designer"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTLXK","label":"IBM Integration Designer"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
17 December 2021

UID

ibm16525822