IBM Support

Is IBM Content Manager impacted by the Log4j security vulnerabilities related to CVE-2021-44228?

Question & Answer


Question

Is IBM Content Manager (CM 8) impacted by the Log4j security vulnerabilities related to CVE-2021-44228?

Answer

The vulnerability described in CVE-2021-44228 is confirmed in Log4j 2.x. IBM Content Manager (CM 8) uses only Log4j 1.x, so the vulnerability does not apply. This is true of both IBM Content Manager Enterprise Edition and IBM Content Manager for z/OS.

Note that a copy of log4j-core-2.11.0.jar was inadvertently packaged with Content Manager Specific Web Services. Content Manager does not use this jar file, and it may be deleted from the web services deployment in WebSphere Application Server. The file is present only if Content Manager Web Services is installed and deployed.

The issue described in CVE-2021-45046 also does not apply to IBM Content Manager. That issue exists only in Log4j 2.x.


Document Information

Modified date:
17 December 2021

UID

ibm16525854