Question & Answer
Is IBM Content Manager (CM 8) impacted by the log4j security vulnerabilities related to CVE-2021-44228?
The vulnerability described in CVE-2021-44228 is confirmed on log4j 2.x. IBM Content Manager (CM 8) only uses log4j 1.x, so the vulnerability does not apply. This applies to both IBM Content Manager Enterprise Edition and IBM Content Manager for z/OS.
Note that an instance of log4j-core-2.11.0.jar was inadvertently packaged with Content Manager Specific Web Services. This jar file is not used by Content Manager and may be deleted from the web services deployment in WebSphere Application Server. This file will only be seen if Content Manager Web Services is installed and deployed.
The issue described in CVE-2021-45046 also does not apply to IBM Content Manager. This issue is only in log4j 2.x.
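To confirm whether the stray log4j-core 2.x jar mentioned in the note above is present in a deployment, the following added example (not IBM code) walks a directory and looks inside EAR/WAR/JAR archives for `log4j-core-2.*.jar`. The directory to scan is supplied by the caller, the function names are hypothetical, and the `JndiLookup` check is an extra detail not taken from this page.

```python
import io, re, sys, zipfile
from pathlib import Path

# File-name pattern for log4j-core 2.x, e.g. log4j-core-2.11.0.jar (log4j 1.x jars do not match).
CORE2 = re.compile(r"(?:^|/)log4j-core-(2\.[\w.\-]+)\.jar$", re.IGNORECASE)
ARCHIVES = (".ear", ".war", ".jar", ".zip")
# Class that implements the JNDI lookup in log4j-core 2.x.
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _check(name, data, label, hits, depth=0):
    """Record a log4j-core 2.x jar, or recurse into any other archive."""
    m = CORE2.search(name)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        if m:  # name matches but the file is unreadable: report it anyway
            hits.append((label, m.group(1), None))
        return
    with zf:
        names = zf.namelist()
        if m:
            hits.append((label, m.group(1), JNDI in names))
        elif depth < 4:  # bound the nesting depth (EAR -> WAR -> JAR is 2)
            for inner in names:
                if inner.lower().endswith(ARCHIVES):
                    _check(inner, zf.read(inner), f"{label}!{inner}", hits, depth + 1)

def find_log4j2_core(root):
    """Return (location, version, has_JndiLookup) for each log4j-core 2.x jar under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        # is_file() skips expanded application directories that are named *.ear or *.war
        if path.is_file() and path.name.lower().endswith(ARCHIVES):
            _check(path.name, path.read_bytes(), str(path), hits)
    return hits

if __name__ == "__main__":
    # Usage: python find_log4j2.py <deployment directory>
    for loc, ver, jndi in find_log4j2_core(sys.argv[1]):
        print(f"{loc}\tversion={ver}\tJndiLookup={jndi}")
```

A `!` in the reported location separates an archive from the entry found inside it. After the jar has been deleted from the web services deployment, a second run over the same directory should print nothing.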
17 December 2021