IBM Support

Is IBM Case Manager affected by or vulnerable to CVE-2021-44228?

Newsletters


Abstract

Is IBM Case Manager affected by or vulnerable to CVE-2021-44228?

Content

IBM Case Manager is not affected or vulnerable to CVE-2021-44228.
A component or product is vulnerable to CVE-2021-44228 when
  • The application or component is using the Log4j, with version 2.0 to 2.14.1
  • If Log4j 2.x is included with the application, it includes the vulnerable org/apache/logging/log4j/core/lookup/JndiLookup.class.
IBM Case Manager is not affected or vulnerable to CVE-2021-44228 for the following reasons.
  1. In most places, IBM Case Manager components use Log4j 1.x.  Log4j 1.x is not affected by this vulnerability.
  2. There is one IBM Case Manager component that use Log4j 2.x.  The Log4j 2.x JAR file that is included with this component does not include the vulnerable JndiLookup class.
    • Case event emitter for Business Automation Insights
Note: If you have custom applications or components used with IBM Case Manager, ensure you review the custom applications or components for its use of Log4j. Ensure that the version being used is not affected or vulnerable to CVE-2021-44228.
If you are running IBM Case Manager within WebSphere Application Server, see Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) for additional information.

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCTJ4","label":"IBM Case Manager"},"ARM Category":[{"code":"a8m0z000000cwEvAAI","label":"Case Management"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
15 December 2021

UID

ibm16525856