IBM Support

Is IBM Content Manager OnDemand (CMOD) Version 10.1 impacted by the log4j security vulnerabilities related to CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105?

Question & Answer


Question

Is IBM Content Manager OnDemand (CMOD) Version 10.1 impacted by the log4j security vulnerabilities related to CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105?

Answer

IBM Content Manager OnDemand (CMOD) Version 10.1.0.10 uses log4j 2.17.1 and therefore is not impacted.

IBM Content Manager OnDemand (CMOD) Versions 10.1.0.0 through 10.1.0.5 are not affected; however, Versions 10.1.0.6 through 10.1.0.9 are impacted.

In IBM Content Manager OnDemand Version 10.1, only the Full Text Search Exporter uses log4j 2.x.

There are two options to remediate log4j vulnerabilities in IBM Content Manager OnDemand (CMOD) Versions 10.1.0.6 through 10.1.0.9:

Option 1: Apply the latest fix pack

Apply the latest IBM Content Manager OnDemand (CMOD) fix pack, which is Version 10.1.0.10 or later. Upgrading to Version 10.1.0.10 or later is the recommended method for log4j remediation. When running the Full Text Search Exporter, be sure to adjust your CLASSPATH to account for the new jar file versions.

Option 2: Apply the latest security updates

To upgrade log4j 2.x for Content Manager OnDemand Version 10.1, perform the following:
1. Go to https://logging.apache.org/log4j/2.x/download.html and download the most recent version.
2. Extract the downloaded file. You should have a folder with several files, for example, log4j-api-2.17.1.jar and log4j-core-2.17.1.jar.
3. Remove log4j-api-2.6.1.jar and log4j-core-2.6.1.jar from the <OnDemand Install Dir>/jars directory.
4. Copy log4j-api-2.17.1.jar and log4j-core-2.17.1.jar into the <OnDemand Install Dir>/jars directory.
5. When running the Full Text Search Exporter, be sure to adjust your CLASSPATH to account for the new jar file versions.
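
To confirm that steps 3 through 5 left no older jar behind, the following added example (not IBM-supplied code) checks a jars directory and a CLASSPATH string for log4j-api and log4j-core jars older than 2.17.1. It assumes the version appears in the jar file name, as in the names above, and a Unix-style `:` CLASSPATH separator; the function names are hypothetical.

```shell
# Added example: audit a jars directory and a CLASSPATH string for
# log4j-api / log4j-core 2.x jars older than the fixed version.
FIXED_VERSION="${FIXED_VERSION:-2.17.1}"   # fixed version named on this page

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    [ "$1" != "$2" ] || return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# jar_version PATH: print the version in a log4j-api/log4j-core jar file name.
jar_version() {
    basename "$1" | sed -nE 's/^log4j-(api|core)-([0-9]+(\.[0-9]+)*)\.jar$/\2/p'
}

# check_entry PATH: report one jar; return 1 when it is older than FIXED_VERSION.
check_entry() {
    v=$(jar_version "$1")
    [ -n "$v" ] || return 0                 # not a log4j 2.x api/core jar
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "STALE $1 ($v < $FIXED_VERSION)"; return 1
    fi
    echo "OK    $1 ($v)"
}

# audit_jars DIR: check every log4j jar file present in DIR (steps 3 and 4).
audit_jars() {
    rc=0
    for jar in "$1"/log4j-api-*.jar "$1"/log4j-core-*.jar; do
        [ -f "$jar" ] || continue           # unmatched glob stays literal
        check_entry "$jar" || rc=1
    done
    return "$rc"
}

# audit_classpath CP: check each ':'-separated entry of CP (step 5).
audit_classpath() {
    rc=0
    while IFS= read -r entry; do
        check_entry "$entry" || rc=1
    done <<EOF
$(printf '%s\n' "$1" | tr ':' '\n')
EOF
    return "$rc"
}
```

Source the file, then run `audit_jars "<OnDemand Install Dir>/jars"` and `audit_classpath "$CLASSPATH"`; a non-zero return means an older log4j jar is still present or still referenced.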

Document Information

Modified date:
04 March 2022

UID

ibm16525892