Flashes (Alerts)
Abstract
For customers using FileNet Content Manager, IBM Content Foundation or IBM Case Foundation.
None of these products are impacted by the recently reported Apache Log4j security vulnerabilities.
Content
- CVE-2021-44228 describes a vulnerability in Apache Log4j 2.x applicable to versions 2.0-beta9 through 2.14.1 (fixed in 2.15.0), dubbed Log4Shell.
- CVE-2021-45046 describes a vulnerability in Apache Log4j 2.x applicable to version 2.15.0 and earlier (an incomplete fix of CVE-2021-44228, fixed in 2.16.0).
- CVE-2021-45105 describes a vulnerability in Apache Log4j 2.x applicable to version 2.16.0 and earlier (fixed in 2.17.0).
- CVE-2021-4104 describes a vulnerability in Apache Log4j version 1.2.x applicable when a JMSAppender is configured.
- CVE-2022-23302 describes a vulnerability in Apache Log4j 1.x applicable when JMSSink is used.
- CVE-2022-23305 describes a vulnerability in Apache Log4j 1.2.x applicable when a JDBCAppender is configured.
- CVE-2022-23307 describes a deserialization vulnerability in the Apache Chainsaw component bundled with Apache Log4j 1.x.
- CVE-2019-17571 describes a vulnerability in Apache Log4j version 1.2.x applicable when a SocketServer is configured.
- CVE-2019-17571 requires a Log4j SocketServer to be configured and the Log4j SocketServer process to be started. Content Platform Engine and Content Search Services do neither of these.
- CVE-2021-4104 requires a Log4j JMSAppender to be configured. Content Platform Engine and Content Search Services do not configure a Log4j JMSAppender.
- CVE-2022-23302 requires a Log4j JMSSink to be configured. Content Platform Engine and Content Search Services do not configure a Log4j JMSSink.
- CVE-2022-23305 requires a Log4j JDBCAppender to be configured. Content Platform Engine and Content Search Services do not configure a Log4j JDBCAppender.
- CVE-2022-23307 requires Apache Chainsaw to be configured. Content Platform Engine and Content Search Services do not configure or use Apache Chainsaw.
To remove the remaining copies of log4j-1.2.17.jar shipped with third-party dependencies, upgrade to one of the following:
Patch ID | Release Date
5.5.4.0-P8CPE-IF008, 5.5.4.0-P8CSS-IF008 | May 23, 2022
5.5.8.0-P8CPE-IF001, 5.5.8.0-P8CSS-IF001 | March 22, 2022
5.5.9.0-P8CPE, 5.5.9.0-P8CSS | June 24, 2022
5.0.0.5-P8SD-FP005 | February 17, 2022
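The bulletin's conclusion rests on two checkable facts: no Log4j 1.2.x jar remains among the third-party dependencies after the upgrade, and none of the listed appenders is wired into a Log4j configuration. The following Python script is an added example for verifying both on an installation tree; it is not IBM tooling. It identifies Log4j 1.x jars by the Maven pom.properties they ship under META-INF (so a renamed copy is still caught), reports which of the risky classes each jar bundles, and scans log4j.properties and log4j.xml files for the appender classes the CVEs require. The directory layout and file contents produced by build_sample_tree() are constructed fixtures, not a FileNet install.

```python
"""Audit a deployment tree for Log4j 1.x jars and for the appender configuration
that the CVEs in this bulletin require. Added example, not an IBM tool."""
import json
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.x classes whose presence in a jar, or use in a configuration, is the
# precondition for each CVE above. Chainsaw is a whole package, matched by prefix.
RISKY_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.chainsaw": "CVE-2022-23307",
}
# Maven metadata shipped inside every log4j:log4j (1.2.x) artifact.
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
CONFIG_RE = re.compile("|".join(re.escape(c) for c in RISKY_CLASSES))


def inspect_jar(jar_path):
    """Return (version, [cves]) if jar_path is a Log4j 1.x jar, else None.
    Version comes from pom.properties inside the jar, so renamed copies are still found."""
    try:
        zf = zipfile.ZipFile(jar_path)
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        if LOG4J1_POM not in names:
            return None
        version = "unknown"
        for line in zf.read(LOG4J1_POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        cves = [cve for cls, cve in RISKY_CLASSES.items()
                if any(n.startswith(cls.replace(".", "/")) for n in names)]
        return version, cves


def scan_config(path):
    """Return the set of CVEs whose appender class is wired up in a Log4j 1.x config.
    '#' comment lines are skipped; XML comments are not parsed, so review those hits manually."""
    found = set()
    for line in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        if line.lstrip().startswith("#"):
            continue
        for m in CONFIG_RE.finditer(line):
            found.add(RISKY_CLASSES[m.group(0)])
    return found


def audit(root):
    """Walk root; return {'jars': {relpath: (version, [cves])}, 'configs': {relpath: [cves]}}."""
    root = Path(root)
    report = {"jars": {}, "configs": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if name.lower().endswith(".jar"):
                hit = inspect_jar(path)
                if hit:
                    report["jars"][rel] = hit
            elif name.lower() in ("log4j.properties", "log4j.xml"):
                cves = scan_config(path)
                if cves:
                    report["configs"][rel] = sorted(cves)
    return report


def build_sample_tree():
    """Constructed fixture, not a product layout: a renamed Log4j 1.2.17 jar, a Log4j 2
    jar that must not be flagged, and a log4j.properties that enables a JMSAppender."""
    root = Path(tempfile.mkdtemp(prefix="log4j-audit-"))
    (root / "lib").mkdir()
    (root / "conf").mkdir()
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; placeholder, not real bytecode
    with zipfile.ZipFile(root / "lib" / "logging-legacy.jar", "w") as zf:
        zf.writestr(LOG4J1_POM, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        for cls in ("org/apache/log4j/net/JMSAppender.class",
                    "org/apache/log4j/jdbc/JDBCAppender.class",
                    "org/apache/log4j/chainsaw/Main.class"):
            zf.writestr(cls, fake_class)
    with zipfile.ZipFile(root / "lib" / "log4j-core-2.17.1.jar", "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", "version=2.17.1\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    (root / "conf" / "log4j.properties").write_text(
        "log4j.rootLogger=INFO, jms\n"
        "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
        "# log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender\n"  # commented out: not a hit
    )
    return root


if __name__ == "__main__":
    print(json.dumps(audit(build_sample_tree()), indent=2))
```

Point audit() at the installation root instead of the constructed fixture. A jar hit without a matching config hit means the vulnerable class is present but not wired up, which is the state this bulletin describes for Content Platform Engine and Content Search Services before the listed patches; the patches remove the jar outright, so after upgrading the jar list should be empty. SocketServer, JMSSink and Chainsaw run as separate processes rather than as configured appenders, so their absence must also be confirmed from the process list, not only from configuration files.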
- Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)
- Security Bulletin: IBM Planning Analytics 2.0: Apache Log4j Vulnerabilities (CVE-2021-45046 & CVE-2021-45105).
- Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046).
Vulnerability Details
December 2021 CVEs
CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9.0
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-4104
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
January 2022 CVEs
CVEID: CVE-2022-23302
DESCRIPTION: Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-23305
DESCRIPTION: Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2022-23307
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
2019 CVEs
CVEID: CVE-2019-17571
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Document Information
Modified date:
14 December 2023
UID
ibm16526036