IBM Support

IBM FileNet Content Platform Engine and Content Search Services are not affected by or vulnerable to known Apache Log4j vulnerabilities

Flashes (Alerts)


Abstract

For customers using FileNet Content Manager, IBM Content Foundation or IBM Case Foundation.
None of these products are impacted by the recently reported Apache Log4j security vulnerabilities.

Content

In December 2021, multiple security vulnerabilities were reported in Apache Log4j.
  • CVE-2021-44228 describes a vulnerability in Apache Log4j applicable to version 2.15 and lower versions of 2.x, dubbed Log4Shell.
  • CVE-2021-45046 describes a vulnerability in Apache Log4j applicable to version 2.15.
  • CVE-2021-45105 describes a vulnerability in Apache Log4j applicable to version 2.16.
  • CVE-2021-4104 describes a vulnerability in Apache Log4j version 1.2.x applicable when a JMSAppender is configured.
In January 2022, these new security vulnerabilities were reported in Apache Log4j.
  • CVE-2022-23302 describes a vulnerability in Apache Log4j v1.x with JMSSink.
  • CVE-2022-23305 describes a vulnerability in Apache Log4j v1.2.x with JDBCAppender.
  • CVE-2022-23307 describes a vulnerability in Apache Log4j v1.x deserialization issue that was present in Apache Chainsaw.
Previously, in 2019 another security vulnerability was reported in Apache Log4j.
  • CVE-2019-17571 describes a vulnerability in the Apache Log4j version 1.2.x applicable when a SocketServer is configured.
The FileNet Content Manager, IBM Content Foundation and IBM Case Foundation products have never used or included any version of Apache Log4j 2.x.  Therefore, they are not vulnerable to CVE-2021-44228 (Log4Shell), CVE-2021-45046 or CVE-2021-45105. 
Content Platform Engine and Content Search Services did use Log4j version 1.2.17 in older releases (5.5.5 and earlier).   However, these releases are not vulnerable to CVE-2019-17571, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 or CVE-2022-23307. 
  • CVE-2019-17571 requires a Log4j SocketServer to be configured and the Log4j SocketServer process to be started.  Content Platform Engine and Content Search Services do neither of these.
  • CVE-2021-4104 requires a Log4j JMSAppender to be configured.  Content Platform Engine and Content Search Services do not configure a Log4j JMSAppender.
  • CVE-2022-23302 requires a Log4j JMSSink to be configured.  Content Platform Engine and Content Search Services do not configure a Log4j JMSSink.
  • CVE-2022-23305 requires a Log4j JDBCAppender to be configured.  Content Platform Engine and Content Search Services do not configure a Log4j JDBCAppender.
  • CVE-2022-23307 requires Apache Chainsaw, to be configured.  Content Platform Engine and Content Search Services do not configure or use Apache Chainsaw.
In Content Platform Engine and Content Search Services 5.5.6 and later, Java Utility Logging (JUL) replaced Log4j. 
Log4j 1.2.17 continues to be distributed with Content Platform Engine 5.5.6 and later due to 3rd party dependencies.  However,  these 3rd party dependencies are also not vulnerable to CVE-2019-17571, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 or CVE-2022-23307 for the same reasons stated above.

To completely remove all log4j-1.2.17.jar from all 3rd party dependencies, upgrade to:
Log4j completely removed in releases
Patch ID Release Date
5.5.4.0-P8CPE-IF008
5.5.4.0-P8CSS-IF008
May 23, 2022
5.5.8.0-P8CPE-IF001
5.5.8.0-P8CSS-IF001
March 22, 2022
5.5.9.0-P8CPE
5.5.9.0-P8CSS
June 24, 2022
5.0.0.5-P8SD-FP005 February 17, 2022

 
Note that it is NOT possible to substitute and replace an existing Log4j version 1.2.17 with Log4j version 2.x.  Log4j version 2.x is not backward compatible with version 1.x.
If you are running Content Platform Engine within WebSphere Application Server, see:  
For the IBM perspective on this vulnerability, review the information at:

Vulnerability Details

December 2021 CVE's

CVEID:   CVE-2021-45046
DESCRIPTION:   Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2021-45105
DESCRIPTION:   Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2021-4104
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


January 2022 CVE's

CVEID:   CVE-2022-23302
DESCRIPTION:  Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-23305
DESCRIPTION:  Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2022-23307
DESCRIPTION:  Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

2019 CVE's

CVEID:   CVE-2019-17571
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVNV","label":"FileNet Content Manager"},"ARM Category":[{"code":"a8m0z0000004D40AAE","label":"Content Engine"},{"code":"a8m0z0000004CmzAAE","label":"Process Engine"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSGLW6","label":"IBM Content Foundation"},"ARM Category":[{"code":"a8m0z0000004D40AAE","label":"Content Engine"},{"code":"a8m0z0000004CmzAAE","label":"Process Engine"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTHRT","label":"IBM Case Foundation"},"ARM Category":[{"code":"a8m0z0000004D40AAE","label":"Content Engine"},{"code":"a8m0z0000004CmzAAE","label":"Process Engine"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
08 June 2022

UID

ibm16526036