Troubleshooting
Problem
CVE-2021-44228
The IBM Chief Information Security Office (CISO) has declared an override for recently published Apache Log4j remote code execution vulnerability CVE-2021-44228. The override due date for installing vendor-provided security updates is December 14, 2021. For more information, see An update on the Apache Log4j CVE-2021-44228 vulnerability.
CVE-2021-45046
It was found that the fix to address CVE-2021-44228 in the Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.
CVE-2021-45105
Apache Log4j 2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a Denial-of-Service (DoS) attack.
CVE-2021-44832
Apache Log4j 2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) is vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Apache Log4j version 2.17.1, Apache Log4j version 2.12.4, and Apache Log4j version 2.3.2.
Symptom
Product version | Log4j version |
---|---|
InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.5 fix packs (all) | 1.2.17 |
InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.6 Fix Pack 16 and earlier | 1.2.17 |
InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.6 Fix Pack 16 and later | 2.12.1 |
IBM Product Master 12.x | 2.13.2 |
Cause
Resolving The Problem
- Upgrade to the latest version of Apache Log4j (2.17.1 and later) as soon as possible. The security update is available from the Apache Logging Services website.
- For version 2.14.x and lower - The log4j2.formatMsgNoLookups defaults to false, which needs to be set to true in the Java Virtual Machine (JVM) as -Dlog4j2.formatMsgNoLookups=true or set the value of the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
- For CVE-2021-45105 and CVE-2021-45046
IBM Product Master does not use a non-default Pattern Layout with a Context Lookup and does not enable JMS Appender so is not impacted by CVE-2021-45105 and CVE-2021-45046. - For CVE-2021-44832
IBM Product Master does not use JDBC Appender so is not impacted by CVE-2021-44832.
- If you are using noncontainerized deployment using IBM WebSphere Application Server,
- Follow steps mentioned in the Setting generic JVM arguments in WebSphere Application Server to set -Dlog4j2.formatMsgNoLookups=true.
- Set the value of the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true which is applicable for all the services.
- If you are using containerized deployment using IBM WebSphere® Liberty,
- Edit following ConfigMap and set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable.
-
Edit the ConfigMap by using the following command.
oc edit configmap productmaster-<service>-configmap
Where configmap is,productmaster-admin-configmap
productmaster-elasticsearch-configmap
productmaster-fts-indexer-configmap
productmaster-fts-pim-configmap
productmaster-gds-configmap
productmaster-ml-configmap
productmaster-personaui-configmap
productmaster-restapi-configmap
productmaster-sch-configmap
productmaster-wfl-configmap -
Restart all the pods.
-
- Edit following ConfigMap and set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable.
- Above mitigation does not mitigate CVE-2021-45046 specific vulnerability. For more information, see Log4j – Apache Log4j Security Vulnerabilities.
- InfoSphere® Master Data Management Collaboration Server - Collaborative Edition 11.5 users who are on Java 7 should upgrade to release log4j version 2.12.2 when it becomes available.
Related Information
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
09 March 2022
UID
ibm16526142