IBM Support

IBM Product Master service: Apache Log4j remote code execution vulnerability - Log4Shell

Troubleshooting


Problem

CVE-2021-44228

The IBM Chief Information Security Office (CISO) has declared an override for recently published Apache Log4j remote code execution vulnerability CVE-2021-44228. The override due date for installing vendor-provided security updates is December 14, 2021. For more information, see An update on the Apache Log4j CVE-2021-44228 vulnerability.

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in the Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.

CVE-2021-45105

Apache Log4j 2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a Denial-of-Service (DoS) attack.

CVE-2021-44832

Apache Log4j 2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) is vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Apache Log4j version 2.17.1, Apache Log4j version 2.12.4, and Apache Log4j version 2.3.2.

Symptom

Any Log4j version before v2.17.1 is affected, including the v1 branch of Log4j, which is considered end of life (EOL).
IBM Product Master uses Log4j extensively to print messages hence all IBM Product Master users are impacted by this vulnerability.
Following are the Apache log4j versions that are used in IBM Product Master or InfoSphere® Master Data Management Collaboration Server - Collaborative Edition releases.
Product version Log4j version
1.0.x on IBM Cloud Pak for Data 4.0.x version 2.13.2

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSO3ZDL","label":"IBM Product Master Cartridge for IBM Cloud Pak for Data"},"ARM Category":[{"code":"a8m0z000000GoylAAC","label":"Troubleshooting"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
12 January 2022

UID

ibm16526144

Page Feedback