IBM Support

What is the impact of CVE-2021-44228, CVE-2021-45105, CVE-2021-45046, CVE-2021-4104 and CVE-2019-17571 on my IBM Content Navigator deployment?



Abstract

What is the impact of CVE-2021-44228, CVE-2021-45105, CVE-2021-45046, CVE-2021-4104 and CVE-2019-17571 on my IBM Content Navigator deployment?

Content

CVE-2021-44228:
CVE-2021-44228 is related to a vulnerability that exists in Apache log4j 2.0-beta9 through 2.14.1 (excluding security releases 2.12.2, 2.12.3, and 2.3.1).
  1. IBM Content Navigator (ICN) traditional application server installs (not containers) include log4j 1.x, which is not susceptible to the vulnerability detailed in CVE-2021-44228 except in the following scenario.
    • If you are on ICN 3.0.7 IF001, your environment has log4j 2.13 JAR files. If you upgraded from ICN 3.0.7 IF001 to a higher level, then your environment might still have log4j 2.13 JAR files left behind from the previous ICN 3.0.7 IF001 installation. Upgrade to ICN 3.0.7 IF002 or later (preferably, the latest interim fix, which is ICN 3.0.7 IF011 or ICN 3.0.9, 3.0.10 or 3.0.11). Then, delete these JAR files. The JAR files to be deleted and the locations where they can be found are listed next.
      • JAR files:
        • log4j-core.jar, log4j-api.jar, log4j-1.2-api.jar
      • Locations: 
        • <ECMClient>/configure/explodedformat/navigator/WEB-INF/lib
        • <WebSphere>/AppServer/profiles/<profile name>/installedApps/<cell>/navigator.ear/navigator.war/WEB-INF/lib
  2. IBM Content Navigator container deployments are impacted by CVE-2021-44228 as follows:
    • IBM Content Navigator container 3.0.9 and 3.0.10 deployments package log4j 2.x for Content Manager On Demand configuration only and are impacted by CVE-2021-44228.
    • IBM Content Navigator container 3.0.7 IF001 includes log4j 2.13 JAR files and is impacted by CVE-2021-44228.
    • Task Manager container 3.0.7, 3.0.9 and 3.0.10 deployments package log4j 2.x for certain Task Manager-specific use cases with IBM Content Manager or IBM FileNet Content Platform Engine 5.5.5 and earlier releases and are impacted by CVE-2021-44228.
    • An upgrade of IBM Content Navigator stand-alone container, Business Automation Navigator (BAN), or Task Manager (TM) container to the following releases fully mitigates the vulnerability: ICN container - ICN 3.0.11, ICN 3.0.10 LA004, ICN 3.0.9 LA008, ICN 3.0.7 IF002 or later ifix / BAN - 20.0.3 IF011, 21.0.2 IF006, 21.0.3 / Task Manager container - TM 3.0.11, TM 3.0.10 LA004, TM 3.0.9 LA008, TM 3.0.7 LA101.
  3. If you are on Task Manager container version 308 and pre-307 releases that are under continuing support, consider upgrading to one of the releases that are previously listed for fixes.
  4. If you are using IBM Knowledge Center Customer Installed (KCCI), see: https://www.ibm.com/support/pages/node/588187.
CVE-2021-45046 and CVE-2021-45105:

CVE-2021-45046 is related to a vulnerability that exists in Apache log4j 2.15.0.
CVE-2021-45105 is related to a vulnerability that exists in Apache log4j 2.0-alpha1 through 2.16.0.
  1. IBM Content Navigator traditional application server installs (not containers) include log4j 1.x, which is not susceptible to the vulnerabilities detailed in CVE-2021-45046 and CVE-2021-45105 except in the following scenario.
    • If you are on ICN 3.0.7 IF001, your environment has log4j 2.13 JAR files. If you upgraded from ICN 3.0.7 IF001 to a higher level, then your environment might still have log4j 2.13 JAR files left behind from the previous ICN 3.0.7 IF001 installation. Consider upgrading to ICN 3.0.7 IF002 or later (preferably, the latest interim fix, which is ICN 3.0.7 IF011 or ICN 3.0.9, 3.0.10 or 3.0.11). Then, delete these JAR files. The JAR files to be deleted and the locations where they can be found are listed next.
      • JAR files:
        • log4j-core.jar, log4j-api.jar, log4j-1.2-api.jar
      • Locations:
        • <ECMClient>/configure/explodedformat/navigator/WEB-INF/lib
        • <WebSphere>/AppServer/profiles/<profile name>/installedApps/<cell>/navigator.ear/navigator.war/WEB-INF/lib
  2. IBM Content Navigator container deployments are impacted as follows by CVE-2021-45046 and CVE-2021-45105. 
    • IBM Content Navigator container 3.0.9 and 3.0.10 deployments package log4j 2.15 for Content Manager On Demand configuration only and are impacted by CVE-2021-45046 and CVE-2021-45105.
    • IBM Content Navigator container 3.0.7 IF001 includes log4j 2.13 JAR files and is impacted by CVE-2021-45046 and CVE-2021-45105.
    • Task Manager container 3.0.7, 3.0.9 and 3.0.10 deployments include log4j 2.15 for certain Task Manager-specific use cases with IBM Content Manager or IBM FileNet Content Platform Engine 5.5.5 and earlier releases and are impacted by CVE-2021-45046 and CVE-2021-45105.
    • The log4j version that is included in ICN stand-alone container 3.0.11, TM container 3.0.11, and BAN 21.0.3 or the latest ifix releases of BAN 21.0.2, ICN 3.0.10, ICN 3.0.9, TM 3.0.10, TM 3.0.9, and TM 3.0.7 containers will be upgraded from log4j 2.15 to 2.17 by mid-January 2022.
    • BAN 20.0.3 IF011 includes log4j 2.17 and is not vulnerable to CVE-2021-45046 and CVE-2021-45105.
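
The leftover-JAR check from item 1 of both sections above can be scripted. This is an added example, not IBM code: it looks in the given WEB-INF/lib directories for the three JAR names the technote lists and reports each one's version. The function names are hypothetical, the sample directory is constructed, and it assumes the JAR manifest carries an Implementation-Version entry (otherwise the version is reported as unknown).

```python
import os
import tempfile
import zipfile

# JAR names the technote lists for deletion after upgrading past ICN 3.0.7 IF001.
LEFTOVER_JARS = {"log4j-core.jar", "log4j-api.jar", "log4j-1.2-api.jar"}

def manifest_version(jar_path):
    """Return Implementation-Version from the JAR manifest, or None if unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None

def find_leftover_jars(lib_dirs):
    """Return (path, version) pairs for the listed JARs found in lib_dirs."""
    hits = []
    for lib_dir in lib_dirs:
        if not os.path.isdir(lib_dir):
            continue  # location absent on this host
        for name in sorted(os.listdir(lib_dir)):
            if name in LEFTOVER_JARS:
                path = os.path.join(lib_dir, name)
                hits.append((path, manifest_version(path)))
    return hits

def make_sample_lib(root):
    """Build a constructed WEB-INF/lib with two stub JARs for the demo."""
    lib = os.path.join(root, "navigator", "WEB-INF", "lib")
    os.makedirs(lib)
    for name, version in (("log4j-core.jar", "2.13.0"), ("other.jar", "1.0")):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
    return lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for path, version in find_leftover_jars([make_sample_lib(root)]):
            print("delete after upgrade:", path, "version:", version or "unknown")
```

On a real host, pass the two locations listed in the technote with the `<ECMClient>`, `<WebSphere>`, `<profile name>` and `<cell>` placeholders resolved. The script only reports; deletion remains the step that follows the upgrade.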
CVE-2021-4104 and CVE-2019-17571:

CVE-2021-4104 is related to a vulnerability that exists in Apache log4j 1.2.
CVE-2019-17571 is related to a vulnerability that exists in Apache log4j 1.2.
  1. IBM Content Navigator traditional application server installs (not containers) include log4j 1.x for the following scenarios.
    • IBM Content Navigator usage with IBM Content Manager (CM8) or IBM FileNet Content Platform Engine 5.5.5 and earlier.
    • Task Manager usage with IBM Content Manager (CM8) or IBM FileNet Content Platform Engine 5.5.5 and earlier.
    • Sync usage with IBM FileNet Content Platform Engine 5.5.5 and earlier.
  2. IBM Content Navigator container deployments include log4j 1.x for the following scenarios.
    • IBM Content Navigator usage with IBM Content Manager (CM8) or IBM FileNet Content Platform Engine 5.5.5 and earlier.
    • Sync usage with IBM FileNet Content Platform Engine 5.5.5 and earlier.
  3. CVE-2021-4104 requires a Log4j JMSAppender to be configured. CVE-2019-17571 requires the SocketServer class to be configured. IBM Content Navigator (traditional installs and containers) including Task Manager and Sync, FileNet Content Platform Engine, and Content Manager (CM8) do not configure the log4j JMSAppender or SocketServer classes and are not vulnerable to CVE-2021-4104 and CVE-2019-17571.
** This ICN technote is updated as new information and observations become available. Check the technote regularly for added impact and mitigation measures.
For more information on updates to Log4j 1.x in IBM Content Navigator deployments, see technote 6558800.


Document Information

Modified date:
25 February 2022

UID

ibm16526164