IBM Support

CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Log4j vulnerabilities in IBM Rational Software Architect RealTime Edition

Question & Answer


Question

How does CVE-2021-44228 Log4j vulnerability affect IBM® Rational® Software Architect RealTime Edition (RSARTE) products?

Cause

Apache Log4j is an open source component that provides logging capabilities in some parts of IBM RSARTE. A critical security vulnerability, CVE-2021-44228, was recently discovered in it. To keep your RSARTE installations secure, IBM RSARTE version 11.1 2020.46 iFix1 is now available; it includes a version of Log4j (2.15) in which the vulnerability was addressed.

Answer

Both 11.0 and 11.1 versions of IBM RSARTE include Log4j. These are the versions of Log4j included in different versions of IBM RSARTE 11.0 and 11.1:

  • v11.0 2020.50 - 2021.10 include Log4j 2.5
  • v11.0 2021.16 includes Log4j 2.14
  • v11.1 2021.16 - 2021.46 include Log4j 2.14

Fix

New versions of IBM RSARTE 11.0 and 11.1 are available on Fix Central. Both versions have Log4j 2.15 replacing the older 2.x versions of Log4j.

Note that Eclipse 2019-06 (the version used by IBM RSARTE 11.0) includes Log4j 1.2.15, which is affected by CVE-2019-17571. Eclipse 2020-06 (the version used by IBM RSARTE 11.1) does not include any Log4j version.

UPDATE 2021-12-15: A new vulnerability CVE-2021-45046 has been published for Log4j. The RSARTE Development Team is currently investigating it to see if an iFix delivery is required. If feasible, Log4j will be uplifted to version 2.16 in the upcoming 11.1 2022.04 release shipping in February 2022.

The recommendation is to install IBM RSARTE v11.1 2021.46-iFix1.

Fix Central 11.0 version

Fix Central 11.1 version

UPDATE 2021-12-16: New versions of RSARTE v11.0 and v11.1 have been published. These releases include Log4j version 2.16, which addresses the CVE-2021-45046 vulnerability.

The versions are located at the following sites:

Fix Central 11.0 version

Fix Central 11.1 version

The recommendation is to install v11.1 2021.46-ifix2.

UPDATE 2021-12-23: New versions of RSARTE v10.3, v11.0, and v11.1 have been published. These releases include Log4j version 2.17, which addresses the CVE-2021-45105 vulnerability.

The versions are located at the following sites:

Fix Central 10.3 version

Fix Central 11.0 version

Fix Central 11.1 version

The recommendation is to install v11.1 2021.46-ifix3.
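
One way to check an installation against the fix levels listed above, as an added example that is not IBM's code: it reads the version of each bundled log4j-core jar and lists which of the three CVEs that version predates. It assumes the jars keep Maven's pom.properties metadata; sample_jar builds constructed test input.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Fix levels exactly as this advisory states them: Log4j 2.x release -> CVE addressed.
# Apache's separate 2.3.x / 2.12.x backport lines are not modelled here.
FIXED_IN = {(2, 15): "CVE-2021-44228", (2, 16): "CVE-2021-45046", (2, 17): "CVE-2021-45105"}
# Maven metadata carried by log4j-core jars; its "version=" line names the release.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def core_version(jar_bytes):
    """Return (major, minor) of the log4j-core packaged in a jar, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            props = jar.read(POM).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):  # not log4j-core, or not a readable zip
        return None
    m = re.search(r"^version=(\d+)\.(\d+)", props, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def open_cves(version):
    """CVEs from this advisory whose fix level is above `version`.
    Tuples compare numerically, so 2.5 sorts below 2.15 (a string compare would not)."""
    return sorted(cve for fixed, cve in FIXED_IN.items() if version < fixed)

def scan(root):
    """Map each log4j-core jar under `root` to (version, unaddressed CVEs)."""
    jars = (p for p in Path(root).rglob("*.jar") if p.is_file())
    versions = {str(p): core_version(p.read_bytes()) for p in jars}
    return {p: (v, open_cves(v)) for p, v in versions.items() if v is not None}

def sample_jar(version):
    """Constructed stand-in for a bundled log4j-core jar (metadata only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM, f"version={version}\ngroupId=org.apache.logging.log4j\n")
    return buf.getvalue()

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan the install directory given on the command line
        for jar, (ver, cves) in sorted(scan(sys.argv[1]).items()):
            print(jar, "%d.%d" % ver, ", ".join(cves) or "at advisory fix level")
    else:  # offline demo on constructed jars
        for v in ("2.5", "2.14.1", "2.15.0", "2.17.0"):
            print(v, open_cves(core_version(sample_jar(v))))
```

Pass the RSARTE installation directory as the only argument to scan a real install. Log4j 1.x jars, such as the 1.2.15 copy noted above for Eclipse 2019-06, are not detected by this check.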


Product Synonym

RSARTE

Document Information

Modified date:
04 January 2022

UID

ibm16526170