News
Abstract
APM v8.1.4.0 Server Hot Fix for Log4j Vulnerabilities
Content
The APM v8.1.4.0 Server installs an Online Help application that contains Log4j v2.3. This version of Log4j is affected by the vulnerability documented in CVE-2021-44228, which is fixed in Log4j v2.17.1. The vulnerable Log4j v2.3 can be replaced by Log4j v2.17.1 by following the procedure below. The same procedure is also used to update Log4j versions that were installed by previously applied hotfixes, which may have been vulnerable to CVE-2021-44832 and CVE-2021-45105.
1. Download the four Log4j v2.17.1 jar files attached to this TechNote and store them in a directory that is accessible from the APM v8.1.4.0 Server.
- log4j-slf4j-impl-2.17.1.jar
- log4j-1.2-api-2.17.1.jar
- log4j-core-2.17.1.jar
- log4j-api-2.17.1.jar
2. Log in to the APM Server as root and change to the directory that contains the installed Log4j v2.3 files. Replace <apm_install_dir> with the directory in which APM was installed.
# cd <apm_install_dir>/wlp/usr/servers/apmui/apps/kc.war/WEB-INF/lib
3. Move the existing Log4j jar files to a backup location of your choice.
# mv ./log4j-* /tmp
4. Copy in the Log4j v2.17.1 jar files previously downloaded. The following copies the files from the /root directory.
# cp /root/log4j* .
5. Restart server1 and apmui.
# apm stop apmui && apm restart server1 && apm start apmui
The result should leave only Log4j v2.17.1 jar files in this directory.
This procedure does not change the functionality of Online Help.
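To confirm the result of the procedure above, the following check verifies that a directory holds exactly the four Log4j v2.17.1 jar files from step 1 and no other log4j files. It is an added example, not part of the original TechNote or an IBM-supplied tool; the function name check_log4j_dir is hypothetical.

```shell
#!/bin/sh
# Added example: verify that a lib directory holds exactly the four
# Log4j v2.17.1 jars named in step 1 and no other log4j* files.
# check_log4j_dir is a hypothetical helper name, not an APM command.

EXPECTED_JARS="log4j-slf4j-impl-2.17.1.jar log4j-1.2-api-2.17.1.jar log4j-core-2.17.1.jar log4j-api-2.17.1.jar"

# Usage: check_log4j_dir <lib_dir>
# Returns 0 when only the expected jars are present, 1 otherwise.
check_log4j_dir() {
    lib_dir=$1
    rc=0

    if [ ! -d "$lib_dir" ]; then
        echo "ERROR: $lib_dir is not a directory" >&2
        return 1
    fi

    # Every jar from step 1 must be present.
    for jar in $EXPECTED_JARS; do
        if [ ! -f "$lib_dir/$jar" ]; then
            echo "MISSING: $jar"
            rc=1
        fi
    done

    # Any other log4j file (for example a leftover v2.3 jar) is a failure.
    for path in "$lib_dir"/log4j*; do
        [ -e "$path" ] || continue   # glob matched nothing
        name=${path##*/}
        case " $EXPECTED_JARS " in
            *" $name "*) ;;
            *) echo "UNEXPECTED: $name"; rc=1 ;;
        esac
    done

    return $rc
}

# Run against the directory given on the command line, if any.
if [ $# -ge 1 ]; then
    check_log4j_dir "$1"
fi
```

Pass the WEB-INF/lib directory from step 2 as the only argument; no output and an exit status of 0 mean the directory matches the expected result.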
Document Information
Modified date:
05 January 2022
UID
ibm16526216