How Apache Log4J Security Vulnerabilities affect IBM Personal Communications?

Question & Answer

Question

Cause

Summary: A critical security vulnerability CVE-2021-44228 has been identified with Apache Log4j2. JNDI features of Apache Log4j2 do not protect against attacker controlled LDAP and other JNDI related endpoints.

Severity: Critical

Base CVSS Score: 10.0

Confirmed Versions Affected: all versions from 2.0-beta9 to 2.14.1

Description: Apache Log4j2 <= 2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Answer

Versions of IBM Personal Communications are not impacted by the security vulnerability, as the product does not use Log4J library.

Related Information

Apache Log4j Security Vulnerabilities

CVE-2021-44228 Detail

Remote code injection in Log4j

[{"Type":"MASTER","Line of Business":{"code":"LOB35","label":"Mainframe SW"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSEQ5Y","label":"Personal Communications"},"ARM Category":[{"code":"a8m0z0000000CBWAA2","label":"PCOMM"}],"ARM Case Number":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"13.0.0;13.0.1;13.0.2;13.0.3;13.0.4;13.0.5;14.0.0;14.0.1;14.0.2;14.0.3;14.0.4"}]

Tips

How Apache Log4J Security Vulnerabilities affect IBM Personal Communications?

Question & Answer

Question

Cause

Answer

Related Information

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?