This technical note is an addendum that clarifies which QRadar product offerings are affected by the Apache Log4j vulnerability CVE-2021-44228. It is intended as a reference for identifying QRadar SIEM products that are not susceptible to CVE-2021-44228; it does not supersede information provided directly to users in flash notices by IBM Product Security teams.
- 15 December 2021: Initial publication released to define IBM QRadar SIEM products and appliances not affected by CVE-2021-44228.
- 16 December 2021 (10 AM EST): Added QFlow Collectors (12xx) as not susceptible. Added a note to inform users that products not displayed on the list are under investigation.
- 16 December 2021 (3 PM EST): Added a link for an issue under investigation for User Behavior Analytics versions 4.1.3 and 4.1.4. Links to download UBA are temporarily disabled while this issue is under review.
- 17 December 2021 (8 PM EST): Release of UBA 4.1.5. This update resolves the database migration issue and includes a mitigation for CVE-2021-44228 as described in the User Behavior Analytics Log4j security bulletin.
- 20 December 2021 (4:30 PM EST): QRadar Risk Manager security bulletin added. Software is available on IBM Fix Central for QRadar 7.4.3 Fix Pack 2 Interim Fix 2 and 7.3.3 Fix Pack 10 Interim Fix 1 for administrators with QRadar Risk Manager appliances.
Note: The lists below are incomplete. Use the change list above to identify updates to this technical note as development teams confirm whether each product is susceptible to CVE-2021-44228.
Known affected products with existing bulletins for CVE-2021-44228:
- QRadar Disconnected Log Collector (DLC)
For more information, see Disconnected Log Collector Guide.
- User Behavior Analytics
Note: The upgrade configuration issue is resolved in UBA V4.1.5. For more information, see User Behavior Analytics app missing configuration after upgrade to UBA V4.1.3 or V4.1.4.
- QRadar Risk Manager
Note: QRadar software upgrades use a single SFS file to update multiple products. The interim fix applies the mitigations for IBM QRadar Risk Manager alongside IBM QRadar SIEM and other products, even where those products do not require any mitigation. Customers who do not use QRadar Risk Manager can also apply this fix to update the unused vulnerable components.
Products confirmed as not susceptible to CVE-2021-44228:
- QRadar SIEM Consoles (31xx)
- QRadar Flow Collectors (12xx)
- QRadar Event Collectors (15xx)
- QRadar Event Processors (16xx)
- QRadar Flow Processors (17xx)
- QRadar Event and Flow Processors (18xx)
- QRadar Data Node (14xx)
- QRadar App Host (4000)
- WinCollect agents (32-bit and 64-bit)
- QRadar on Cloud Consoles (31xx)
- Data Gateway (7000)
- QRadar Vulnerability Manager (600)
- QRadar Log Manager (8xxx)
- QRadar Incident Forensics (6000 or 6100)
- QRadar Network Insights (6200 - 6600)
- QRadar Network Packet Capture
- IBM Security QRadar Packet Capture
Note: Products that do not appear on either list are under investigation.
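For products still under investigation, and for verifying a host after the SFS interim fix described under QRadar Risk Manager has been applied, an administrator will usually want a local inventory of Log4j JARs rather than waiting for the next list update. The script below is an added example written for this note; it is not IBM code, and IBM's bulletins remain the authoritative statement of each product's status. It walks a directory tree, opens every JAR/WAR/EAR (one level of nested JARs included, which is where web applications keep their libraries), reads the Log4j version from the Maven pom.properties or the filename, and classifies each archive against CVE-2021-44228: 2.15.0 and later and the 2.12.2/2.3.1 backports are fixed, an older 2.x build is vulnerable unless JndiLookup.class has been deleted (Apache's class-removal mitigation), and Log4j 1.x is reported as not affected by this CVE. The sample archives it scans when run without arguments are constructed fixtures with empty class entries, not real Log4j builds; the /opt/qradar path in the comment is an assumed starting point, not a path this note specifies.

```python
"""Inventory Log4j archives under a directory tree and classify each against CVE-2021-44228.
Added example for this note, not IBM code; product status comes from the IBM bulletins."""
import io
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

CORE_PREFIX = "org/apache/logging/log4j/core/"         # Log4j 2.x core classes
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"  # class abused by CVE-2021-44228
LEGACY_PREFIX = "org/apache/log4j/"                    # Log4j 1.x, not affected by CVE-2021-44228
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                 # "outer.war!WEB-INF/lib/inner.jar" for nested archives
    version: Optional[str]
    jndi_lookup_present: bool
    verdict: str


def parse_version(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def is_fixed_for_44228(v: Tuple[int, int, int]) -> bool:
    """Fixed in 2.15.0+ and in the 2.12.2 and 2.3.1 backport releases (branch-aware check)."""
    return v >= (2, 15, 0) or (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1)


def classify(version: Optional[str], jndi_present: bool) -> str:
    v = parse_version(version)
    if v is None:
        return "unknown-version-review"
    if is_fixed_for_44228(v):
        return "fixed-version"
    # Pre-fix 2.x release: acceptable only if JndiLookup.class was deleted from the archive.
    return "vulnerable" if jndi_present else "mitigated-class-removed"


def read_version(zf: zipfile.ZipFile, label: str) -> Optional[str]:
    """Prefer the Maven pom.properties inside the archive; fall back to the filename."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = re.search(r"log4j(?:-core)?-(\d[\w.\-]*)\.jar$", label)
    return m.group(1) if m else None


def inspect_archive(zf: zipfile.ZipFile, label: str, depth: int = 0) -> List[Finding]:
    names = zf.namelist()
    out: List[Finding] = []
    if any(n.startswith(CORE_PREFIX) for n in names):
        ver, jndi = read_version(zf, label), JNDI_LOOKUP in names
        out.append(Finding(label, ver, jndi, classify(ver, jndi)))
    elif any(n.startswith(LEGACY_PREFIX) for n in names):
        out.append(Finding(label, read_version(zf, label), False, "log4j1-unaffected-by-44228"))
    if depth < 2:  # JARs bundled inside WAR/EAR files, e.g. under WEB-INF/lib
        for n in names:
            if n.lower().endswith(".jar"):
                try:
                    inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
                    out += inspect_archive(inner, f"{label}!{n}", depth + 1)
                except zipfile.BadZipFile:
                    pass
    return out


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                        out += inspect_archive(zf, os.path.join(dirpath, f))
                except zipfile.BadZipFile:
                    pass
    return out


def build_sample_tree(root: str) -> None:
    """Constructed fixtures with empty .class entries; not real Log4j builds."""
    def jar(target, entries):
        with zipfile.ZipFile(target, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
    core = {CORE_PREFIX + "Logger.class": b""}
    jar(os.path.join(root, "log4j-core-2.14.1.jar"), {**core, POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP: b""})
    jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), {**core, POM_PROPS: "version=2.14.1\n"})
    jar(os.path.join(root, "log4j-core-2.17.1.jar"), {**core, POM_PROPS: "version=2.17.1\n", JNDI_LOOKUP: b""})
    jar(os.path.join(root, "log4j-1.2.17.jar"), {LEGACY_PREFIX + "Logger.class": b""})
    inner = io.BytesIO()  # a 2.12.2 backport JAR nested inside a WAR
    jar(inner, {**core, POM_PROPS: "version=2.12.2\n", JNDI_LOOKUP: b""})
    jar(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-core-2.12.2.jar": inner.getvalue()})


def demo() -> dict:
    """Scan the constructed sample tree; returns {path relative to the tree: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f.path[len(root) + 1:]: f.verdict for f in scan_tree(root)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 log4j_inventory.py /opt/qradar (assumed path)
        for f in scan_tree(sys.argv[1]):
            print(f"{f.verdict:28} version={f.version or '?':10} JndiLookup={str(f.jndi_lookup_present):6} {f.path}")
    else:
        for path, verdict in demo().items():
            print(f"{verdict:28} {path}")
```

Two caveats apply when reading the output. JndiLookup.class still ships in 2.16.0 and later but is disabled by default there, so its presence only matters for pre-fix versions, which is why the verdict is keyed on version first. And an archive inventory only sees what is on disk: a Java process that loads Log4j from an exploded class directory or from a shaded JAR with a different version path falls into the "unknown-version-review" bucket and needs a manual look rather than being treated as clean.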
Most QRadar applications are not susceptible to CVE-2021-44228 because they contain no Java code or Java dependencies. The application list below covers both app framework V1 (CentOS 6) and V2 (Universal Base Image) apps on the IBM X-Force App Exchange.
The following IBM-developed applications are confirmed as not susceptible to CVE-2021-44228, despite containing Java code or dependencies:
- Network Traffic Analysis app
- QRadar Advisor with Watson app
- IBM QRadar DNS Analyzer app
Important: Administrators who use applications built on application framework V1 need to review the following support notice and upgrade their applications to the versions released for QRadar 7.3.3 Fix Pack 6 or later and 7.4.1 Fix Pack 2 or later. For more information, see Notice: CentOS6 applications and mitigation for CVEs.
20 December 2021