IBM Support

QRadar: Addendum to Apache Log4j CVE-2021-44228 vulnerability information (Updated)

News


Abstract

This technical note is an addendum to assist users and clarify QRadar product offerings affected by the Apache Log4j CVE-2021-44228 vulnerability. The content in this technical note is intended as a reference to clarify QRadar SIEM products not susceptible to CVE-2021-44228 and does not supersede information provided directly to users in flash notices by IBM Product Security teams.

Content

Change list


  • 15 December 2021: Initial publication released to define IBM QRadar SIEM products and appliances not affected by CVE-2021-44228.
  • 16 December 2021 (10 AM EST): Added QFlow Processors (12xx) as not susceptible. Added a note to inform users that products not displayed on the list are under investigation.
  • 16 December 2021 (3 PM EST): Added a link for an issue under investigation for User Behavior Analytics versions 4.1.3 and 4.1.4. Links to download UBA are temporarily disabled while this issue is under review. 
  • 17 December 2021 (8 PM EST): Release of UBA 4.1.5. This update resolves the database migration issue and includes a mitigation for CVE-2021-44228 as described in the User Behavior Analytics Log4j security bulletin.
  • 20 December 2021 (4:30 PM EST): QRadar Risk Manager security bulletin added. Software is available on IBM Fix Central for QRadar 7.4.3 Fix Pack 2 Interim Fix 2 and 7.3.3 Fix Pack 10 Interim Fix 1 for administrators with QRadar Risk Manager appliances.

IBM Security issued a list of non-affected products to administrators and users as 'An update on the Apache Log4j CVE-2021-44228 vulnerability'. To provide more information and clarify QRadar products not affected by CVE-2021-44228, the content in this technical note clarifies what products are generically referred to as 'QRadar SIEM' in the IBM Security information.

Note: The following list is considered incomplete. The change list can be used to identify updates to the technical note as development teams confirm product susceptibility to CVE-2021-44228.

Known affected products with existing bulletins for CVE-2021-44228:
  1. QRadar Disconnected Log Collector (DLC)
    For more information, see Disconnected Log Collector Guide.
  2. User Behavior Analytics
    Note: Upgrade configuration issues resolved with the release of UBA V4.1.5. For more information, see User Behavior Analytics app missing configuration after upgrade to UBA V4.1.3 or V4.1.4.
  3. QRadar Risk Manager
    Note: QRadar software upgrades use a single SFS file to update multiple products. The interim fix applies mitigations to IBM QRadar Risk Manager, along with IBM QRadar SIEM and other products, even if the software does not require any mitigations. Customers who do not use QRadar Risk Manager can also apply this fix to update the unused vulnerable components.
QRadar products not susceptible to CVE-2021-44228:
  • QRadar SIEM Consoles (31xx)
    • QRadar Flow Collectors (12xx)
    • QRadar Event Collectors (15xx)
    • QRadar Event Processors (16xx)
    • QRadar Flow Processors (17xx)
    • QRadar Event and Flow Processors (18xx)
    • QRadar Data Node (14xx)
    • QRadar App Host (4000)
    • WinCollect agents (32-bit and 64-bit)
  • QRadar on Cloud Consoles (31xx)
    • Data Gateway (7000)
  • QRadar Vulnerability Manager (600)
  • QRadar Log Manager (8xxx)
  • QRadar Incident Forensics (6000 or 6100)
  • QRadar Network Insights (6200 - 6600)
  • QRadar Network Packet Capture
  • IBM Security QRadar Packet Capture

    Note: Products that do not appear on this list are under investigation.

 
Are QRadar applications affected by CVE-2021-44228?
Most QRadar applications are not susceptible to the Log4j issue as they do not include Java code or dependencies. The list of applications on this list refers to both app framework V1 (CentOS 6) and V2 (Universal Base Image) apps on the IBM X-Force App Exchange.

The following IBM-developed applications are confirmed as not susceptible to CVE-2021-44228, despite containing Java code or dependencies:
 
  • Network Traffic Analysis app
  • QRadar Advisor with Watson app
  • IBM QRadar DNS Analyzer app

Important: Administrators who use applications built on application framework V1 need to review the following support notice and upgrade applications to 7.3.3 Fix Pack 6+/7.4.1 Fix Pack 2+ versions. For more information, see Notice: CentOS6 applications and mitigation for CVEs.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtjAAA","label":"Vulnerabilities"}],"Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
20 December 2021

UID

ibm16526712