IBM Support

Security Bulletin: Vulnerability in Apache Log4j affects IBM Db2® Warehouse (CVE-2021-44228)

Security Bulletin


Apache Log4j open source library used by IBM® Db2® Warehouse is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature.

Vulnerability Details

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Fix pack levels of IBM Db2 Warehouse V11.5 on all platforms are affected only if the following features are configured:


  •   DVM JDBC wrapper driver,
  •   NoSQL wrapper driver (for Hadoop),
  •   Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)


Customers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the fix for this issue. These special builds are available based on the most recent fixpack level for the V11.5.6 release. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

Release Fixed in Fix Pack

For information about how to update, see the following topics:

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability now.

To disable Log4j for the Db2 Federation feature, perform the following:

As root, perform the following commands:

    wvcli system disable -m "update db2set"

    su - dsadm -c "/opt/ibm/dsserver/bin/"

As db2inst1, perform the following commands:

    db2 force applications all

    db2 deactivate db bludb

    db2stop force

    rah 'ipclean -a'

    db2set DB2_JVM_STARTARGS="-Dlog4j2.formatMsgNoLookups=true"


    db2 activate db bludb

As root, perform the following commands:

    su - dsadm -c "/opt/ibm/dsserver/bin/"

    wvcli system enable -m "update db2set"

Get Notified about Future Security Bulletins




Change History

14 Jan 2022: Updated version affected to include all versions of Db2 Warehouse v11.5
17 Dec 2021: Added fix pack docker image tags for special builds on Linux 64-bit System z®, System z9® or zSeries®, Linux 64-bit, Linux 64-bit POWER™ little endian
16 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"","label":""},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSRU6J","label":"IBM dashDB Local"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
14 January 2022