IBM Support

Tech Note: Log4j Vulnerability (CVE-2021-44228) in IBM Informix workaround

Troubleshooting


Problem

Summary:

This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. Versions Affected: All Apache Log4j2 <=2.14.1.

Vulnerability Details:

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system.
Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions:

Affected Product(s)            Version(s)
IBM Informix Dynamic Server    14.10
IBM Informix Dynamic Server    12.10.x

Remediation/Fixes:

IBM InformixHQ 

This vulnerability only affects users using IBM InformixHQ 1.5.0 in Informix versions 14.10.xC6 or 12.10.xC15 and higher. IBM InformixHQ uses Apache Log4j2 2.14.0.

This vulnerability may be exploited while using InformixHQ.

Resolving The Problem

Workarounds and Mitigations:

All customers are encouraged to act quickly to update their systems.

Interim Fix

Administrators are advised to add "log4j2.formatMsgNoLookups=true" as a Java system property to the InformixHQ startup commands:

To start InformixHQ Server:

java -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=utf-8 -jar informixhq-server.jar informixhq-server.properties &

 

To start InformixHQ Agent:

java -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=utf-8 -jar informixhq-agent.jar informixhq-agent.properties &

Users NOT using InformixHQ may remove the InformixHQ executable jar files located in the $INFORMIXDIR/hq directory.

Notes:

  1. Do not use the InformixHQ startup scripts (InformixHQ.sh, InformixHQ.sh and InformixHQ.ksh) from the $INFORMIXDIR/hq folder to start the InformixHQ server and agents, as they do not include the above-mentioned system property.
  2. Do not start the InformixHQ Agent from the InformixHQ UI, as the above-mentioned system property is not used internally.
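
Added example (not part of IBM's note): a shell check that reads "ps -eo pid,args" output and lists InformixHQ server or agent JVMs running without the property, which is the state the two notes above warn about. The sample process lines, PIDs and the /opt/informix path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Checks only the command-line property this
# note prescribes: -Dlog4j2.formatMsgNoLookups=true given as a JVM option.

# Constructed sample of `ps -eo pid,args` output (PIDs and paths are made up).
SAMPLE_PS='1201 java -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=utf-8 -jar informixhq-server.jar informixhq-server.properties
1350 java -Dfile.encoding=utf-8 -jar /opt/informix/hq/informixhq-agent.jar informixhq-agent.properties
1422 java -jar informixhq-agent.jar informixhq-agent.properties -Dlog4j2.formatMsgNoLookups=true
1503 java -Xmx512m -jar unrelated-app.jar'

# Reads "PID ARGS..." lines on stdin and prints "PID JAR" for every
# InformixHQ server or agent JVM that is running without the property.
hq_missing_mitigation() {
    awk '
    {
        jar = ""; mitigated = 0
        for (i = 2; i <= NF; i++) {
            # Only tokens before -jar are JVM options; anything after the
            # jar name is passed to the application and has no effect.
            if (jar == "" && $i == "-Dlog4j2.formatMsgNoLookups=true")
                mitigated = 1
            if (jar == "" && $i == "-jar" && i < NF) {
                n = split($(i + 1), parts, "/")
                jar = parts[n]          # basename of the jar path
            }
        }
        if ((jar == "informixhq-server.jar" || jar == "informixhq-agent.jar") && !mitigated)
            print $1, jar
    }'
}

# Audit the sample; on a live host use: ps -eo pid,args | hq_missing_mitigation
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | hq_missing_mitigation
}

audit_sample
```

Any PID it prints should be stopped and restarted with one of the java commands shown in the Interim Fix.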

 

See the related URL for official information pertaining to releases where this is remediated.

Document Location

Worldwide


Document Information

Modified date:
18 April 2022

UID

ibm16527396