Troubleshooting
Problem
Summary:
This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Versions Affected: All Apache Log4j2 <=2.14.1.
Vulnerability Details:
CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system.Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions:
Affected Product(s) |
Version(s) |
IBM Informix Dynamic Server |
14.10 |
IBM Informix Dynamic Server |
12.10.x |
Remediation/Fixes:
IBM InformixHQ
This vulnerability only affects users using IBM InformixHQ 1.5.0 in Informix versions 14.10.xC6 or 12.10.xC15 and higher. IBM InformixHQ uses Apache Log4j2 2.14.0.
This vulnerability may be exploited while using InformixHQ.
Resolving The Problem
Workarounds and Mitigations:
All customers are encouraged to act quickly to update their systems.
Interim Fix
Administrators are advised to add "log4j2.formatMsgNoLookups=true" to the InformixHQ start up commands:
To start InformixHQ Server:
java -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=utf-8 -jar informixhq-server.jar informixhq-server.properties &
To start InformixHQ Agent:
java -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=utf-8 -jar informixhq-agent.jar informixhq-agent.properties &
Users NOT using Informix HQ may remove the InformixHQ executable jar files located in INFORMIXDIR/hq directory.
Notes:
- Do not use InformixHQ startup scripts (InformixHQ.sh, InformixHQ.sh and InformixHQ.ksh) from $INFORMIXDIR/hq folder to start InfomixHQ server and agents as it does not include above mentioned system property.
- Do not start InformixHQ Agent using InformixHQ UI as internally above mentioned system property is not used.
See the related URL for official information pertaining to releases where this is remediated.
Related Information
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
18 April 2022
UID
ibm16527396