IBM Support

I am using IBM Content Management Interoperability Services (IBM CMIS), what is the impact of CVE-2021-44228?

Flashes (Alerts)


Abstract

I am using IBM Content Management Interoperability Services (IBM CMIS), what is the impact of CVE-2021-44228?

Content

CVE-2021-44228 describes a vulnerability in the Apache Log4j 2.x Java library, dubbed Log4Shell.
IBM Content Management Interoperability Services (IBM CMIS) 3.0.6 and later does not use Log4j. Therefore, IBM CMIS is not affected by this vulnerability.
IBM CMIS includes IBM FileNet CMIS (FNCMIS), IBM Content Manager CMIS (CMCMIS) and IBM Content Manager OnDemand (CMOD).
Releases older than IBM CMIS 3.0.6 use Log4j 1.x, which is not vulnerable to CVE-2021-44228.
For an IBM perspective on this vulnerability, review the information from IBM at:
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
NOTE: Any log4j jar files found under the CMIS folder can be deleted manually for CMIS 3.0.6 and above. This won't have any impact on CMIS functionality.
The following files can be deleted without any impact on CMIS functionality:
List of files
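
To see which log4j jar files are actually present before deleting anything, the following inventory script can be run against the CMIS folder. It is an added example, not an IBM-supplied tool; the folder path is whatever you pass on the command line, and the classification by marker class is this example's own heuristic. It only inspects loose jar files on disk, not jars nested inside WAR or EAR archives.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class shipped in the Log4j 2.x core jar, the component CVE-2021-44228 is in.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Class from the Log4j 1.x API (the 2.x "1.2 bridge" jar also carries it).
V1_MARKER = "org/apache/log4j/Logger.class"
# File-name filter: any jar whose name mentions log4j.
NAME_RE = re.compile(r"log4j.*\.jar$", re.IGNORECASE)


def classify(jar_path):
    """Return '2.x-core', '1.x-api', 'other' or 'unreadable' for one jar."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return "unreadable"
    if JNDI_LOOKUP in names:
        return "2.x-core"
    if V1_MARKER in names:
        return "1.x-api"
    return "other"


def inventory(root):
    """List (path, classification) for every log4j*.jar found under root."""
    found = []
    for path in sorted(Path(root).rglob("*.jar")):
        if path.is_file() and NAME_RE.search(path.name):
            found.append((str(path), classify(path)))
    return found


if __name__ == "__main__":
    # Usage: python log4j_inventory.py <CMIS folder>
    for path, kind in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:10} {path}")
```

Run it again after the manual cleanup; an empty result means no loose log4j jar files remain under that folder.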


Document Information

Modified date:
18 March 2022

UID

ibm16527958