IBM Support

Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228)

Security Bulletin


There is a vulnerability in the Apache Log4j open source library. The library is used by Elasticsearch, a dependency of IBM Cloud Private, for logging messages to files. This bulletin identifies the security fixes to apply to address the Log4Shell vulnerability (CVE-2021-44228).

Vulnerability Details

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)Version(s)
IBM Cloud Private3.1.0
IBM Cloud Private3.1.1
IBM Cloud Private3.1.2
IBM Cloud Private3.2.0
IBM Cloud Private3.2.1 CD
IBM Cloud Private3.2.2 CD


IBM strongly recommends addressing the vulnerability now by upgrading.


The recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:


For IBM Cloud Private 3.1.0: IBM Cloud Private 3.1.0 Patch


For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch


For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch


For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch


For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch


For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch


Workarounds and Mitigations


Get Notified about Future Security Bulletins



Details of the ElasticSearch remediation for IBM Cloud Private Version 3.2.1 and 3.2.2

The ibm-icplogging component has been updated to use Elasticsearch 6.8.22. This release upgrades the Log4j package to 2.17.0, which remediates the log4j vulnerabilities and should not trigger false positives in vulnerability scanners as was the case with Elasticsearch 6.8.21. 

Elasticsearch announcement (ESA-2021-31)


Details of the ElasticSearch remediation for IBM Cloud Private Version 3.1.0, 3.1.1, 3.1.2, and 3.2.0

Elasticsearch and Logstash within ibm-icplogging component have been updated to remediate the log4j vulnerabilities by removing the vulnerable JndiLookup class from the log4j-core package. Some vulnerability scanners may continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. However, the mitigation sufficiently protects both remote code execution and information leakage.

Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation

Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation


Change History

15 Dec 2021: Initial Publication
21 Dec 2021: Patch updated to include Elasticsearch 6.8.22 which includes Log4j 2.17.0. 
22 Dec 2021: Add patch links for 3.1.1, 3.1.2, 3.2.0
18 Jan 2022: Add patch link for 3.1.0

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBS6K","label":"IBM Cloud Private"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"all","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
27 January 2022