IBM Support

IBM Enterprise Records is not affected by, or vulnerable to CVE-2021-44228

News


Abstract

Is IBM Enterprise Records (IER) affected by, or vulnerable to CVE-2021-44228?

Content

No, Enterprise Records is not affected by, or vulnerable to CVE-2021-44228 because the software does not use Log4j version 2.x. So, Enterprise Records is not vulnerable to the Log4Shell CVE.
Enterprise Records 5.2.1.5 and earlier versions do use Log4j version 1, Log4j 1.2.13 for logging, which continues to be distributed due to third-party dependencies. However, this version of Log4j is not vulnerable to the Log4Shell vulnerabilities.

If Enterprise Records is deployed on top of IBM WebSphere Application Server, refer to the following:
For the IBM perspective on this vulnerability, refer to the following IBM Product Security Incident Response (PSIRT) blog post:
An update on the Apache Log4j CVE-2021-44228 vulnerability

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVVQ","label":"IBM Enterprise Records"},"ARM Category":[{"code":"a8m0z000000CbTBAA0","label":"IBM Enterprise Records-\u003EDocumentation"}],"Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"5.2.1"}]

Document Information

Modified date:
20 December 2021

UID

ibm16528298