Security Bulletin
Summary
The Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This bulletin covers the vulnerability in versions of log4j earlier than 2.0; this version of the library is used by the ECM (Text Search) feature. CVE-2021-44228 addresses a critical vulnerability in 2.0 <= log4j <= 2.15.0 and is covered in a separate security bulletin. Please see CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for bulletins relating to Log4j V2.
Vulnerability Details
CVEID: CVE-2021-4104
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
The ECM (Text Search Server) feature in all fix pack levels of IBM Db2 V10.5, V11.1, and V11.5, for all server editions on all platforms, is affected.
IBM Db2 V10.1 and V9.7 are not affected.
In the V11.1 release, the Hadoop federation wrapper is also impacted.
Remediation/Fixes
Customers running any vulnerable fix pack level of an affected Program (V10.5, V11.1, and V11.5) can download the special build containing the interim fix for this issue from Fix Central. These special builds are based on the most recent fix pack level for each impacted release: V10.5 FP11, V11.1.4 FP6, V11.5.6, and V11.5.7. They can be applied to any affected fix pack level of the appropriate release to remediate this vulnerability.
For ECM (Text Search Server)
If you are using Db2 Text Search with rich text filters, after these special builds are applied you will be required to upgrade your version of the rich text filters in addition to Db2 Text Search. Appropriate rich text filters (in this case version 8.5.5) for each Db2 release can be downloaded from the Db2 accessories suite page.
For details, see here.
For Install (Installation Manager)
We recommend that you download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).
Further investigation determined that Installation Manager is not impacted by CVE-2021-4104, because Installation Manager does not use log4j in a manner that exposes the vulnerability; it does, however, include the older version of the library.
For V11.1.x, install the Db2 fix listed in the table above for Linux 32-bit, Linux 64-bit, Windows 32-bit and/or Windows 64-bit. This fix replaces the existing log4j jar file with an empty jar file. While the vulnerability is mitigated by this fix, a scan will still show the existence of the jar file. Alternatively, you may download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).
For earlier versions, we recommend that you download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).
Workarounds and Mitigations
For ECM (Text Search):
The vulnerable jar can be patched to mitigate the vulnerability.
Note: Do not issue START/STOP Db2 text search server if Db2 text search is not configured.
On Linux and Unix:
Stop the TextSearch server: "db2ts stop for text".
Remove the JMSAppender.class file using one of the following two options.
Option 1: if 'zip' is available, a single command removes the class from the jar in place:
zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
Option 2: if you do not have access to 'zip', you can also use the 'jar' command to extract the jar, delete the class, and repackage it:
#assume log4j-1.2.17.jar exists in current directory
mkdir tmp
cd tmp
jar xvf ../log4j-1.2.17.jar
rm org/apache/log4j/net/JMSAppender.class
jar cvf ../log4j-1.2.17-patched.jar .
cd ..
rm log4j-1.2.17.jar
ln -s log4j-1.2.17-patched.jar log4j-1.2.17.jar
rm -rf tmp
Start the TextSearch server: "db2ts start for text".
On Windows, the Java jar tool can be used from CMD to follow the same steps as the Unix jar instructions.
Stop the TextSearch server: "db2ts stop for text" in the Db2 command line.
Start the Windows CMD program and go to the SQLLIB\db2tss\lib directory found in the installation path, e.g. "cd C:\ProgramFiles\IBM\SQLLIB\db2tss\lib".
Make a copy of the log4j-1.2.17.jar file, e.g. "copy log4j-1.2.17.jar log4j-1.2.17.jar.bak".
Make a new directory, e.g. "mkdir tmp".
Change to the new directory, e.g. "cd tmp".
Extract the jar file using the jar program found in the JDK in the SQLLIB\java path, e.g. "..\..\..\java\jdk\bin\jar xvf ..\log4j-1.2.17.jar".
Delete the JMSAppender.class file, e.g. "del org\apache\log4j\net\JMSAppender.class".
Package the files back into a new jar, e.g. "..\..\..\java\jdk\bin\jar cvf ..\log4j-1.2.17-patched.jar .".
Replace log4j-1.2.17.jar with log4j-1.2.17-patched.jar, e.g. "cd ..", "del log4j-1.2.17.jar", "ren log4j-1.2.17-patched.jar log4j-1.2.17.jar".
Clean up the "tmp" folder.
Start the TextSearch server: "db2ts start for text" in the Db2 command line.
For version 11.1 on linux and unix platforms only (not on Windows), the log4j-1.2.17.jar file under "/opt/IBM/db2/V11.1/federation/restservice/hadoop" in the Db2 installation location may be safely removed.
Subsequent installation of fixpacks may result in the error:
ERROR: Some error occurred while moving files during backup or restore to directory, "/opt/IBM/db2/<version>/.backup". The return code is "4394967295".
To resolve this apply the fixpack with the -f nobackup flag.
This file does not exist on Db2 versions prior to 11.1.
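A defender-side check for the workarounds above, added here as an example that is not part of IBM's bulletin or of any Db2 tooling: it scans an installation tree for log4j jars, reports whether each still contains org/apache/log4j/net/JMSAppender.class, recognises the empty stub jar that the Installation Manager fix leaves behind (which a file-name scanner would still flag), and strips the class from a jar the way "zip -d" does while keeping the original manifest (which "jar cvf" regenerates). The directory layout, jar contents and class bytes are constructed fixtures built in a temporary directory; nothing here touches a real Db2 installation.

```python
import os
import shutil
import tempfile
import zipfile

# The class the bulletin's mitigation removes from log4j 1.2.x jars.
JMS_APPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"


def classify_jar(path):
    """Return 'missing', 'empty', 'not-a-jar', 'patched' or 'vulnerable'.

    'empty' covers a zero-byte file or a jar holding nothing but META-INF,
    i.e. the stub the Installation Manager fix installs; 'patched' means
    JMSAppender.class is absent; 'vulnerable' means it is still present.
    """
    if not os.path.exists(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "empty"
    if not zipfile.is_zipfile(path):
        return "not-a-jar"
    with zipfile.ZipFile(path) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
    if all(n.startswith("META-INF/") for n in names):
        return "empty"
    if JMS_APPENDER_ENTRY in names:
        return "vulnerable"
    return "patched"


def strip_jms_appender(src, dst):
    """Copy src to dst without JMSAppender.class (the effect of `zip -d`),
    preserving every other entry and its compression. Returns entries dropped."""
    dropped = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JMS_APPENDER_ENTRY:
                dropped += 1
                continue
            zout.writestr(info, zin.read(info.filename))
    return dropped


def scan_tree(root):
    """Map each log4j*.jar under root (relative POSIX path) to its status."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("log4j") and lower.endswith(".jar"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = classify_jar(full)
    return results


def make_jar(path, entries):
    """Constructed fixture: write a jar with a manifest plus {name: bytes}."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, data in entries.items():
            jar.writestr(name, data)


def build_sample_tree(root):
    """Constructed layout mimicking the paths named in the bulletin:
    a Text Search jar, a Hadoop federation wrapper jar, and an IM stub jar."""
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 12  # placeholder class bytes
    vulnerable = {"org/apache/log4j/Logger.class": fake_class,
                  JMS_APPENDER_ENTRY: fake_class}
    make_jar(os.path.join(root, "db2tss", "lib", "log4j-1.2.17.jar"), vulnerable)
    make_jar(os.path.join(root, "federation", "restservice", "hadoop",
                          "log4j-1.2.17.jar"), vulnerable)
    make_jar(os.path.join(root, "im", "plugins", "log4j-1.2.17.jar"), {})


def run_demo():
    """Build the fixture, scan it, patch only the Text Search jar as the
    bulletin describes, rescan, and return both scans plus entries dropped."""
    root = tempfile.mkdtemp(prefix="log4j-check-")
    try:
        build_sample_tree(root)
        before = scan_tree(root)
        tss_jar = os.path.join(root, "db2tss", "lib", "log4j-1.2.17.jar")
        patched = tss_jar.replace("log4j-1.2.17.jar", "log4j-1.2.17-patched.jar")
        dropped = strip_jms_appender(tss_jar, patched)
        os.replace(patched, tss_jar)  # bulletin uses a symlink; a rename is equivalent here
        after = scan_tree(root)
    finally:
        shutil.rmtree(root)
    return {"before": before, "after": after, "dropped": dropped}


if __name__ == "__main__":
    report = run_demo()
    for phase in ("before", "after"):
        print(phase)
        for rel, status in sorted(report[phase].items()):
            print(f"  {status:10s} {rel}")
```

Run against a real installation by pointing scan_tree at the SQLLIB or /opt/IBM/db2/<version> directory after applying the steps above; the Hadoop wrapper jar stays "vulnerable" in the demo on purpose, to show that a scan distinguishes a jar that has merely been renamed or stubbed from one that still carries the class.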
References
Acknowledgement
Change History
06 June 2022: Added mitigation to remove log4j from the Hadoop wrapper on Linux/Unix and links to other related Log4j bulletins.
31 Jan 2022: Added 10.5 links for Windows 64-bit and Windows 32-bit fix packs.
31 Dec 2021: Added 10.5 links for AIX 64-bit, Linux 32-bit and Linux 64-bit fix packs.
29 Dec 2021: Added 11.1.4.6 links for Windows 32-bit and Solaris 64-bit fix packs
28 Dec 2021: Updated ECM Text Search section to reflect that the text search server should not be stopped or started if the customer is not using text search, and added the instructions to copy the patched jar in place of the original.
24 Dec 2021: Removed Install section as impacted, as further investigation determined that Installation Manager was not affected by this vulnerability, thus Db2 is not vulnerable from that dependency. Added 11.1.4.6 link for Windows 64-bit fix pack.
22 Dec 2021: Added 10.5 link for Inspur. Clarified server and client impact for each issue
21 Dec 2021: Added 11.5.6 links for Windows 32-bit and Windows 64-bit fix packs. Added 11.5.7 links for Windows 32-bit and Windows 64-bit fix packs
21 Dec 2021: Updated note that the 11.5.6 builds are the same as the one for CVE-2021-44228. Updated description of Db2 Text Search update.
20 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
07 June 2022
UID
ibm16528678