Security Bulletin
Summary
IBM Sterling File Gateway is impacted by Apache Log4j vulnerabilities CVE-2021-45105 and CVE-2021-45046. Final remediation images published below. As an alternative to the final remediation images, manual mitigation steps are also provided below.
Vulnerability Details
CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process.
Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
Affected Product(s) | Version(s) |
IBM Sterling File Gateway | 6.0.0.0 - 6.1.1.0 |
Note that remote perimeter server, CLA2, OpsServer and external purge has been assessed for impact and were found to be not affected.
Due to concern surrounding Apache Log4j CVE-2021-45046 and CVE-2021-45105, end-of-support stream IBM Sterling B2B Integrator Version 5.2.x has been assessed for impact the versions and fix packs below were found to be not affected by CVE-2021-45046 and CVE-2021-45105:
5020605_3 and all lower fix packs
5020604 and all fix packs
5020603 and all fix packs
5020602 and all fix packs
5020601 and all fix packs
5020600 and all fix packs
5020500 and all fix packs
5020402 and all fix packs
Remediation/Fixes
Affected Product(s) | Version(s) |
IBM Sterling File Gateway |
IIM Step 1: Apply IBM Sterling Filegateway IIM version 6.0.0.7, 6.0.3.5, 6.1.0.4, 6.1.1.0, 6.0.2.3 or 6.0.1.2
Step 2: Apply the remediating ifix 6.0.0.7_1, 6.0.3.5_1, 6.1.0.4_1 , 6.1.1.0_1, 6.0.2.3._1 or 6.0.1.2_1 that are located on Fix Central Also for 6.1.1.0 after applying the remediating ifix 6.1.1.0_1, additionally follow the steps in this technote. Docker & Containers Step 1: Apply either IBM Sterling Filegateway Docker version 6.0.0.7, 6.0.3.5 or 6.1.0.4, Step 2: Next apply one of the remediating ifixes below: IBM Sterling Filegateway Docker version 6.0.0.7_1 on Fix Central IBM Sterling Filegateway Docker version 6.0.3.5_1 on Fix Central IBM Sterling Filegateway Container version 6.1.0.4_1 |
Workarounds and Mitigations
If you are unable to apply the remediated fix packs above, as an alternative IBM strongly recommends addressing the vulnerability by applying one of these mandatory remediation steps below now.
Before applying any of the Workarounds and Mitigations below ensure that the file system of IBM Sterling B2B Integrator has been fully backed up.
Linux: The following script can be applied to Linux B2Bi ASI node and Adapter Container nodes. Please ensure to read the included readme file before applying.
AIX: The following script can be applied to AIX B2Bi ASI node and Adapter Container nodes. Please ensure to read the included readme file before applying.
Docker Container or OCP: The following document with steps can be manually applied to Docker Container or OCP B2Bi ASI node and Adapter Container nodes:
Windows: The following document with steps can be manually applied to Windows B2Bi ASI node and Adapter Container nodes:
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
21 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
18 February 2022
UID
ibm16537670