IBM Support

Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, ) and denial of service due to Apache Log4j (CVE-2021-45105)

Security Bulletin


Summary

There are Remote Attack Vulnerabilities in Apache Log4j (CVE-2021-45105, CVE-2021-45046, CVE-2021-44832) which is used by the IBM Engineering Lifecycle Management products for logging . The fix includes upgrade to Apache log4j v2.17.1.

Vulnerability Details

CVEID:   CVE-2021-44832
DESCRIPTION:   Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-45105
DESCRIPTION:   Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2021-45046
DESCRIPTION:   Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

The following IBM Engineering Lifecycle Management products (IBM Jazz Team Server based Applications) are affected: Collaborative Lifecycle Management (CLM), Engineering Lifecycle Management (ELM), IBM Engineering Workflow Management (EWM), IBM Engineering Test Management (ETM), Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody – Model Manager(RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next(DNG).

Please find the affected components and remediations for each affected product and version in the table below.

Version(s)Affected Product(s)Remediation (Refer to the Step number in the Remediation Section)
6.0.6Collaborative Lifecycle Management (CLM) #2  
Global Configuration Management (GCM) #2  
IBM Jazz Reporting Service (JRS) #2 #4
Rational DOORS Next Generation(RDNG) #2  
Rational Engineering Lifecycle Manager (RELM) #2  
Rational Rhapsody Model Manager (RMM) #2  
Rational Quality Manager (RQM) #2  
Rational Team Concert (RTC) #2  
6.0.6.1Collaborative Lifecycle Management (CLM) #2  
Global Configuration Management (GCM) #2  
IBM Jazz Reporting Service (JRS) #2 #4
Rational DOORS Next Generation(RDNG) #2  
Rational Engineering Lifecycle Manager (RELM) #2  
Rational Rhapsody Model Manager (RMM) #2  
Rational Quality Manager (RQM) #2  
Rational Team Concert (RTC) #2  
7.0IBM Engineering Requirements Management DOORS Next(DNG) #2  
Engineering Lifecycle Management (ELM) #2  
IBM Engineering Lifecycle Optimization - Engineering Insights (ENI) #2  
IBM Engineering Test Management (ETM) #2  
IBM Engineering Workflow Management (EWM) #2  
Global Configuration Management (GCM) #2  
IBM Jazz Reporting Service (JRS) #2  
IBM Engineering Systems Design Rhapsody - Model Manager  (RMM) #2  
7.0.1IBM Engineering Requirements Management DOORS Next(DNG) #2  
Engineering Lifecycle Management (ELM) #2#3 
IBM Engineering Lifecycle Optimization - Engineering Insights (ENI) #2  
IBM Engineering Test Management (ETM) #2  
IBM Engineering Workflow Management (EWM) #2  
Global Configuration Management (GCM) #2  
IBM Jazz Reporting Service (JRS) #2  
IBM Engineering Systems Design Rhapsody - Model Manager (RMM) #2  
7.0.2Engineering Lifecycle Management (ELM)  #3 
IBM Engineering Requirements Management DOORS Next(DNG)#1  

 

 

 

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by taking the actions documented in this bulletin.

Note: This Bulletin Supersedes Bulletin:  https://www.ibm.com/support/pages/node/6527732

Note: If you integrate any of the IBM Jazz Team Server-based products and versions (6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2) listed above with IBM WebSphere Application Server (WAS) you will want to review the IBM WebSphere Application Server (WAS) remediation guidance.

1 - For IBM Engineering Requirements Management DOORS Next (DNG) Version 7.0.2 only. Click this Link to install iFix010 or newer. Note, if you have prior installed the log4j patch patch_Log4Shell_DNv4.zip you will need to remove it first. Follow the instructions in the iFix for steps on how to remove patches.

2 - The Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured for the following products: Collaborative Lifecycle Management (CLM), Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next),  IBM Engineering Workflow Management (EWM),  IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody – Model Manager(RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next(DNG) versions 6.0.6, 6.0.6.1,7.0, 7.0.1 will need to be updated. Follow this Link and apply the Remediation

3 - If the Engineering Lifecycle Management (ELM) optional component mxbean-datacollection (ELMMon) has been installed for version 7.0.1 or 7.0.2 it will need to be updated. Click This link and follow the instructions to remediate.

4 - IBM Jazz Reporting Service (JRS) versions 6.0.6, 6.0.6.1 included an optional technology preview of the property graph solution (https://jazz.net/pub/new-noteworthy/jrs/6.0.6/6.0.6/index.html#1). This technology preview is impacted. The work around is to un-install both the Apache Cassandra - LQE Technology Preview and Elastic Search -LQE Technology Preview components of IBM Jazz Reporting Service. In IBM Installation Manager (IIM) modify packages to uninstall these components.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

06 Jan 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSPRJQ","label":"IBM Engineering Lifecycle Management Base"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSR27Q","label":"Rational Quality Manager"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6, 6.0.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSJJ9R","label":"Rational DOORS Next Generation"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6,6.0.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSSRPNG","label":"Global Configuration Management"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUVLZ","label":"IBM Engineering Requirements Management DOORS Next"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYMRC","label":"Rational Collaborative Lifecycle Management"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6-7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUC3U","label":"IBM Engineering Workflow Management"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUVV6","label":"IBM Engineering Test Management"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCP65","label":"Rational Team Concert"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"6.0.6,6.0.6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUVLZ","label":"IBM Engineering Requirements Management DOORS Next"},"Component":"","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"7.0,7.0.1,7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
28 January 2022

Initial Publish date:
06 January 2022

UID

ibm16540016

Page Feedback