IBM Support

IBM QRadar SIEM and Apache log4j version 1 usage

News


Abstract

IBM QRadar SIEM currently depends on the Apache log4j 1 library for application logging from QRadar services. The Apache log4j 1 library is also used for QRadar internal log sources, such as audit log events for self-monitoring and system health metrics.

Content

Change list


  • 20 May 2022 (10:00 AM EDT): Modified the technical note to reflect the current release schedule for QRadar Upgrade Packs.
  • 9 September 2022 (10:00 AM EDT): Modified the technical note to reflect the release of QRadar 7.5.0 Update Package 3.

  • There are currently five known CVEs which impact log4j 1. IBM QRadar SIEM does not use any of the affected modules as currently delivered.
    • CVE-2019-17571 - QRadar does not use the affected socket server.
    • CVE-2020-9488 - QRadar does not use the SMTP appender.
    • CVE-2022-23302 - QRadar does not use the JMS appender.
    • CVE-2022-23305 - QRadar does not write to a database using the JDBC appender.
    • CVE-2022-23307 - QRadar does not use the Chainsaw GUI.
  • In a future release, an Upgrade Pack (UP) is planned to update log4j to the latest supported version.
    • 7.5.0 Update Pack 3 released on 6 September 2022.
    • 7.4.3 Fix Pack 7 targeted release for September 2022.
    • 7.3.3 Fix Pack 12, no updates planned. Administrators can apply an upgrade to a QRadar 7.4.x or 7.5.x version mentioned in this technical note. QRadar 7.3.x versions are officially end of life on 30 September 2022. 
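
An administrator can check the same point for any log4j 1 properties file by looking for the appender classes behind three of the CVEs listed above. The following is an added example, not IBM or QRadar code. The sample configuration is constructed, and the socket server and Chainsaw GUI are left out of scope because they are standalone classes rather than appenders.

```python
import re

# Appender classes tied to three of the CVEs listed above
# (class names as shipped in Apache log4j 1.2).
APPENDER_CVES = {
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
    "org.apache.log4j.net.JMSAppender": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}
_APPENDER = re.compile(r"^log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)")
_LOGGER = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|(?:logger|category)\.[^=:\s]+)\s*[=:]\s*(.*)$")


def audit_properties(text):
    """Return findings for affected appenders in a log4j 1 properties file."""
    appenders, attached = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # properties-file comment markers
            continue
        m = _APPENDER.match(line)
        if m:  # "log4j.appender.<name>=<class>"; sub-properties do not match
            appenders[m.group(1)] = m.group(2)
            continue
        m = _LOGGER.match(line)
        if m:  # value is "LEVEL, appender1, appender2": skip the level field
            attached.update(p.strip() for p in m.group(1).split(",")[1:] if p.strip())
    return [
        {"appender": name, "class": cls, "cve": APPENDER_CVES[cls],
         "attached": name in attached}  # True if any logger references it
        for name, cls in sorted(appenders.items()) if cls in APPENDER_CVES
    ]


# Constructed sample configuration, not taken from a QRadar system.
SAMPLE = """\
log4j.rootLogger=INFO, file, mail
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/tmp/example.log
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.SMTPHost=smtp.example.test
! defined but not referenced by any logger
log4j.appender.db = org.apache.log4j.jdbc.JDBCAppender
log4j.logger.com.example=DEBUG, file
"""

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE):
        print(finding)
```

An empty result means none of the three appender classes is defined in that file; it says nothing about configuration supplied in XML form or set programmatically.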

Environment

  • IBM QRadar SIEM 7.5
  • IBM QRadar SIEM 7.4.3
  • IBM QRadar SIEM 7.3.3

For more information about IBM QRadar SIEM product security, see https://www.ibm.com/blogs/psirt/.


Document Information

Modified date:
10 September 2022

UID

ibm16561889