IBM Support

Security Bulletin: IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307)

Security Bulletin


Summary

Apache Log4j is used by IBM WebSphere eXtreme Scale as part of remote logging functionality (CVE-2022-23307). The fix includes Apache Log4j v2.17.1.

Vulnerability Details

CVEID:   CVE-2022-23307
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)Version(s)
IBM WebSphere Extreme Scale8.6.1.0 - 8.6.1.5

Remediation/Fixes

 

IBM strongly recommends addressing the vulnerability now.

ProductVersion(s)

APAR

Remediation/First Fix

IBM WebSphere eXtreme Scale8.6.1.0 - 8.6.1.5PH44065

For older versions, upgrade to latest fixpacks 8.6.1.4 or 8.6.1.5 and then apply the PH44065 iFix. If you are using 8.6.1.4 or 8.6.1.5 directly apply the PH44065 iFix.

 

Recommended Fixes page for WebSphere eXtreme Scale

Workarounds and Mitigations

IBM recommends addressing the vulnerability by executing the Remediation as detailed above.

 

If executing the Remediation is not possible, please review this information and take action to implement the Workaround.

  • Remote logging is disabled by default.
  • If remote logging has been enabled, disable it by referring to these pages for eXtremeScale and XSLD

 

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

25 Feb 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTVLU","label":"WebSphere eXtreme Scale"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.6.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
22 March 2022

UID

ibm16565333

Page Feedback