IBM Support

Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305)

Security Bulletin


Summary

IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305). This affects the logging infrastructure in IBM App Connect Enterprise and IBM Integration Bus. The fix includes Apache Log4j v2.17.1.

Vulnerability Details

CVEID:   CVE-2022-23305
DESCRIPTION:   Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2022-23307
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-23302
DESCRIPTION:   Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)Version(s)
   IBM App Connect Enterprise      V12.0.1.0 to V12.0.3.0
   IBM App Connect Enterprise

   V11.0.0.0 to V11.0.0.15

   Also affects IBM App Connect Enterprise Toolkit   

   V11.0.0.0 to V11.0.0.16

   IBM Integration Bus   V10.0.0.6 to V10.0.0.25

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by the applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise.

In addition, apply the appropriate remediation to IBM Integration Bus Toolkit/IBM App Connect Enterprise Toolkit.


Note: This supersedes APARs IT39377 and IT39458

Product(s)
 
 
Version(s)
APAR
Remediation / Fix and Instructions
IBM App Connect Enterprise
V12.0.1.0 to V12.0.3.0IT39515

Interim APAR fix for Windows is available from

12.0.3.0 IBM Fix Central

12.0.2.0 IBM Fix Central

12.0.1.0 IBM Fix Central

 

Interim APAR fix for the following platforms is available from IBM Fix Central

  • Linux x86-64
  • AIX
  • Linux on System z
  • Linux on Power Little Endian

 

IBM App Connect Enterprise
V11.0.0.0- V11.0.0.15IT39515

Interim fix for APAR is available  for v11.0.0.10-11.0.0.15 from

IBM Fix Central

IBM Integration Bus
V10.0.0.6 to V10.0.0.25IT39515

Interim fix for APAR is available for 10.0.0.25 from

IBM Fix Central

 
 
Remediation to the IBM Integration Toolkit V10 and IBM App Connect Enterprise Toolkit V11, V12

Delete the following file:
$MQSI_FILEPATH/tools/plugins/org.apache.log4j_<version>.v<datestamp>.jar

Where version is a 3 digit log4j version number and <datestamp> is the build date of the plugin.

  • For example: org.apache.log4j_1.2.15.v201012070815.jar

    Note that after applying this remediation it is not possible to install new patterns in the pattern explorer or install new features / software using the eclipse "Install Software or Update" dialog boxes.

 

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

10 Feb 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDR5J","label":"IBM App Connect Enterprise"},"Component":"-","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}],"Version":"-","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
01 April 2022

Initial Publish date:
10 February 2022

UID

ibm16568731

Page Feedback