IBM Support

Remediation for log4j version 1 vulnerabilities in IBM Engineering Lifecycle Management

Flashes (Alerts)


Abstract

The log4j version 1 vulnerabilities (CVE-2021-4104 and the related CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, etc.) in IBM Engineering Lifecycle Management (ELM) are being mitigated in ELM versions 7.0.1 and 7.0.2 in Service Release 1 (SR1). Log4j version 1 is being replaced with log4j version 2.17 or later in ELM. Log4j version 1 libraries are not shipped with SR1.

Content

ELM versions 6.0.6, 6.0.6.1, and 7.0.0 will reach End of Support on 31 October 2022. Customers that use those versions must upgrade to ELM 7.0.2 SR1 iFix15, which replaces log4j version 1 with log4j version 2. Failure to do so leaves you open to vulnerabilities.
Customers who are not currently on ELM support can obtain temporary ELM 7.0.2 evaluation licenses for up to 90 days to upgrade and use the remediated version of ELM. ELM 7.0.2 licenses beyond that time require a new support agreement. Contact your ELM account manager or business partner to obtain the licenses.
Installation
The installation process for these interim fixes is different than the regular interim fix process. Installation is performed by using IBM Installation Manager and existing configuration files are copied to the new ELM installation.
  • Note: The side-by-side installation does not require any database updates or reindexing.
  • Future interim fixes for ELM 7.0.1 SR1 and 7.0.2 SR1 continue to be installed the way interim fixes are traditionally deployed.
  • Future interim fixes are only compatible with ELM 7.0.1 SR1 iFix18 or ELM 7.0.2 SR1 iFix15.
  • Future interim fixes are not compatible with earlier versions of ELM. You must move to one of the SR1 releases to use future interim fixes.
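Because the SR1 installation sits side by side with the earlier one, a scan of both directory trees shows whether any log4j version 1 classes tied to the CVEs named above are still on disk. The script below is an added example, not IBM tooling: the class paths are the upstream log4j 1.x ones, and the directory to scan is whatever path you pass on the command line. A hit in a fork or compatibility jar that reuses the `org.apache.log4j` package needs manual confirmation.

```python
import io
import zipfile
from pathlib import Path

# Upstream log4j 1.x class paths tied to the CVEs named in this flash.
CVE_BY_PREFIX = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",
}
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, depth=0):
    """Return {(archive label, CVE)} for one archive, descending into nested ones."""
    hits = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            for prefix, cve in CVE_BY_PREFIX.items():
                if name.startswith(prefix):
                    hits.add((label, cve))
            # Libraries are often packed inside a WAR/EAR, so look one level deeper.
            if name.lower().endswith(ARCHIVE_EXT) and depth < 4:
                hits |= scan_archive(zf.read(name), f"{label}!{name}", depth + 1)
    return hits


def scan_tree(root):
    """Scan every archive under root (an ELM install directory, old or new)."""
    hits = set()
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            hits |= scan_archive(path.read_bytes(), str(path))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for label, cve in scan_tree(sys.argv[1]):
        print(f"{cve}  {label}")
```

An empty result for the new installation directory is consistent with the statement that log4j version 1 libraries are not shipped with SR1; results for the old directory show what remains on disk until it is removed.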
Downloads
The versions of ELM that remediate the log4j v1 issue can be obtained from the normal channels:


Document Information

Modified date:
23 August 2022

UID

ibm16607980