Security Bulletin
Summary
WebSphere Application Server (WAS) is shipped as a component of IBM Security Guardium Key Lifecycle Manager (GKLM). Information about the Apache Log4j vulnerability has been published in a security bulletin. Customers are encouraged to take quick action to update their systems.
Vulnerability Details
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
|
Principal Product and Version(s) |
Affected Supporting Product and Version(s) |
| IBM Security Key Lifecycle Manager (SKLM) v2.7** [EOS] | WebSphere Application Server v9.0.0.1 |
| IBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5 |
| IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5 |
| IBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0 |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5 |
| IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | WebSphere Application Server Liberty 21.0.0.6 |
** IBM Security Key Lifecycle Manager (SKLM) v2.7 - Applicable only for customer with extension.
Remediation/Fixes
|
IMPORTANT The fix in this bulletin has been superseded by Security Bulletin: Multiple vulnerabilities in Apache Log4j affect the IBM WebSphere Application Server and IBM Security Guardium Key Lifecycle Manager (CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832). |
IBM strongly recommends addressing the vulnerability now by upgrading.
Depending on your GKLM/SKLM version, see the relevant section:
For SKLM 3.0, 3.0.1 and SKLM 4.0
For information about the vulnerability fixes, see Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) .
You only need to apply the interim fix provided by the WAS team. Before you apply the interim fix, check the WAS minimum fix pack requirement and the supported WAS for your SKLM version (see Support Matrix).
For instructions, see How to install WebSphere Application Server interim fix.
Note: Also applicable for SKLM 2.7 (only for customers with extension).
Recommended: Upgrade Java
After you apply the WAS interim fix, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
For GKLM 4.1.0
- On Linux and AIX systems, log in as the database user. For example, sklmdb41.
- Stop WebSphere Application Server.
On Linux or AIX:
WAS_HOME/bin/stopServer.sh server1 -username WAS_USER -password WAS_PASSWORDFor example,
/opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password waspasswordOn Windows:
WAS_HOME\bin\stopServer.bat server1 -username WAS_USER -password WAS_PASSWORDFor example,
C:\Program Files\IBM\WebSphere\AppServer\bin\stopServer.bat server1 -username wasadmin -password waspassword - Apply the WebSphere Application Server interim fix provided by the WAS team. For instructions, see How to install WebSphere Application Server interim fix.
For information about the vulnerability and fixes, see Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) .
Note: You only need to apply the interim fix provided by the WAS team.
-
Update Log4j.
- Download the latest log4j 2.15.0 files from the following link:
- Depending on your platform, download the applicable file:
- apache-log4j-2.15.0-bin.tar.gz
- apache-log4j-2.15.0-bin.zip
- Extract the downloaded files. Copy the following extracted JAR files to some other location (for example, desktop):
- log4j-api-2.15.0.jar
- log4j-core-2.15.0.jar
- Rename the JAR files as follows:
- log4j-api-2.15.0.jar to log4j-api-2.13.3.jar
- log4j-core-2.15.0.jar to log4j-core-2.13.3.jar
Note: This is a workaround. Because of this workaround, even after you apply the fix, the grep command shows log4j-api-2.13.3.jar version in the output. However, be assured that Log4j is upgraded to log4j-api-2.15.0.jar.
- Copy the renamed Log4j JAR files to the following location:
On Linux or AIX:
WAS_HOME/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/libFor example,
/opt/IBM/WebSphere/AppServer/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/libOn Windows:
WAS_HOME\profiles\KLMProfile\installedApps\SKLMCell\sklm_kms.ear\libFor example,
C:\Program Files\IBM\WebSphere\AppServer\profiles\KLMProfile\installedApps\SKLMCell\sklm_kms.ear\lib
- Start WebSphere Application Server.
On Linux or AIX:
WAS_HOME/bin/startServer.sh server1For example,
/opt/IBM/WebSphere/AppServer/bin/startServer.sh server1On Windows:
WAS_HOME\bin\startServer.bat server1For example,
C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1
Recommended: Upgrade Java
After you apply the WAS interim fix, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
For GKLM 4.1.1
This issue is fixed in GKLM 4.1.1 - Fix Pack 2. You can download it from Fix Central.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
14 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
04 May 2022
UID
ibm16527756