Security Bulletin
Summary
A high-risk remote attack vulnerability in Apache Log4j (CVE-2021-44228), which is used by IBM Jazz Team Server, affects the following IBM Jazz Team Server based applications: Engineering Lifecycle Management (ELM), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Test Management (ETM), Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody - Model Manager (RMM), IBM Jazz Reporting Service (JRS) and IBM Engineering Requirements Management DOORS Next (DNG).
Vulnerability Details
CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by its JNDI features failing to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system.
Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base Score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
The table below lists, for each affected product and version, the remediation items that apply; the item numbers refer to the numbered list under Remediation/Fixes.
Version(s) | Affected Product(s) | Components and Remediations
6.0.6 | Collaborative Lifecycle Management (CLM) | #2
6.0.6 | Global Configuration Management (GCM) | #2
6.0.6 | IBM Jazz Reporting Service (JRS) | #2, #5
6.0.6 | Rational DOORS Next Generation (RDNG) | #2
6.0.6 | Rational Engineering Lifecycle Manager (RELM) | #2
6.0.6 | Rational Rhapsody Design Manager (RDM) | #3
6.0.6 | Rational Rhapsody Model Manager (RMM) | #2
6.0.6 | Rational Quality Manager (RQM) | #2
6.0.6 | Rational Team Concert (RTC) | #2
6.0.6.1 | Collaborative Lifecycle Management (CLM) | #2
6.0.6.1 | Global Configuration Management (GCM) | #2
6.0.6.1 | IBM Jazz Reporting Service (JRS) | #2, #5
6.0.6.1 | Rational DOORS Next Generation (RDNG) | #2
6.0.6.1 | Rational Engineering Lifecycle Manager (RELM) | #2
6.0.6.1 | Rational Rhapsody Design Manager (RDM) | #3
6.0.6.1 | Rational Rhapsody Model Manager (RMM) | #2
6.0.6.1 | Rational Quality Manager (RQM) | #2
6.0.6.1 | Rational Team Concert (RTC) | #2
7.0 | IBM Engineering Requirements Management DOORS Next (DNG) | #2
7.0 | Engineering Lifecycle Management (ELM) | #2
7.0 | IBM Engineering Lifecycle Optimization - Engineering Insights (ENI) | #2
7.0 | IBM Engineering Test Management (ETM) | #2
7.0 | IBM Engineering Workflow Management (EWM) | #2
7.0 | Global Configuration Management (GCM) | #2
7.0 | IBM Jazz Reporting Service (JRS) | #2
7.0 | IBM Engineering Systems Design Rhapsody - Model Manager (RMM) | #2
7.0.1 | IBM Engineering Requirements Management DOORS Next (DNG) | #2
7.0.1 | Engineering Lifecycle Management (ELM) | #2, #4
7.0.1 | IBM Engineering Lifecycle Optimization - Engineering Insights (ENI) | #2
7.0.1 | IBM Engineering Test Management (ETM) | #2
7.0.1 | IBM Engineering Workflow Management (EWM) | #2
7.0.1 | Global Configuration Management (GCM) | #2
7.0.1 | IBM Jazz Reporting Service (JRS) | #2
7.0.1 | IBM Engineering Systems Design Rhapsody - Model Manager (RMM) | #2
7.0.2 | Engineering Lifecycle Management (ELM) | #4
7.0.2 | IBM Engineering Requirements Management DOORS Next (DNG) | #1
Remediation/Fixes
Affected Components and Remediations:
1 - For IBM Engineering Requirements Management DOORS Next version 7.0.2 only: click this link, download the DOORS Next Log4j patch patch_Log4Shell_DNv2.zip and the readme.txt file, then follow the instructions in readme.txt to install the patch.
2 - The Knowledge Center Component for a locally installed Help Server (KCCI) that is (optionally) installed and configured for the following products must be updated: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DNG), IBM Engineering Workflow Management (EWM), IBM Engineering Test Management (ETM), Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody - Model Manager (RMM) and IBM Jazz Reporting Service (JRS), versions 6.0.6, 6.0.6.1, 7.0 and 7.0.1.
Find the version corresponding to your offering, click the link and download the patch and readme.txt. Follow the instructions in readme.txt to update the Knowledge Center (KC).
3 - Similarly, for IBM Engineering Systems Design Rhapsody - Design Manager (RDM) version 6.0.6 or 6.0.6.1, the Knowledge Center Component for a locally installed Help Server (KCCI) that is (optionally) installed and configured must be updated.
Click the link and download the RDM patch and readme.txt. Follow the instructions in readme.txt to update the Knowledge Center (KC).
4 - If the Engineering Lifecycle Management (ELM) optional component mxbean-datacollection (ELMMon) has been installed for version 7.0.1 or 7.0.2, it must be updated. Click this link and follow the instructions to remediate.
5 - IBM Jazz Reporting Service (JRS) versions 6.0.6 and 6.0.6.1 included an optional technology preview of the property graph solution (https://jazz.net/pub/new-noteworthy/jrs/6.0.6/6.0.6/index.html#1). This technology preview is affected by CVE-2021-44228. The workaround is to uninstall both the Apache Cassandra - LQE Technology Preview and the Elastic Search - LQE Technology Preview components of IBM Jazz Reporting Service: in IBM Installation Manager (IIM), modify the package to uninstall these components.
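After applying the patches above, an operator will want to confirm that no optional component (help server, ELMMon, the JRS technology preview) still carries an unpatched log4j-core. The following script is an added example, not IBM's code and not part of this bulletin: it inventories log4j-core jars under an installation root, reads each jar's Implementation-Version and checks whether the JndiLookup class that CVE-2021-44228 abuses is still present. The directory names in the constructed sample are hypothetical, and the 2.15.0 fix threshold comes from the Apache Log4j advisory, not from this page.

```python
"""Inventory log4j-core jars under an install root; flag any that still ship the JNDI lookup class abused by CVE-2021-44228."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class that performs JNDI lookups
FIXED = (2, 15, 0)  # first log4j 2.x release that fixed CVE-2021-44228 (per the Apache Log4j advisory)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def assess_jar(path):
    """Return (version, has_jndi_lookup, vulnerable) for one jar file."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        has_jndi = JNDI_LOOKUP in names
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = m.group(1) if m else None
    # Unpatched when the lookup class is present and the version predates the fix; an
    # unreadable version compares as (0, 0, 0) so such a jar is reported, not silently skipped.
    vulnerable = has_jndi and (parse_version(version) or (0, 0, 0)) < FIXED
    return version, has_jndi, vulnerable

def scan_tree(root):
    """Map each log4j-core*.jar under root (POSIX relative path) to its assessment."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): assess_jar(p) for p in root.rglob("log4j-core*.jar")}

def build_sample_install(root, jars):
    """Write constructed jars described by {relative path: (version, include_jndi_class)}."""
    for rel, (version, include_jndi) in jars.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if include_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only; body is irrelevant here

def demo():
    """Scan a constructed (hypothetical) tree holding an unpatched jar, a class-stripped jar and a fixed jar."""
    sample = {"help/lib/log4j-core-2.13.3.jar": ("2.13.3", True),   # unpatched: reported
              "mon/lib/log4j-core-2.11.2.jar": ("2.11.2", False),   # old, but JndiLookup removed: ok
              "app/lib/log4j-core-2.15.0.jar": ("2.15.0", True)}    # fixed release: ok
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root, sample)
        return scan_tree(root)
```

Run `scan_tree()` against the real installation root instead of `demo()`; any entry whose third value is True still needs the corresponding patch from the list above.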
Change History
15 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location: Worldwide
Document Information
Modified date: 11 January 2022
UID: ibm16527732