Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects Engineering Lifecycle Management and IBM Engineering products

Summary

There is a high-risk remote attack vulnerability in Apache Log4j (CVE-2021-44228). Log4j is used by IBM Jazz Team Server, so the following Jazz Team Server based applications are affected: Engineering Lifecycle Management (ELM), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody - Model Manager (RMM), IBM Jazz Reporting Service (JRS), and IBM Engineering Requirements Management DOORS Next (DNG).

Vulnerability Details

CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Please find the affected components and remediations for each affected product and version in the table below.

Version(s) | Affected Product(s)                                                  | Components and Remediations
-----------|----------------------------------------------------------------------|----------------------------
6.0.6      | Collaborative Lifecycle Management (CLM)                             | #2
6.0.6      | Global Configuration Management (GCM)                                | #2
6.0.6      | IBM Jazz Reporting Service (JRS)                                     | #2, #5
6.0.6      | Rational DOORS Next Generation (RDNG)                                | #2
6.0.6      | Rational Engineering Lifecycle Manager (RELM)                        | #2
6.0.6      | Rational Rhapsody Design Manager (RDM)                               | #3
6.0.6      | Rational Rhapsody Model Manager (RMM)                                | #2
6.0.6      | Rational Quality Manager (RQM)                                       | #2
6.0.6      | Rational Team Concert (RTC)                                          | #2
6.0.6.1    | Collaborative Lifecycle Management (CLM)                             | #2
6.0.6.1    | Global Configuration Management (GCM)                                | #2
6.0.6.1    | IBM Jazz Reporting Service (JRS)                                     | #2, #5
6.0.6.1    | Rational DOORS Next Generation (RDNG)                                | #2
6.0.6.1    | Rational Engineering Lifecycle Manager (RELM)                        | #2
6.0.6.1    | Rational Rhapsody Design Manager (RDM)                               | #3
6.0.6.1    | Rational Rhapsody Model Manager (RMM)                                | #2
6.0.6.1    | Rational Quality Manager (RQM)                                       | #2
6.0.6.1    | Rational Team Concert (RTC)                                          | #2
7.0        | IBM Engineering Requirements Management DOORS Next (DNG)             | #2
7.0        | Engineering Lifecycle Management (ELM)                               | #2
7.0        | IBM Engineering Lifecycle Optimization - Engineering Insights (ENI)  | #2
7.0        | IBM Engineering Test Management (ETM)                                | #2
7.0        | IBM Engineering Workflow Management (EWM)                            | #2
7.0        | Global Configuration Management (GCM)                                | #2
7.0        | IBM Jazz Reporting Service (JRS)                                     | #2
7.0        | IBM Engineering Systems Design Rhapsody - Model Manager (RMM)        | #2
7.0.1      | IBM Engineering Requirements Management DOORS Next (DNG)             | #2
7.0.1      | Engineering Lifecycle Management (ELM)                               | #2, #4
7.0.1      | IBM Engineering Lifecycle Optimization - Engineering Insights (ENI)  | #2
7.0.1      | IBM Engineering Test Management (ETM)                                | #2
7.0.1      | IBM Engineering Workflow Management (EWM)                            | #2
7.0.1      | Global Configuration Management (GCM)                                | #2
7.0.1      | IBM Jazz Reporting Service (JRS)                                     | #2
7.0.1      | IBM Engineering Systems Design Rhapsody - Model Manager (RMM)        | #2
7.0.2      | Engineering Lifecycle Management (ELM)                               | #4
7.0.2      | IBM Engineering Requirements Management DOORS Next (DNG)             | #1

Remediation/Fixes

Affected Components and Remediations:

1 - For IBM Engineering Requirements Management DOORS Next Version 7.0.2 only. Click this link, download the DOORS Next log4j patch patch_Log4Shell_DNv2.zip and the readme.txt file. Follow the instructions in the readme.txt file to install the patch.

2 - The Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured for the following products will need to be updated: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Workflow Management (EWM), IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody - Model Manager (RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next (DNG), versions 6.0.6, 6.0.6.1, 7.0 and 7.0.1.

Find the version corresponding to your offering, click the link and download the patch and readme.txt. Follow the instructions in the readme.txt file to update the Knowledge Center (KC).

3 - Similarly, for IBM Engineering Systems Design Rhapsody - Design Manager (RDM) Version 6.0.6 or 6.0.6.1, the Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured will need to be updated.

Click the link and download the RDM patch and readme.txt. Follow the instructions in the readme.txt file to update the Knowledge Center (KC).

4 - If the Engineering Lifecycle Management (ELM) optional component mxbean-datacollection (ELMMon) has been installed for version 7.0.1 or 7.0.2, it will need to be updated. Click this link and follow the instructions to remediate.

5 - IBM Jazz Reporting Service (JRS) versions 6.0.6 and 6.0.6.1 included an optional technology preview of the property graph solution (https://jazz.net/pub/new-noteworthy/jrs/6.0.6/6.0.6/index.html#1). This technology preview is impacted by CVE-2021-44228. The workaround is to uninstall both the Apache Cassandra - LQE Technology Preview and the Elastic Search - LQE Technology Preview components of IBM Jazz Reporting Service. In IBM Installation Manager (IIM), modify the packages to uninstall these components.

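Which of the numbered remediations apply depends on which optional components (KCCI help server, ELMMon, the JRS LQE technology preview) are actually present on a server. The script below is an added example, not code from IBM's bulletin or products: it inventories an install root for log4j-core jars, reads each jar's manifest version, and reports whether the release predates the fix for CVE-2021-44228 and whether the JndiLookup class is still inside the jar (the class whose removal Apache documented as a mitigation). The install tree it scans is constructed sample data; the KCCI and ELMMon directory names in it are assumptions, not real product paths.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 affects Log4j 2.0-beta9 through 2.14.1; 2.15.0 closed this CVE (later CVEs moved the bar further).
FIXED_IN = (2, 15, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.11.1' -> (2, 11, 1); '2.0-beta9' -> (2, 0, 0); None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def jar_version(jar):
    """Manifest Implementation-Version first, jar file name as fallback."""
    manifest = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in jar.namelist() else b""
    m = re.search(rb"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1).decode() if m else Path(jar.filename).name)

def classify(version, has_jndi_lookup):
    """patched / mitigated (JndiLookup class stripped from the jar) / vulnerable / unknown-version."""
    if version is None:
        return "unknown-version"
    if version >= FIXED_IN:
        return "patched"
    return "vulnerable" if has_jndi_lookup else "mitigated"

def inventory(root):
    """One (relative path, version, status) finding per log4j-core jar anywhere below root."""
    findings = []
    for path in sorted(Path(root).rglob("log4j-core-*.jar")):
        with zipfile.ZipFile(path) as jar:
            version, has_jndi = jar_version(jar), JNDI_LOOKUP in jar.namelist()
        findings.append((path.relative_to(root).as_posix(), version, classify(version, has_jndi)))
    return findings

def make_sample_install():
    """Constructed stand-in for a Jazz install root: three fake jars, no real Log4j code inside."""
    root = Path(tempfile.mkdtemp())
    samples = [("KCCI/lib/log4j-core-2.11.1.jar", "2.11.1", True),   # unpatched help server
               ("ELMMon/log4j-core-2.11.1.jar", "2.11.1", False),    # class already removed
               ("server/log4j-core-2.15.0.jar", "2.15.0", True)]     # fixed release
    for rel, version, keep_jndi in samples:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
            if keep_jndi:
                jar.writestr(JNDI_LOOKUP, b"")  # placeholder entry, not real bytecode
    return root
```

A jar reported as "mitigated" or "patched" still needs the vendor patch from the list above applied, since the bulletin offers no other supported workaround.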

Workarounds and Mitigations

None

References

Acknowledgement

Change History

15 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

Document Information

Modified date:
11 January 2022

UID

ibm16527732