Security Bulletin
Summary
There is a vulnerability in the Apache Log4j open source library. The library is used by Elasticsearch, a dependency of IBM Cloud Private, for logging messages to files. This bulletin identifies the security fixes to apply to address the Log4Shell vulnerability (CVE-2021-45046).
Vulnerability Details
CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
Affected Product(s) | Version(s) |
IBM Cloud Private | 3.1.0 |
IBM Cloud Private | 3.1.1 |
IBM Cloud Private | 3.1.2 |
IBM Cloud Private | 3.2.0 |
IBM Cloud Private | 3.2.1 CD |
IBM Cloud Private | 3.2.2 CD |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading.
The recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:
For IBM Cloud Private 3.1.0: IBM Cloud Private 3.1.0 Patch
For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch
For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch
For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch
For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch
For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch
For IBM Cloud Private 3.1.0:
- Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Details of the ElasticSearch remediation for IBM Cloud Private Version 3.2.1 and 3.2.2
The ibm-icplogging component has been updated to use Elasticsearch 6.8.22. This release upgrades the Log4j package to 2.17.0, which remediates the log4j vulnerabilities and should not trigger false positives in vulnerability scanners as was the case with Elasticsearch 6.8.21.
Elasticsearch announcement (ESA-2021-31)
Details of the ElasticSearch remediation for IBM Cloud Private Version 3.1.0, 3.1.1, 3.1.2, and 3.2.0
Elasticsearch and Logstash within ibm-icplogging component have been updated to remediate the log4j vulnerabilities by removing the vulnerable JndiLookup class from the log4j-core package. Some vulnerability scanners may continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. However, the mitigation sufficiently protects both remote code execution and information leakage.
Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation
Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation
Acknowledgement
Change History
21 Dec 2021: Initial Publication
22 Dec 2021: Add patch links for 3.1.1, 3.1.2, 3.2.0
18 Jan 2022: Add patch link for 3.1.0
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
27 January 2022
UID
ibm16529452