Security Bulletin
Summary
Apache-Log4j - CVE-2021-4104, Apache-Log4j - CVE-2022-23302, Apache-Log4j - CVE-2022-23305, Apache-Log4j - CVE-2022-23307
Vulnerability Details
Refer to the CVE details in the Remediation/Fixes section.
Affected Products and Versions
Affected Product(s) | Version(s)
------------------- | ----------
Tivoli Netcool Performance Manager for Wireless (TNPM) | 1.4.x
Remediation/Fixes
Below are the CVE Details -
# Apache-Log4j - CVE-2021-4104 :
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and the appender's JNDI binding has been pointed at the attacker's LDAP endpoint; in practice the attacker must first be able to change the Log4j configuration.
# Apache-Log4j - CVE-2022-23302 :
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.
# Apache-Log4j - CVE-2022-23305 :
A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection via untrusted data in log messages. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with an SQL pattern containing interpolation tokens (such as %m) that copy attacker-controlled message content into the statement.
# Apache-Log4j - CVE-2022-23307 :
A flaw was found in the Chainsaw component of Log4j 1.x (a log viewer shipped in the log4j jar): the contents of certain log entries it receives are deserialized, which can permit code execution. An attacker can send a request carrying malicious serialized data to a running Chainsaw instance, where it is deserialized; the flaw is only reachable while Chainsaw is running.
These are the mitigation steps for the issues above:
1. Comment out or remove any JMSAppender, JMSSink and JDBCAppender definitions in the Log4j configuration. The configuration files shipped with the product are listed below (here $WMCROOT=/appl/virtuo, the Virtuo directory); a customer environment may contain additional log4j.xml files, and those must be checked as well.
   - $WMCROOT/as/server/default/conf/log4j.xml
   - $WMCROOT/conf/logging/cli/log4j.xml
2. Stop all application services: as, asd, alarmcache, nccache and the loader instances (any of these components may have log4j loaded).
3. Take a backup of each log4j jar listed in step 5 before modifying it.
4. Remove the JMSAppender, JMSSink and JDBCAppender classes and the Chainsaw classes from each jar by running the following commands in the directory that contains it. The glob must expand to exactly one jar per run, because zip -d treats any further arguments as entry names to delete, not as additional archives. The chainsaw pattern is quoted so that zip, not the shell, expands it.
   - zip -q -d log4j*.jar org/apache/log4j/net/JMSAppender.class
   - zip -q -d log4j*.jar org/apache/log4j/net/JMSSink.class
   - zip -q -d log4j*.jar org/apache/log4j/jdbc/JDBCAppender.class
   - zip -q -d log4j*.jar 'org/apache/log4j/chainsaw/*'
   If a jar does not contain a named entry, zip reports "name not matched" and exits with status 12 ("Nothing to do!"); that is expected for a jar that never shipped the class. Afterwards confirm with unzip -l that none of the four sets of entries remain in any of the jars.
5. The JMSAppender, JMSSink, JDBCAppender and Chainsaw classes are found in the following jars (here $WMCROOT=/appl/virtuo, the Virtuo directory):
   - $WMCROOT/as/client/log4j.jar
   - $WMCROOT/as/lib/log4j-boot.jar
   - $WMCROOT/as/server/default/lib/log4j.jar
   - $WMCROOT/lib/tp/log4j.jar
6. Start all the services that were stopped in step 2.
7. Restrict the file permissions on the Log4j configuration files and jars so that only the OS user that runs the application can modify them; the vulnerable appenders are only reachable if an attacker can first change the Log4j configuration.
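The procedure above (check the log4j.xml files for the risky appenders, back up each jar, strip the four sets of classes, verify) as a worked example. This is added example code, not IBM's or the TNPM product's; it uses Python's zipfile instead of zip -d so it behaves identically on AIX, Solaris and Linux, and the jar and log4j.xml it operates on are constructed stand-ins, not the files under $WMCROOT. The function names (strip_jar, risky_entries_in_jar, risky_appenders_in_config, demo) are the example's own.

```python
"""Strip the Log4j 1.x JMSAppender, JMSSink, JDBCAppender and Chainsaw classes
from a jar (with a backup), verify the result, and flag a log4j.xml that still
references those appenders.  Added example, not IBM's code; the jar and the
log4j.xml used below are constructed stand-ins for the files under $WMCROOT."""
import fnmatch
import os
import re
import shutil
import tempfile
import zipfile

# The same entry names the bulletin deletes with "zip -q -d".
RISKY_ENTRIES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
    "org/apache/log4j/chainsaw/*",
)

# Appender classes that must not appear uncommented in log4j.xml.
RISKY_APPENDER_CLASSES = (
    "org.apache.log4j.net.JMSAppender",
    "org.apache.log4j.net.JMSSink",
    "org.apache.log4j.jdbc.JDBCAppender",
)


def is_risky(entry):
    """True if a jar entry name matches one of RISKY_ENTRIES (glob-style)."""
    return any(fnmatch.fnmatchcase(entry, pat) for pat in RISKY_ENTRIES)


def risky_entries_in_jar(jar_path):
    """Entries still present that should have been removed (empty list = clean)."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(name for name in zf.namelist() if is_risky(name))


def strip_jar(jar_path):
    """Copy jar_path to jar_path + '.bak', then rewrite the jar without the risky
    entries.  zipfile cannot delete in place, so the archive is rebuilt into a temp
    file in the same directory and renamed over the original.  Returns the removed names."""
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)                      # step 3: backup first
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(jar_path)),
                                    suffix=".jar")
    os.close(fd)
    removed = []
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if is_risky(info.filename):
                removed.append(info.filename)
                continue
            # Re-add every other entry with its original timestamp and compression.
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            dst.writestr(new, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return removed


def risky_appenders_in_config(xml_text):
    """Risky appender classes referenced in a log4j.xml, ignoring commented-out blocks."""
    live = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)
    return [cls for cls in RISKY_APPENDER_CLASSES if cls in live]


# Constructed log4j.xml: one appender commented out (fine), one JDBCAppender live (not fine).
SAMPLE_LOG4J_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="FILE" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="server.log"/>
  </appender>
  <!-- <appender name="JMS" class="org.apache.log4j.net.JMSAppender"/> -->
  <appender name="DB" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:db2://localhost/LOGS"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="FILE"/></root>
</log4j:configuration>
"""


def build_sample_jar(jar_path):
    """Constructed stand-in for log4j.jar: two harmless entries plus the risky ones."""
    entries = [
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/SocketAppender.class",
        "org/apache/log4j/chainsaw/Main.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/net/JMSSink.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
    ]
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")    # class-file magic only
    return jar_path


def demo(workdir=None):
    """Run the procedure on the constructed jar and return what a verifier would check."""
    workdir = workdir or tempfile.mkdtemp(prefix="log4j1-")
    jar = build_sample_jar(os.path.join(workdir, "log4j.jar"))
    before = risky_entries_in_jar(jar)
    removed = strip_jar(jar)
    with zipfile.ZipFile(jar) as zf:
        remaining = sorted(zf.namelist())
    return {
        "before": before,
        "removed": sorted(removed),
        "after": risky_entries_in_jar(jar),            # expect [] (step 4 verification)
        "remaining": remaining,
        "backup_intact": risky_entries_in_jar(jar + ".bak") == before,
        "config_findings": risky_appenders_in_config(SAMPLE_LOG4J_XML),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real system, stop the services first (step 2), then call strip_jar on each of the four jars listed in step 5 and risky_appenders_in_config on each log4j.xml; the .bak copy written beside each jar is the rollback. The config check only catches appenders declared in log4j.xml, so removing the classes from the jars remains the step that actually closes the hole.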
Workarounds and Mitigations
Exploitation of the above vulnerabilities by an external (e.g. internet-facing) attacker is less likely, because the application is deployed on internal servers rather than exposed to the internet.
The vulnerable components/classes listed above are not enabled by default, are not used by the application, and can be disabled, so the attack surface is greatly reduced: exploitation depends on an attacker already having write access to the Log4j configuration. The application administrator can further reduce it by restricting the permissions on the respective files to the users that need them.
References
https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
Acknowledgement
Change History
20 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Product: Tivoli Netcool Performance Manager for Wireless
Software version: 1.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4
Operating system(s): AIX, Solaris, Linux
Document number: 6538352
Modified date: 19 March 2022
UID: ibm16538352