The Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This bulletin covers the vulnerability in versions of log4j earlier than 2.0. That version of the library is used by the ECM (Text Search) feature. CVE-2021-44228, a critical vulnerability in 2.0 <= log4j <= 2.15.0, is covered in a separate security bulletin. Please see CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for bulletins relating to Log4j V2.
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
The ECM (Text Search Server) feature in all fix pack levels of IBM Db2 V10.5, V11.1, and V11.5 for all server editions on all platforms is affected.
IBM Db2 V10.1 and V9.7 are not affected.
In the V11.1 release, the Hadoop federation wrapper is also impacted.
Customers running any vulnerable fixpack level of an affected Program (V10.5, V11.1, or V11.5) can download the special build containing the interim fix for this issue from Fix Central. These special builds are based on the most recent fixpack level for each impacted release: V10.5 FP11, V11.1.4 FP6, V11.5.6, and V11.5.7. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.
For ECM (Text Search Server)
|Release|Fixed in fix pack|APAR|Download URL|
|---|---|---|---|
|V10.5|TBD|IT39390|Special Build for V10.5 FP11:|
|V11.1|TBD|IT39387|Special Build for V11.1.4 FP6:|
|V11.5|TBD|IT39389|Special Build for V11.5.6:|
|V11.5|TBD|IT39389|Special Build for V11.5.7:|
Note: The 11.5.6 and 11.5.7 special builds here are the same ones supplied for resolving CVE-2021-44228.
If you are using Db2 Text Search with rich text filters, after these special builds are applied you will also be required to upgrade your version of the rich text filters in addition to Db2 Text Search. The appropriate rich text filters (in this case version 8.5.5) for each Db2 release can be downloaded from the Db2 accessories suite page.
For details, see here.
For Install (Installation Manager)
We recommend that you download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).
Further investigation determined that Installation Manager is not impacted by CVE-2021-4104, because it does not use log4j in a manner that exposes the vulnerability; however, it does still include the older version of the library.
For V11.1.x, install the Db2 fix listed in the table above for Linux 32-bit, Linux 64-bit, Windows 32-bit and/or Windows 64-bit. This fix replaces the existing log4j jar file with an empty jar file. While the vulnerability is mitigated with this fix, a scan will still show the existence of the jar file. Alternatively, you may download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).
For earlier versions, we recommend that you download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).
Workarounds and Mitigations
For ECM (Text Search):
The vulnerable jar can be patched to mitigate the vulnerability.
Note: Do not issue START/STOP Db2 text search server if Db2 text search is not configured.
On Linux and Unix:
Stop the TextSearch server: "db2ts stop for text".
Remove the JMSAppender.class file from the jar using either of the two options below.
Option 1: use the 'zip' command:
zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
If you do not have access to 'zip', you can also use the 'jar' command.
# assume log4j-1.2.17.jar exists in the current directory
mkdir tmp
cd tmp
jar xvf ../log4j-1.2.17.jar
rm org/apache/log4j/net/JMSAppender.class
jar cvf ../log4j-1.2.17-patched.jar .
cd ..
rm log4j-1.2.17.jar
ln -s log4j-1.2.17-patched.jar log4j-1.2.17.jar
rm -rf tmp
Start the TextSearch server: "db2ts start for text".
On Windows, the Java jar tool can be used from CMD to follow the same steps as the Unix 'jar' instructions.
Stop the TextSearch server: "db2ts stop for text" in the Db2 command line.
Start the Windows CMD program and go to the SQLLIB\db2tss\lib directory found in the installation path, e.g. "cd C:\Program Files\IBM\SQLLIB\db2tss\lib".
Make a backup copy of the log4j-1.2.17.jar file, e.g. "copy log4j-1.2.17.jar log4j-1.2.17.jar.bak".
Make a new directory, e.g. "mkdir tmp", and change to it, e.g. "cd tmp".
Extract the jar file using the jar program found in the JDK under the SQLLIB\java path, e.g. "..\..\..\java\jdk\bin\jar xvf ..\log4j-1.2.17.jar".
Delete the JMSAppender.class file, e.g. "del org\apache\log4j\net\JMSAppender.class".
Package the remaining files back into a new jar, e.g. "..\..\..\java\jdk\bin\jar cvf ..\log4j-1.2.17-patched.jar .".
Replace log4j-1.2.17.jar with log4j-1.2.17-patched.jar, e.g. "cd ..", "del log4j-1.2.17.jar", "ren log4j-1.2.17-patched.jar log4j-1.2.17.jar".
Clean up the "tmp" folder.
Start the TextSearch server: "db2ts start for text" in the Db2 command line.
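The workaround above and the Installation Manager fix leave two different end states: a jar with JMSAppender.class removed, and an empty jar that a file scan still reports as present. The following is an added example, not IBM-supplied code, that reproduces the "remove JMSAppender.class" step with Python's zipfile module instead of zip/jar and adds the check a practitioner would want afterwards: a tree scan that classifies each log4j-1.x jar as missing, empty, mitigated (class absent) or vulnerable (class still present). The sample jar it builds is a constructed stand-in for log4j-1.2.17.jar, and the directory names (db2tss/lib, im) are assumptions for the demo.

```python
"""Check log4j 1.x jars for JMSAppender.class and produce a patched copy.

Added example for this bulletin (not IBM's code). Uses only the standard
library so it runs offline; the jar it operates on is constructed below.
"""
import os
import tempfile
import zipfile

# The class the bulletin's workaround removes from log4j-1.2.17.jar.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"


def jms_appender_status(jar_path):
    """Classify one jar: 'missing', 'empty', 'unreadable', 'mitigated' or 'vulnerable'."""
    if not os.path.isfile(jar_path):
        return "missing"
    if os.path.getsize(jar_path) == 0:
        return "empty"  # zero-byte placeholder jar
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = jar.namelist()
    except zipfile.BadZipFile:
        return "unreadable"
    if not names:
        return "empty"  # valid archive with no entries: nothing left to load
    return "vulnerable" if JMS_APPENDER in names else "mitigated"


def strip_jms_appender(src_jar, dst_jar):
    """Copy src_jar to dst_jar without JMSAppender.class; return entries removed."""
    removed = 0
    with zipfile.ZipFile(src_jar) as src, \
            zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JMS_APPENDER:
                removed += 1
                continue
            # Copy every other entry (manifest, classes) byte-for-byte.
            dst.writestr(info, src.read(info.filename))
    return removed


def scan_tree(root):
    """Map every log4j-1.*.jar under root to its status (path -> status)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-1.") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                results[path] = jms_appender_status(path)
    return results


def build_sample_jar(path):
    """Construct a minimal stand-in for log4j-1.2.17.jar (not the real library)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe stub")
        jar.writestr(JMS_APPENDER, b"\xca\xfe\xba\xbe stub")


def demo():
    """Patch a constructed jar, add an empty one, and scan the tree."""
    work = tempfile.mkdtemp()
    # Assumed layout mirroring SQLLIB\db2tss\lib from the bulletin.
    original = os.path.join(work, "db2tss", "lib", "log4j-1.2.17.jar")
    os.makedirs(os.path.dirname(original))
    patched = original.replace(".jar", "-patched.jar")
    build_sample_jar(original)
    before = jms_appender_status(original)
    removed = strip_jms_appender(original, patched)
    after = jms_appender_status(patched)
    # Final step of the workaround: the patched jar takes the original's name.
    os.replace(patched, original)
    # Zero-byte stand-in for the empty jar the Installation Manager fix leaves.
    im_dir = os.path.join(work, "im")
    os.makedirs(im_dir)
    open(os.path.join(im_dir, "log4j-1.2.17.jar"), "wb").close()
    return {"before": before, "removed": removed, "after": after,
            "scan": sorted(scan_tree(work).values())}


if __name__ == "__main__":
    print(demo())
```

Run scan_tree against a Db2 installation root after applying the workaround: any jar still reported as "vulnerable" has not had the class removed, while "empty" explains the jar a file-name scan flags after the Installation Manager fix.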
For version 11.1 on Linux and UNIX platforms only (not on Windows), the log4j-1.2.17.jar file under "/opt/IBM/db2/V11.1/federation/restservice/hadoop" in the Db2 installation location may be safely removed.
Subsequent installation of fixpacks may result in the error:
ERROR: Some error occurred while moving files during backup or restore to directory, "/opt/IBM/db2/<version>/.backup". The return code is "4394967295".
To resolve this apply the fixpack with the -f nobackup flag.
This file does not exist on Db2 versions prior to 11.1.
Change History
06 June 2022: Added mitigation to remove log4j from hadoop wrapper on linux/unix and links to other related Log4j bulletins
31 Jan 2022: Added 10.5 links for Windows 64-bit and Windows 32-bit fix packs.
31 Dec 2021: Added 10.5 links for AIX 64-bit, Linux 32-bit and Linux 64-bit fix packs.
29 Dec 2021: Added V11.1.4 FP6 links for Windows 32-bit and Solaris 64-bit fix packs
28 Dec 2021: Updated ECM Text Search section to reflect that the text search server should not be stopped or started if the customer is not using text search, and added the instructions to copy the patched jar in place of the original.
24 Dec 2021: Removed Install section as impacted, as further investigation determined that Installation Manager was not affected by this vulnerability, thus Db2 is not vulnerable from that dependency. Added V11.1.4 FP6 link for Windows 64-bit fix pack
22 Dec 2021: Added 10.5 link for Inspur. Clarified server and client impact for each issue
21 Dec 2021: Added 11.5.6 links for Windows 32-bit and Windows 64-bit fix packs. Added 11.5.7 links for Windows 32-bit and Windows 64-bit fix packs
21 Dec 2021: Updated note that the 11.5.6 builds are the same as the one for CVE-2021-44228. Updated description of Db2 Text Search update.
20 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
07 June 2022