Security Bulletin
Summary
Apache Log4j is used by IBM Telco Network Cloud Manager - Performance for logging and is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305). The fix includes Apache Log4j v2.17.1.
Vulnerability Details
CVEID: CVE-2021-44832
DESCRIPTION: Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-23305
DESCRIPTION: Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2022-23302
DESCRIPTION: Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Telco Network Cloud Manager - Performance (TNCP) | TNC-P 1.4 |
| IBM Telco Network Cloud Manager - Performance (TNCP) | TNC-P 1.4.1 |
| IBM Telco Network Cloud Manager - Performance (TNCP) | TNC-P 1.3 |
| IBM Telco Network Cloud Manager - Performance (TNCP) | TNC-P 1.2 |
Remediation/Fixes
For IBM Telco Network Cloud Manager - Performance 1.4.1:
Please download fix from http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Telco+Network+Cloud+Manager+-+Performance&fixids=1.4.1.TIV-TNCP-IF002&source=SAR
For more information about applying the fix, go to IBM Documentation : https://www.ibm.com/docs/en/tncm-p/1.4.1?topic=configuring-installing
For IBM Telco Network Cloud Manager - Performance 1.4 , 1.3 and 1.2:
If you have one of the listed affected versions, it is strongly recommended that you apply the most recent security update to UI service:
Apply the following updated UI service image by navigating into tncp product namespace -> statefulset -> ui
- If the product is deployed on Openshift env then use following image => cp.icr.io/cp/tncp/basecamp-ui:2.4.1.0-166-d77181da@sha256:910ecb867298b343184bcc129c847695c4db3e8196241d52af2ba6c034d012e0
- If the product is deployed on Kubernetes environment then use following image : docker.io/persistentsystems/basecamp-ui:2.4.1.0-166-d77181da@sha256:910ecb867298b343184bcc129c847695c4db3e8196241d52af2ba6c034d012e0
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
01 Jun 2022: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
01 June 2022
UID
ibm16591351