PH42728 Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

Download

Downloadable File

File link	File size	File description

Abstract

Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

Download Description

View the Security Bulletin

PH42728 resolves the following problem:

ERROR DESCRIPTION:
Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

PROBLEM SUMMARY:
Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)

PROBLEM CONCLUSION:

CVE-2021-44228 was remediated.

Note for WebSphere Application Server 8.5.5 only: In this release, the UDDI.ear resolves the vulnerability by removing the JNDILookup class/function from the included copy of log4j version 2.

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.21, 9.0.5.11.
For more information, see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

Note: WebSphere Application Server 7.0 and 8.0 reached End of Support on April 30, 2018 and the embedded IBM Java SDK is no longer receiving security updates. Current information is that the version of log4j included in WebSphere Application Server 7.0 and 8.0 is not impacted by CVE-2021-44228. IBM recommends all users running 7.0 and 8.0 upgrade to 8.5.5, 9.0 or WebSphere Liberty.

For advice on responding to CVE-2021-44228 for users of WebSphere Application Server traditional or Liberty, see https://www.ibm.com/support/pages/node/6525860

This fix supersedes (includes) the fix for PH37034

Important Note: This fix is superseded by: PH42762

Prerequisites

None

Installation Instructions

CRITICAL: Review the readme.txt for detailed installation instructions. This interim fix has special requirements.

URL	SIZE(Bytes)
V85 readme	2458
V90 readme	2600

Download Package

Important Note: This fix is superseded by: PH42762

IMPORTANT NOTE:	WebSphere Application Server fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.

DOWNLOAD	RELEASE DATE	SIZE(Bytes)	APPLICABLE FIX PACKS	DOWNLOAD Options What is Fix Central(FC)?
9.0.5.3-WS-WASProd-IFPH42728	12 December 2021	11345798	9.0.5.3 through 9.0.5.10	FC
8.5.5.11-WS-WASProd-IFPH42728	12 December 2021	9020471	8.5.5.11 through 8.5.5.20	FC

Problems Solved

PH42728, PH37034

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"General","Platform":[{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"},{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"}],"Version":"8.5.5.11;8.5.5.12;8.5.5.13;8.5.5.14;8.5.5.15;8.5.5.16;8.5.5.17;8.5.5.18;8.5.5.19;8.5.5.20;9.0.5.10;9.0.5.3;9.0.5.4;9.0.5.5;9.0.5.6;9.0.5.7;9.0.5.8;9.0.5.9","Edition":"Base","Line of Business":{"code":"LOB45","label":"Automation"}}]

Problems (APARS) fixed
PH42728, PH37034

Was this topic helpful?

Document Information

Modified date:
02 March 2022

UID

ibm16525672

Tips