IBM Support

Is Business Process Manager affected by CVE-2021-44228?

Flashes (Alerts)


Abstract

I am using Business Process Manager. What is impact of CVE-2021-44228 on Business Process Manager?

Content

CVE-2021-44228 concerns a lookup feature in Log4j 2 (see the Business Process Manager Security Bulletin).
The notes below cover the Business Process Manager, IBM Integration Designer, IBM Process Designer and Business Process Manager Enterprise Service Bus components known to be impacted by CVE-2021-44228:
1) CVE-2021-44228 describes a vulnerability in the Apache Log4j 2.x Java library dubbed Log4Shell. Some Business Process Manager components use Log4j 1.x. Only one application uses Log4j 2.x.
This application, IBM_BPM_KC_CI_<cluster>, is used to access IBM Documentation offline and is impacted by CVE-2021-44228. Manually uninstall the application IBM_BPM_KC_CI_<cluster> to remediate the impact:

From the WebSphere Application Server admin console, select
    Applications > Application Types > WebSphere enterprise applications
Locate the application IBM_BPM_KC_CI_<cluster> and apply the Uninstall action.
After this change, stop the whole deployment environment, then restart it.
2) Business Process Manager custom applications
IBM Business Process Manager allows building and running custom applications on the platform. Each of these applications may bring its own vulnerable version of log4j-core-2.x with it and use it. Customers must review the log4j usage of all their applications.
For Business Process Manager Advanced applications created with IBM Integration Designer, the application is available in the file system of the runtime server in the installedApps directory and can be reviewed there.
For Business Process Manager Standard applications created with Process Designer, the development tool can be used for the review.
The Business Automation blog post "Accessing process apps for vulnerable open source" shares more detail.
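The review of custom applications in the installedApps directory described above can be automated. The script below is an added example, not IBM's tooling or part of this flash: it walks a directory laid out like a WebSphere installedApps tree (exploded EARs and WARs, with library jars as files), descends into any packaged EAR/WAR/JAR it finds, and reports every log4j-core 2.x artifact with its version (from the jar's Maven pom.properties, falling back to the file name) and whether the JndiLookup class is still present. The version cutoffs (fixed in 2.15.0, with 2.12.2 and 2.3.1 as backports for older Java levels) are taken from Apache's advisory for this CVE, not from this page; the sample tree it builds is a constructed fixture.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical helper, not IBM's tooling: scan an installedApps-style tree for
# log4j-core 2.x jars, including jars nested inside EAR/WAR/JAR archives.
ARCHIVE_SUFFIXES = (".ear", ".war", ".jar", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_JAR_NAME = re.compile(r"log4j-core-([0-9][0-9A-Za-z.\-]*)\.jar$")


@dataclass
class Finding:
    location: str            # path; "!/" separates nested archives
    version: Optional[str]   # from pom.properties, else from the file name
    jndi_lookup_present: bool

    @property
    def affected(self) -> bool:
        return version_affected(self.version)


def parse_version(version: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Numeric prefix of a Log4j version string ("2.14.1"; "2.0-beta9" -> 2.0.0)."""
    if not version:
        return None
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_affected(version: Optional[str]) -> bool:
    """Assumption from Apache's advisory: CVE-2021-44228 affects log4j-core
    2.0-beta9 through 2.14.1; fixed in 2.15.0, with backports 2.12.2 (Java 7)
    and 2.3.1 (Java 6). Unknown versions are flagged so they get reviewed."""
    v = parse_version(version)
    if v is None:
        return True
    if v[0] != 2:
        return False                       # Log4j 1.x is out of scope for this CVE
    if v >= (2, 15, 0):
        return False
    if (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return False
    return True


def _version_from_jar(zf: zipfile.ZipFile, location: str) -> Optional[str]:
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = CORE_JAR_NAME.search(location)
    return m.group(1) if m else None


def _scan_archive(zf: zipfile.ZipFile, location: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    if CORE_JAR_NAME.search(location) or POM_PROPS in names:
        out.append(Finding(location, _version_from_jar(zf, location),
                           JNDI_LOOKUP_CLASS in names))
    for entry in names:                    # recurse: EAR -> WAR -> WEB-INF/lib jars
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _scan_archive(inner, f"{location}!/{entry}", out)


def scan_installed_apps(root: str) -> List[Finding]:
    """Walk an exploded-application tree and open every archive file in it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                zf = zipfile.ZipFile(full)
            except zipfile.BadZipFile:
                continue
            with zf:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                _scan_archive(zf, rel, findings)
    return sorted(findings, key=lambda f: f.location)


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed fixture: an exploded EAR holding a packaged WAR with an
    affected log4j-core 2.14.1, a fixed 2.17.1 in the EAR lib directory, and a
    Log4j 1.2.17 jar that is out of scope for this CVE."""
    ear_dir = os.path.join(root, "SampleApp.ear")
    os.makedirs(os.path.join(ear_dir, "lib"), exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"       # class-file magic only; placeholder content
    core_2_14 = _zip_bytes({POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP_CLASS: fake_class})
    core_2_17 = _zip_bytes({POM_PROPS: "version=2.17.1\n", JNDI_LOOKUP_CLASS: fake_class})
    log4j_1 = _zip_bytes({"org/apache/log4j/Logger.class": fake_class})
    with open(os.path.join(ear_dir, "SampleWeb.war"), "wb") as f:
        f.write(_zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": core_2_14}))
    with open(os.path.join(ear_dir, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(core_2_17)
    with open(os.path.join(ear_dir, "lib", "log4j-1.2.17.jar"), "wb") as f:
        f.write(log4j_1)


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_installed_apps(root)
    for f in findings:
        status = "AFFECTED" if f.affected else "ok"
        print(f"{status:8} {f.version or '?':8} JndiLookup={f.jndi_lookup_present} {f.location}")
    return findings


if __name__ == "__main__":
    demo()
```

Point `scan_installed_apps` at the real installedApps directory of a runtime server to review deployed Advanced applications; the nested-archive walk matters because WEB-INF/lib jars are often still packaged inside a WAR. A jar reported as fixed by version should still be confirmed against the vendor bulletin, since the version test is only a first filter.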

4) IBM Integration Designer and desktop Process Designer are not impacted by CVE-2021-44228.

Applies to:
IBM Business Process Manager (SSFPJS), versions 8.5.7 and 8.6.0
IBM Business Process Manager Enterprise Service Bus (SSMTUS), all versions
IBM Process Designer (SSUTM6), all versions
IBM Integration Designer (SSTLXK), all versions
Platform: Platform Independent. Category: Security.

Document Information

Modified date:
14 September 2022

UID

ibm16525822