IBM Support

Is Business Automation Workflow affected by CVE-2021-44228?

Flashes (Alerts)


Abstract

I am using Business Automation Workflow. What is the impact of CVE-2021-44228 on Business Automation Workflow?

Content

CVE-2021-44228 (Log4Shell) is caused by the JNDI lookup feature of Apache Log4j 2.x, which resolves ${jndi:...} patterns found in logged message text and can be driven by attacker-controlled input. (Business Automation Workflow Security Bulletin)
See the notes below on the known Business Automation Workflow, IBM Integration Designer and IBM Process Designer components that are affected by CVE-2021-44228:
1) The Process Federation Server fix is shipped in APAR JR64456. The APAR fix is available from IBM Fix Central for 21.0.2, 20.0.0.2, 20.0.0.1 and 19.0.0.3.
2) Business Automation Workflow on containers is affected by CVE-2021-44228. To correct this issue, upgrade Business Automation Workflow on containers to v21.0.3 (upgrade information) or install 21.0.2 IF006.
3) CVE-2021-44228 describes a vulnerability in the Apache Log4j 2.x Java library dubbed Log4Shell. Some Business Automation Workflow on-premises components use Log4j 1.x, which does not implement the JNDI message lookup that CVE-2021-44228 exploits, so those components are not affected by this CVE. Only one application uses Log4j 2.x.
This application [IBM_BPM_KC_CI_<cluster>] is used to access IBM Documentation offline and is affected by CVE-2021-44228. The following steps remediate the impact:
     A) Install APAR JR64096.
          * If the APAR is not available for your Business Automation Workflow fix level, go to step B).
          The APAR removes the application [IBM_BPM_KC_CI_<cluster>] from existing deployment environments and no longer installs it in new ones.

     B) Manually uninstall the application [IBM_BPM_KC_CI_<cluster>].
          * Complete this step if JR64096 is not available for your Business Automation Workflow environment.
          * Also complete this step if [IBM_BPM_KC_CI_<cluster>] is still running after JR64096 has been installed.
          From the WebSphere Application Server administrative console, select
                  Applications > Application Types > WebSphere enterprise applications
          locate the application IBM_BPM_KC_CI_<cluster>, and apply the Uninstall action.
          After this change, stop the whole deployment environment and then restart it, and confirm that IBM_BPM_KC_CI_<cluster> no longer appears in the application list.
4) Business Automation Workflow custom applications
IBM Business Automation Workflow allows building and running custom applications on the platform. Each of these applications might bundle its own vulnerable copy of log4j-core 2.x and use it, independently of the Log4j version the product itself ships. Customers must review the Log4j usage of all their applications.
For Business Automation Workflow Advanced applications created with IBM Integration Designer, the application is available on the file system of the runtime server in the installedApps directory and can be reviewed there, including any jars packaged inside its EAR and WAR archives.
For Business Automation Workflow Standard applications created using Process Designer, the development tool can be used for the review.
This Business Automation blog shares more detail on Assessing process apps for vulnerable open source.
5) IBM Integration Designer and the desktop Process Designer are not affected by CVE-2021-44228.
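To make the review of custom applications described under item 4 repeatable, the following script walks an installedApps-style directory tree, descends into every EAR, WAR and jar it finds (including archives nested inside archives), and reports each log4j-core jar with its version and whether it still contains JndiLookup.class. This is an added example and not IBM's code; the vulnerability rule it applies (a 2.x release older than 2.15.0 that still carries JndiLookup.class) and the sample deployment it builds in a temporary directory are constructed for illustration, and the pom.properties path it reads is the standard one that Maven-built log4j-core jars ship.

```python
#!/usr/bin/env python3
"""Scan a directory tree (for example a WebSphere installedApps directory) for
Log4j 2.x core jars, including jars nested inside EAR/WAR archives, and report
which ones are still vulnerable to CVE-2021-44228.

Added example, not IBM's code. Assumptions: the log4j-core version is read from
the Maven pom.properties inside the jar, and a jar counts as vulnerable only if
it is a 2.x release older than 2.15.0 AND still contains JndiLookup.class (so a
jar that had the class removed as a mitigation is reported as not vulnerable).
"""
import io
import os
import re
import sys
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # first Log4j 2 release that disabled JNDI message lookups


def parse_version(text):
    """Return (major, minor, patch) from the 'version=' line of pom.properties."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def inspect_archive(zf, path):
    """Yield one finding per log4j-core jar in zf or in any archive nested in it."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP in names
        yield {
            "path": path,
            "version": version,
            "jndi_lookup_present": has_jndi,
            "vulnerable": (version is not None and version[0] == 2
                           and version < FIXED and has_jndi),
        }
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # entry only looks like an archive; skip it
            yield from inspect_archive(inner, path + "!" + name)


def scan_tree(root):
    """Walk root on disk (exploded deployments) and recurse into each archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(inspect_archive(zf, full))
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda x: x["path"])


def _fake_log4j_core(version, with_jndi=True):
    """Build a minimal stand-in for log4j-core-<version>.jar (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed installedApps layout: an EAR whose WAR bundles log4j-core 2.14.1,
    an exploded app with a loose 2.17.1 jar, and a 2.14.1 jar with JndiLookup removed."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    os.makedirs(os.path.join(root, "CustomApp.ear"))
    with zipfile.ZipFile(os.path.join(root, "CustomApp.ear", "custom.ear"), "w") as ear:
        ear.writestr("custom.war", war.getvalue())
    lib = os.path.join(root, "OtherApp.ear", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.17.1"))
    with open(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "wb") as f:
        f.write(_fake_log4j_core("2.14.1", with_jndi=False))


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in results:
        flag = "VULNERABLE" if r["vulnerable"] else "ok"
        print(f"{flag:10} {r['version']} jndi={r['jndi_lookup_present']} {r['path']}")
```

Run it as `python3 scan_log4j.py /path/to/installedApps` on the runtime server; without an argument it scans the constructed sample tree. The nested path notation (ear!war!jar) tells you which archive to rebuild or which application owner to contact, and the jndi flag distinguishes an application that was mitigated by deleting JndiLookup.class from one that was merely left alone.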


Document Information

Modified date:
07 January 2022

UID

ibm16525834