IBM Support

Is IBM Content Manager (CM 8) impacted by the log4J security vulnerabilities, including CVE-2021-44228 (Log4Shell)?

Question & Answer


Question

Is IBM Content Manager (CM 8) impacted by the log4J security vulnerabilities, including CVE-2021-44228 (Log4Shell)?

Answer

IBM Content Manager (CM 8) is not affected by, or vulnerable to, the Apache Log4j vulnerabilities.

The vulnerability described in CVE-2021-44228 is found in versions of log4j 2 prior to version 2.16.  IBM Content Manager (CM 8) version 8.6 and earlier only uses log4j 1.x, so the vulnerability does not apply to these versions of CM 8.  This is true for both IBM Content Manager Enterprise Edition and IBM Content Manager for z/OS.

CM 8 version 8.7 shipped in May of 2022.  This version of CM 8 uses log4j 2 by default, and ships log4j version 2.17.1.  Log4j 2.17.1 addresses all known CVEs at the time of its shipment, so CM 8.7 is not vulnerable to CVE-2021-44228.

Note that an instance of log4j-core-2.11.0.jar was inadvertently packaged with CM 8.6 Specific Web Services.  This jar file is not used by CM 8 and may be deleted from the web services deployment in WebSphere Application Server.  This file will only be seen if Web Services are installed and deployed.
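An unused jar such as the one above is exactly what a deployment inventory should surface. The following Python script is an added example, not IBM's code: it walks a deployment directory, records every log4j jar with its version (taken from the file name, or from the manifest when the name carries none) and whether the JndiLookup class is present, and classifies each jar against the 2.17.1 threshold the text gives. The directory layout and the jars built in `demo()` are constructed samples, not a real CM 8 installation.

```python
"""Inventory the Log4j jars under a deployment tree and classify each one.

Added example (not IBM's code). It assumes an expanded deployment directory
such as a WebSphere installed-apps tree, and that the version is carried in
the jar name or in META-INF/MANIFEST.MF, as the log4j artifacts do.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

# Lowest log4j 2 release the page states addresses the known CVEs (shipped with CM 8.7).
FIXED_2X = (2, 17, 1)
JAR_NAME = re.compile(r"^log4j(?:-core|-api)?-(\d+(?:\.\d+)*)\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


def jar_version(path: str) -> Optional[Tuple[int, ...]]:
    """Version from the file name, else Implementation-Version in the manifest."""
    m = JAR_NAME.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.M)
    return parse_version(m.group(1)) if m else None


def has_jndi_lookup(path: str) -> bool:
    """True if the class behind CVE-2021-44228 is present. Current 2.x releases
    still ship it with JNDI lookups disabled, so this field only matters for an
    outdated jar where deleting the class was used as a stop-gap."""
    try:
        with zipfile.ZipFile(path) as zf:
            return JNDI_LOOKUP in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def classify(version: Optional[Tuple[int, ...]]) -> str:
    if version is None:
        return "unknown"
    if version[0] == 1:
        return "log4j-1.x"           # CVE-2021-44228 does not apply to 1.x
    if version < FIXED_2X:
        return "log4j-2.x-outdated"  # upgrade, or delete if unused (the CM 8.6 web services case)
    return "log4j-2.x-current"


def inventory(root: str) -> Dict[str, Dict[str, object]]:
    """Walk root; return {relative jar path: {version, status, jndi_lookup}}."""
    found: Dict[str, Dict[str, object]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j") and name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                version = jar_version(full)
                found[os.path.relpath(full, root)] = {
                    "version": version,
                    "status": classify(version),
                    "jndi_lookup": has_jndi_lookup(full),
                }
    return found


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed sample tree (not a real CM 8 install): minimal jars with manifests."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    lib = os.path.join(root, "webservices", "WEB-INF", "lib")
    os.makedirs(lib)
    samples = {                      # name -> (manifest version, extra zip entries)
        "log4j-1.2.17.jar": ("1.2.17", []),
        "log4j-core-2.11.0.jar": ("2.11.0", [JNDI_LOOKUP]),
        "log4j-core-2.17.1.jar": ("2.17.1", [JNDI_LOOKUP]),
        "log4j-renamed.jar": ("2.11.0", [JNDI_LOOKUP]),  # version only in the manifest
    }
    for name, (version, entries) in samples.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            for entry in entries:
                zf.writestr(entry, b"")
    return inventory(root)


if __name__ == "__main__":
    for path, info in sorted(demo().items()):
        print(f"{info['status']:<20} {path}")
```

A jar reported as `log4j-2.x-outdated` that no component loads is the situation described above for the CM 8.6 web services deployment; confirm nothing references it before deleting it, and re-run the inventory after each fix pack so a reintroduced copy is noticed.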

The log4j 2.x issues described in CVE-2021-45046 and CVE-2021-45105 also do not apply to CM 8 version 8.6 and earlier, because these issues exist only in log4j 2.x.  They also do not apply to CM 8 version 8.7, as they have been addressed in the version of log4j 2 that is included in CM 8 version 8.7.

There have been less severe issues reported with log4j 1.x.  The related issues are documented in the CVEs below.  CM 8 version 8.6 and older does use Log4j 1.x.   However, it is not vulnerable to these CVEs for the reasons listed below. 

  • CVE-2022-23307 only applied if the Log4j chainsaw component is used.  CM 8 does not use chainsaw.

  • CVE-2022-23305 only applies if a Log4j JDBCAppender is configured.  CM 8 does not configure a Log4j JDBCAppender.

  • CVE-2022-23302 only applies if JMSSink is deployed and Log4j is configured to perform JNDI requests.  CM 8 does not deploy JMSSink and does not configure Log4j JNDI.

  • CVE-2021-4104 only applies if a Log4j JMSAppender is configured.  CM 8 does not configure a Log4j JMSAppender.

  • CVE-2020-9488 only applies if a Log4j SMTPAppender is configured.  CM 8 does not configure an SMTPAppender.

  • CVE-2019-17571 only applies if a Log4j SocketServer is configured and the Log4j SocketServer process is started.  CM 8 does neither of these.
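Each condition in the list above can be verified against a deployment's own configuration rather than taken on trust. The following Python script is an added example, not IBM's code: it reads a log4j 1.x properties file, lists the appenders it configures and reports any whose class is one of the appenders named above, and scans Java command lines for the SocketServer, JMSSink and Chainsaw classes whose entries depend on that component being run or deployed. Both input samples are constructed; the class names are log4j 1.2's own.

```python
"""Audit a log4j 1.x deployment against the CVE conditions listed above.

Added example (not IBM's code). It assumes a properties-style log4j 1.x
configuration and a list of Java command lines (for instance from `ps`);
both inputs below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Conditions that hold when the class is configured as an appender.
CONFIGURED_CLASSES = {
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
}
# Conditions that hold when the class is run as a process or deployed.
RUNNING_CLASSES = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.chainsaw": "CVE-2022-23307",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def configured_appenders(props: Dict[str, str]) -> Dict[str, str]:
    """{appender name: class} from keys of the exact form log4j.appender.<name>."""
    out: Dict[str, str] = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m:
            out[m.group(1)] = value
    return out


def audit(properties_text: str, command_lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per CVE condition that the inputs satisfy."""
    findings: List[Dict[str, str]] = []
    for name, cls in configured_appenders(parse_properties(properties_text)).items():
        if cls in CONFIGURED_CLASSES:
            findings.append({"cve": CONFIGURED_CLASSES[cls], "class": cls,
                             "evidence": f"appender '{name}' configured in properties"})
    for cmd in command_lines:
        for cls, cve in RUNNING_CLASSES.items():
            if cls in cmd:
                findings.append({"cve": cve, "class": cls, "evidence": f"process: {cmd}"})
    return findings


# Constructed samples: a file-only configuration, and one that adds risky appenders.
CLEAN_CONFIG = """
# constructed sample, not a CM 8 configuration file
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=logs/app.log
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
"""
RISKY_CONFIG = CLEAN_CONFIG + """
log4j.rootLogger=INFO, FILE, DB, MAIL
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:db2://dbhost.example:50000/SAMPLE
log4j.appender.MAIL=org.apache.log4j.net.SMTPAppender
log4j.appender.MAIL.SMTPHost=mail.example.com
"""
CLEAN_PROCS = ["java -cp app.jar com.example.AppServer"]  # constructed command line
RISKY_PROCS = CLEAN_PROCS + [
    "java -cp log4j-1.2.17.jar org.apache.log4j.net.SocketServer 4560 server.properties /tmp"
]


def demo() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Run the audit over both constructed samples: (clean findings, risky findings)."""
    return audit(CLEAN_CONFIG, CLEAN_PROCS), audit(RISKY_CONFIG, RISKY_PROCS)


if __name__ == "__main__":
    clean, risky = demo()
    print("clean sample:", clean or "no findings")
    for f in risky:
        print(f"{f['cve']}: {f['class']} ({f['evidence']})")
```

An empty result for a real deployment confirms the conditions the text relies on; a finding means one of the listed components is in use and the corresponding CVE has to be assessed rather than dismissed. The properties reader is deliberately minimal (no line continuations or escapes), which is adequate for log4j.properties files in practice.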

Note that it is NOT possible to substitute and replace an existing Log4j version 1.2.17 with Log4j version 2.x.  Log4j version 2.x is not backward compatible with version 1.x.

For an IBM perspective on this vulnerability, review the information from IBM at:


Document Information

Modified date:
17 June 2022

UID

ibm16525854