Is IBM Content Manager OnDemand (CMOD) Version 10.5 impacted by the log4j security vulnerabilities related to CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105?

IBM Content Manager OnDemand (CMOD) Version 10.5.0.4 uses log4j 2.17.1 and therefore is not impacted.

IBM Content Manager OnDemand (CMOD) Versions 10.5.0.0, 10.5.0.1, 10.5.0.2, and 10.5.0.3 use log4j 2.13.0 and therefore are impacted.

In IBM Content Manager OnDemand Version 10.5, the following components use log4j 2.x: Full Text Search Exporter, Content Manager OnDemand REST Services and the Content Manager OnDemand Web Enablement Kit.

There are two options to remediate log4j vulnerabilities in IBM Content Manager OnDemand (CMOD) Versions 10.5.0.0, 10.5.0.1, 10.5.0.2, and 10.5.0.3:

Option 1: Apply the latest fix pack

Apply the latest IBM Content Manager OnDemand (CMOD) fix pack, which is Version 10.5.0.4 or later. Upgrading to Version 10.5.0.4 or later is the recommended method for log4j remediation.

Option 2: Apply the latest security updates

To upgrade log4j 2.x for Content Manager OnDemand Version 10.5, perform the following:
1.    Go to https://logging.apache.org/log4j/2.x/download.html and download the most recent version.
2.    Extract the downloaded file. You should have a folder with several files, for example, log4j-api-2.17.1.jar and log4j-core-2.17.1.jar
3.    Remove log4j-api-2.13.0.jar and log4j-core-2.13.0.jar from the <OnDemand Install Dir>/jars directory.
4.    Copy log4j-api-2.17.1.jar and log4j-core-2.17.1.jar into the <OnDemand Install Dir>/jars directory.
5.    Be sure to adjust your CLASSPATH and/or shared libraries to reference the new jar files. See below.

NOTE: Step 6 is only for the Content Manager OnDemand REST Services. You will need to remove the log4j jars from the cmod-rest.war file.

6.    Because WAR files are based on ZIP, you can use any zip utility to edit them.

For example, on AIX/Linux you can use the zip command line utility to remove the log4j jar files from the war file. 

Navigate to the <OnDemand Install Dir>/www/rest directory and run the following two commands:
zip -d cmod-rest.war "WEB-INF/lib/log4j-api-2.13.0.jar"
zip –d cmod-rest.war "WEB-INF/lib/log4j-core-2.13.0.jar"

You can now re-deploy the cmod-rest.war file and reference the new version of log4j via the CLASSPATH reference. See below. Follow the instructions in the IBM Content Manager OnDemand REST Services Implementation Guide for updating the CLASSPATH in your application server.

Regardless of whether you choose Option 1 or Option 2: After updating to the latest open source libraries, be sure to update your Java execution environment to point to the updated jar files. For example, if your Java execution environment is:

• an application server (such as WebSphere Application Server (WAS)), update shared library references and/or the CLASSPATH setting.
• a command line application, update the CLASSPATH setting.