Abstract
IBM AI Applications conducted an audit of all products, platforms, and services to identify exposures to the Apache Log4J 2 Remote Code Execution vulnerability - Log4Shell (CVE-2021-44228).
Content
IMPACTED PRODUCTS
After review, IBM AI Applications established that CVE-2021-44228 potentially impacts the following applications. The associated mitigation plans are listed below:
- Maximo Asset Monitor SaaS: upgraded from Log4J 2.14.1 to 2.17.
- Maximo Application Suite:
  - Monitor is affected. See Interim fix available for CVE-2021-44228 for MAS Monitor 8.4, 8.5 and 8.6
  - Maximo Asset Configuration Manager (ACM) and Maximo for Aviation are affected. See Security Bulletin: A security vulnerability has been identified in Apache Log4j (CVE-2021-44228) in IBM Maximo Asset Configuration Manager and IBM Maximo for Aviation
- Maximo Scheduler Optimization 7.6.8 is affected. See Security Bulletin: A security vulnerability has been identified in Apache log4j versions 2.0 beta 9 - 2.14 (CVE-2021-44228) in IBM Maximo Scheduler Optimization
- Maximo Asset Configuration Manager (ACM) 7.6.7.x and Maximo for Aviation 7.6.8.x and later are affected. See Security Bulletin: A security vulnerability has been identified in Apache Log4j (CVE-2021-44228) in IBM Maximo Asset Configuration Manager and IBM Maximo for Aviation
- Order Management Service (OMS) SaaS microservices have been upgraded from Log4J 2.13.x+ to 2.15. This update was completed on 14 December 2021. Order Management Core SaaS and on-premises customers are not impacted by this vulnerability. Find complete information here.
- Supply Chain Intelligence Suite upgraded Log4J 2.x versions to 2.15. This update was completed as of 14 December 2021.
- Environmental Intelligence Suite upgraded Log4J 2.x versions to 2.15. This update was completed as of 14 December 2021.
- TRIRIGA Indoor Maps: fix in progress.
After review, it has been established that CVE-2021-44228 does not impact:
- Maximo EAM SaaS (versions 7.6 and 7.6.1.x)
- Manage (all versions). However, Manage component patch 8.3.1 includes log4j remediation, updating log4j in Manage to log4j 2.17.1.
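One way to run the kind of jar-level audit this bulletin describes against your own hosts, as an added example that is not IBM's tooling: it reads each jar's log4j-core version from its Maven pom.properties and places it against the 2.0 beta 9 to 2.14.x range and the 2.17.1 level quoted above. The vulnerable range and fix level come from the bulletin; the pom.properties path and the flat-jar layout are my assumptions, and the sample jars are constructed.

```python
import os
import re
import tempfile
import zipfile

# Vulnerable range stated in the bulletin (2.0 beta 9 through 2.14.x, upper bound exclusive) and the 2.17.1 level that Manage patch 8.3.1 moves to.
VULN_LOW, VULN_HIGH, FIX_LEVEL = "2.0-beta9", "2.15.0", "2.17.1"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 1, 9), '2.14.1' -> (2, 14, 1, 3, 0); pre-releases sort first."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(tag, 3)  # 3 = final release
    return (int(major), int(minor), int(patch or 0), rank, int(tagnum or 0))

def classify(version):
    """Place a log4j-core version against the bulletin's vulnerable range and fix level."""
    v = parse_version(version)
    if parse_version(VULN_LOW) <= v < parse_version(VULN_HIGH):
        return "VULNERABLE to CVE-2021-44228"
    if v < parse_version(FIX_LEVEL):
        return "not in the CVE-2021-44228 range but below the 2.17.1 level"
    return "OK"

def jar_log4j_core_version(path):
    """Version from the jar's Maven pom.properties, or None if it is not log4j-core (assumes a plain jar, not one nested in a .war/.ear)."""
    with zipfile.ZipFile(path) as z:
        if POM not in z.namelist():
            return None
        m = re.search(r"^version=(.+)$", z.read(POM).decode("utf-8", "replace"), re.M)
    return m.group(1).strip() if m else None

def scan(root):
    """Walk root; return {jar filename: (version, verdict)} for every log4j-core jar found."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar") and (ver := jar_log4j_core_version(os.path.join(dirpath, name))):
                report[name] = (ver, classify(ver))
    return report

def make_sample_jars(versions):  # constructed fixture: minimal zips carrying only pom.properties
    root = tempfile.mkdtemp()
    for v in versions:
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{v}.jar"), "w") as z:
            z.writestr(POM, f"version={v}\nartifactId=log4j-core\n")
    return root
```

On a real host, call scan() on the application install directories; jars bundled inside .war or .ear archives need to be unpacked first.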
NON-IMPACTED PRODUCTS
- Maximo for Civil Infrastructure comes with MaxLoader (not MXLoader) for data loading. One of the components in MaxLoader uses two jars from log4j. The component’s developer has assured us that these jar files cannot be exploited by the methods described in the CVEs listed in the first paragraph of this document.
- TRIRIGA Platform 3.5.3 (SaaS Only), 3.6.0, 3.6.1, 3.7, 3.8, 4.0
- TRIRIGA Assistant, Building Insights, Connector for BIM, CAD Integrator, Capital Project Hub, Reporting
References:
- For more information regarding IBM's response to this vulnerability, please refer to the IBM PSIRT blog. This blog is updated with Product Security Bulletins.
- WebSphere Application Server
Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)
Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046). The fix PH42762 removes Log4j from the WebSphere admin console.
PH42759: Block class loads for vulnerable classes (Cognos Analytics)
Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)
Updates
5 Jan 2022 Added Maximo for Civil Infrastructure to non-impacted products
Document Information
Modified date: 06 April 2022
UID: ibm16526270