
Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data (CVE-2021-44228)

Security Bulletin


Summary

The Apache Log4j open source library used by IBM® Db2® On Openshift and by IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation and Db2 Graph features. The fix for the vulnerability is to update the log4j library. Updating log4j to version 2.15.0 or higher also addresses CVE-2021-4104.

Vulnerability Details

CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Fix pack levels of IBM Db2 On Openshift V11.5 on all platforms and IBM Db2 and Db2 Warehouse on Cloud Pak for Data 3.5 and 4.0 fix pack levels on all platforms are affected only if the following features are configured. By default these features are not configured:

  • Db2 Graph

Federation:

  • DVM JDBC wrapper driver
  • NoSQL wrapper driver (for Hadoop)
  • Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)


Remediation/Fixes

Customers running any vulnerable fix pack level of an affected program (V11.5, Cloud Pak for Data 3.5, Cloud Pak for Data 4.0) can download the latest IBM Db2 On Openshift or IBM Db2 and Db2 Warehouse on Cloud Pak for Data fix pack release containing the fix for this issue. These builds are based on the most recent fix pack level of the V11.5.6 release and the Cloud Pak for Data 4.0.3 release. They can be applied to any affected fix pack level of the appropriate release to remediate this vulnerability.

Please note: If the affected release is any fix pack level of Cloud Pak for Data 3.5, you must upgrade to Cloud Pak for Data 4.0 and then apply the latest fix pack release.

Release                                               Fixed in Fix Pack
IBM® Db2® On Openshift                                v11.5.7.0
IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data    v4.0.4

For more information on how to update to a fix pack, refer to the following documentation:

IBM® Db2® On Openshift: https://www.ibm.com/docs/en/db2/11.5?topic=1156-upgrading-updating

IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=upgrading


Workarounds and Mitigations

For the Db2 Federation feature, perform the following:

  • Edit the Openshift db2uclusters resource of the affected Db2 instance(s).
    To list the db2uclusters resources, run: oc get db2uclusters
    e.g. oc edit db2uclusters db2oltp-1639595262124131

  • Add the following line to the registry section of the resource:
    DB2_JVM_STARTARGS: "-Dlog4j2.formatMsgNoLookups=true"

  • Save and exit.

  • Exec into the Db2 Engine pod and, in a bash shell as user db2inst1, run the commands below.
    e.g. to exec into the Db2 engine pod: oc exec -it c-db2oltp-1234567890-db2u-0 bash

  • Perform the following commands (they write a helper script to /db2u/tmp and execute it):

cat <<'EOF' > /db2u/tmp/apply-db2-settings.sh
#!/bin/bash
# Refreshes the cached Db2 configmap settings (including the DB2_JVM_STARTARGS
# registry entry added above), recycles the Db2 instance so the registry
# change takes effect, and re-activates the local databases.

[[ -z "${BLUMETAHOME}" ]] && source /etc/profile
[[ -z "${DB2U_TMP}" ]] && DB2U_TMP=/db2u/tmp

# Set OS env using the Configmap file
[[ -f "${DB2U_TMP}/os_envar_configmap" ]] || \
    /db2u/scripts/update_env_from_configmap.sh --file "${DB2U_TMP}/os_envar_configmap"
. "${DB2U_TMP}/os_envar_configmap"

su_cmd="/bin/bash -lc"
ipclean_prefix="rah"

### Functions ###
# Returns a list of local database names (directory entries of type Indirect)
get_db_list()
{
    local db_list=($(db2 list db directory | grep -B4 -E "[ \t]+Directory.*type[ \t]+=[ \t]+Indirect$" | awk -F'=' '/^[ \t]+Database name[ \t]+=.*/ {print $2}' | sed 's/[ \t]\+//g'))

    echo "${db_list[@]}"
}

# Activates every local database returned by get_db_list
activate_multiple_dbs()
{
    local db_list=($(get_db_list))
    for db in "${db_list[@]}"; do
        db2 -v activate db "${db}"
    done
}

# Update the cached copy of the Db2 CMs
${su_cmd} "source /db2u/scripts/include/db2_functions.sh && install_update_configmap_db2cfg_files && update_db2_regvar_file && apply_cfg_setting_to_db2 -all"

# Disable Wolverine HA if not restricted
[[ "X${RESTRICTED}" != "Xtrue" ]] && wvcli system disable -m "Applying db2cfg settings from all configmaps"

# Recycle Db2 to apply Db2 registry settings
${su_cmd} "db2stop force && ${ipclean_prefix} 'ipclean -a'"
${su_cmd} "db2start"

# Re-enable Wolverine HA if not restricted
[[ "X${RESTRICTED}" != "Xtrue" ]] && wvcli system enable -m "Enable HA after applying db2 cfg settings from all configmaps"

# Activate the databases
activate_multiple_dbs
EOF
chmod +x /db2u/tmp/apply-db2-settings.sh
/db2u/tmp/apply-db2-settings.sh


For the Db2 Graph feature, perform the following:

  • Exec into the Db2 Graph pod.
    e.g. oc exec -it c-db2oltp-1603819662989-graph-5d4b8b694c-nd4jw bash

  • Navigate to the /db2graph/gremlin directory.

  • Edit the gremlin-server.conf file. In the line
      JAVA_OPTIONS="-Xms512m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError -DgremlinServerSandbox=conf/sandbox.yaml"
    add -Dlog4j2.formatMsgNoLookups=true, preceded by a space, just before the final double quote, i.e.:
      JAVA_OPTIONS="-Xms512m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError -DgremlinServerSandbox=conf/sandbox.yaml -Dlog4j2.formatMsgNoLookups=true"

  • Run manage restart.

  • Verify that the argument you added to gremlin-server.conf was picked up by running ps -ef | grep java and inspecting the arguments of the java process.
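Both workarounds above come down to the same two actions: put -Dlog4j2.formatMsgNoLookups=true into a JVM's start arguments, then confirm the running JVM actually has it. The following is an added example, not part of the IBM bulletin: a POSIX shell helper that inserts the flag into a JAVA_OPTIONS="..." line only once, and a checker that scans ps-style output for java processes still missing the flag. The conf file contents and ps lines it runs on are constructed for the demo.

```shell
# Added example (not IBM's code): apply the bulletin's Log4j workaround flag
# to a JAVA_OPTIONS line idempotently and audit JVM command lines for it.
# File names and the ps output used below are constructed for the demo.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# add_flag_to_java_options FILE: insert " $FLAG" before the closing quote of the
# JAVA_OPTIONS="..." line. Returns 1 if there is no such line or the edit failed.
add_flag_to_java_options() {
    file="$1"
    grep -q '^JAVA_OPTIONS="' "$file" || return 1
    grep -q -- "$FLAG" "$file" && return 0   # already mitigated; never add it twice
    tmp="$(mktemp)"
    sed -e "/^JAVA_OPTIONS=\"/ s/\"\$/ ${FLAG}\"/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"              # cat keeps the conf file's permissions
    rm -f "$tmp"
    grep -q -- "$FLAG" "$file"
}

# jvm_has_flag CMDLINE: true only if the flag is its own argument ("=false" fails).
jvm_has_flag() {
    case " $1 " in
        *" $FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# report_unmitigated_jvms: read ps-style lines (e.g. "ps -eo args") from stdin,
# print each java command line lacking the flag, return 1 if any were found.
report_unmitigated_jvms() {
    missing=0
    while IFS= read -r line; do
        case "$line" in
            *grep*) continue ;;   # skip the "grep java" from a ps | grep pipeline
            *java*) ;;
            *) continue ;;
        esac
        jvm_has_flag "$line" || { printf 'MISSING flag: %s\n' "$line"; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# Demo on a constructed gremlin-server.conf line and constructed ps output.
demo_conf="$(mktemp)"
printf 'JAVA_OPTIONS="-Xms512m -Xmx4096m -DgremlinServerSandbox=conf/sandbox.yaml"\n' > "$demo_conf"
add_flag_to_java_options "$demo_conf" && grep '^JAVA_OPTIONS=' "$demo_conf"
rm -f "$demo_conf"
printf '%s\n' 'java -Xms512m -Dlog4j2.formatMsgNoLookups=true -jar gremlin-server.jar' \
    'java -Xms512m -jar gremlin-server.jar' 'grep java' | report_unmitigated_jvms \
    || echo "at least one JVM still needs the flag"
```

On a real pod, pipe the output of ps -eo args into report_unmitigated_jvms after the restart; a clean exit status means every java process carries the flag as a separate argument.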

Change History

20 Dec 2021: Added fix pack versions for IBM Db2 On Openshift and IBM® Db2 and Db2 Warehouse on Cloud Pak for Data
16 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide


Document Information

Modified date: 21 December 2021

UID: ibm16527226