Security Bulletin
Summary
Apache Log4j open source library used by IBM® Db2® Warehouse is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature.
Vulnerability Details
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
Fix pack levels of IBM Db2 Warehouse V11.5 on all platforms are affected only if the following features are configured:
Federation:
- DVM JDBC wrapper driver,
- NoSQL wrapper driver (for Hadoop),
- Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)
Remediation/Fixes
Customers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the fix for this issue. These special builds are available based on the most recent fixpack level for the V11.5.6 release. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.
Release | Fixed in Fix Pack |
v11.5.6.0 |
v11.5.6.0-cn2-db2wh-linux
v11.5.6.0-cn2-db2wh-ppcle
v11.5.6.0-cn2-db2wh-s390x
|
For information about how to update, see the following topics:
https://www.ibm.com/docs/en/db2-warehouse?topic=warehouse-updating-db2
https://www.ibm.com/docs/en/db2-warehouse?topic=container-updating-client-linux
https://www.ibm.com/docs/en/db2-warehouse?topic=planning-containers
Workarounds and Mitigations
IBM strongly recommends addressing the vulnerability now.
To disable Log4j for the Db2 Federation feature, perform the following:
As root, perform the following commands:
wvcli system disable -m "update db2set"
su - dsadm -c "/opt/ibm/dsserver/bin/stop.sh"
As db2inst1, perform the following commands:
db2 force applications all
db2 deactivate db bludb
db2stop force
rah 'ipclean -a'
db2set DB2_JVM_STARTARGS="-Dlog4j2.formatMsgNoLookups=true"
db2start
db2 activate db bludb
As root, perform the following commands:
su - dsadm -c "/opt/ibm/dsserver/bin/start.sh"
wvcli system enable -m "update db2set"
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
14 Jan 2022: Updated version affected to include all versions of Db2 Warehouse v11.5
17 Dec 2021: Added fix pack docker image tags for 11.5.6.0-cn2 special builds on Linux 64-bit System z®, System z9® or zSeries®, Linux 64-bit, Linux 64-bit POWER™ little endian
16 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
14 January 2022
UID
ibm16527322