Security Bulletin: Apache Log4j vulnerability affects IBM Business Automation Workflow (CVE-2021-44228)

Summary

Process Federation Server (PFS), shipped with IBM Business Automation Workflow (BAW), is affected by a vulnerability in Log4j. The vulnerable Log4j library is included in the ElasticSearch client library used by PFS. The same vulnerable ElasticSearch library was also shipped with the offline documentation; that copy has already been removed by a prior security bulletin (linked from the Remediation/Fixes section).

Vulnerability Details

CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                Version(s)
IBM Business Automation Workflow   V21.0
                                   V20.0
                                   V19.0
                                   V18.0.0.0.2

Earlier versions of IBM Business Automation Workflow and of IBM Business Process Manager are affected indirectly through WebSphere Application Server (see link to WebSphere Application Server bulletin in Remediation/Fixes section). If the vulnerable version of Log4j was added or used in custom applications, those customer applications may be affected.

Remediation/Fixes

Please follow this IBM PSIRT blog post to keep up to date with additional information on this vulnerability and how it relates to your IBM products.

IBM strongly recommends applying the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64456 as soon as practical:

If you are using IBM Business Automation Workflow V18.0, V19.0, V20.0, and V21.0
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR64456
        --OR--
· Apply cumulative fix IBM Business Automation Workflow V21.0.3 or later

If you are using IBM Business Automation Workflow on Containers, apply cumulative fix IBM Business Automation Workflow V21.0.2-IF006 or later

Note that fixes for various versions may become available over time. Upgrading Process Federation Server generally does not require migration. If you are on a version of Process Federation Server using ElasticSearch V7, you can seamlessly upgrade to 21.0.2 to apply the patch. If you are on a version of Process Server that uses ElasticSearch 6, you can seamlessly upgrade to Process Federation Server V20.0.0.1 and apply the patch.

Another vulnerable copy of the Log4j library was shipped with offline documentation. If you have not already done so, remove offline documentation as advised in Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation.

As an additional protection, we recommend setting a Java system property for your Process Federation Server (or User Management Server) in jvm.options:

Add -Dlog4j2.formatMsgNoLookups=true to jvm.options as described in https://www.ibm.com/docs/en/was-liberty/core?topic=manually-customizing-liberty-environment. Alternatively, you can set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. This setting can help mitigate the risk in any code (including custom code such as a TAI) that uses Log4j 2.10 or later; it has no effect on older 2.x versions.

IBM Business Automation Workflow builds on top of IBM WebSphere Application Server 8.5.5. You must also follow Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) to patch the underlying application server platform.

IBM Business Automation Workflow allows customers to build apps on top of the platform. These apps may bring their own (vulnerable) copy of log4j-core-2.x and may use it from custom Java code. It is important to review and fix all vulnerable use of log4j-core-2.x in your custom apps.
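As an added example that is not IBM's code and not part of this bulletin, the following Python script turns the two preceding recommendations into a check a BAW administrator can run against a server directory: it inventories every log4j-core-2.x jar found under the directory (including copies bundled inside custom apps, as the paragraph above warns), reads each jar's version from its Maven metadata, and reports whether the jvm.options mitigation (-Dlog4j2.formatMsgNoLookups=true) is set and whether it can help for that jar, given the bulletin's statement that the property only works for Log4j 2.10 or later. The directory layout, the jars and the jvm.options file it creates are constructed sample data, not a real installation; the status labels are this example's own; and the 2.15.0 "patched" threshold is Apache's fix version for CVE-2021-44228, taken from general knowledge rather than from this bulletin.

```python
import os
import re
import tempfile
import zipfile

# Class that implements JNDI lookups in log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by log4j-core jars; gives the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The jvm.options line the bulletin recommends for PFS / UMS.
MITIGATION_PROPERTY = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_jar(path):
    """Return (version or None, whether JndiLookup.class is present in the jar)."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:  # fall back to the file name, e.g. log4j-core-2.14.1.jar
            m = re.search(r"log4j-core-(\d+(?:\.\d+)*)", os.path.basename(path))
            version = m.group(1) if m else None
        return version, JNDI_LOOKUP in names


def find_log4j_core_jars(root):
    """Walk the tree and yield every log4j-core*.jar, wherever an app bundled it."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def mitigation_set(jvm_options_path):
    """True if jvm.options contains the property on an uncommented line."""
    if not os.path.isfile(jvm_options_path):
        return False
    with open(jvm_options_path, encoding="utf-8") as fh:
        return any(line.strip() == MITIGATION_PROPERTY
                   for line in fh if not line.lstrip().startswith("#"))


def classify(version, has_jndi_lookup, property_set):
    """Status labels are this example's own, not IBM's or Apache's terminology."""
    if not has_jndi_lookup:
        return "jndi-lookup-absent"        # class stripped: no lookup possible at any version
    if version is None:
        return "unknown-version"
    v = parse_version(version)
    if v >= (2, 15, 0):
        return "patched"                   # Apache fix version for CVE-2021-44228
    if v < (2, 10, 0):
        return "vulnerable-property-ineffective"  # bulletin: property only helps on >= 2.10
    return "vulnerable-mitigated-by-property" if property_set else "vulnerable"


def assess(root, jvm_options_path):
    """Map each jar (path relative to root) to a status, plus the jvm.options state."""
    property_set = mitigation_set(jvm_options_path)
    findings = {}
    for jar in sorted(find_log4j_core_jars(root)):
        version, has_jndi = inspect_jar(jar)
        rel = os.path.relpath(jar, root).replace(os.sep, "/")
        findings[rel] = classify(version, has_jndi, property_set)
    return {"mitigation_property_set": property_set, "findings": findings}


def build_sample_tree():
    """Constructed sample layout (not a real BAW install) so the check runs offline."""
    root = tempfile.mkdtemp(prefix="pfs-sample-")
    specs = [  # (relative jar path, version, include JndiLookup.class)
        ("apps/custom-app/WEB-INF/lib/log4j-core-2.14.1.jar", "2.14.1", True),
        ("apps/legacy-app/WEB-INF/lib/log4j-core-2.9.1.jar", "2.9.1", True),
        ("lib/log4j-core-2.14.1.jar", "2.14.1", False),
        ("lib/log4j-core-2.17.1.jar", "2.17.1", True),
    ]
    for rel, version, with_jndi in specs:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with open(os.path.join(root, "jvm.options"), "w", encoding="utf-8") as fh:
        fh.write("# constructed jvm.options for the Process Federation Server\n")
        fh.write(MITIGATION_PROPERTY + "\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    report = assess(sample, os.path.join(sample, "jvm.options"))
    print("mitigation property set:", report["mitigation_property_set"])
    for jar, status in report["findings"].items():
        print(f"{status:36} {jar}")
```

Against a real server, call assess(root, jvm_options_path) with the server's directory and its jvm.options; every jar that comes back as "vulnerable" or "vulnerable-property-ineffective" is a custom-app copy that the paragraph above tells you to fix regardless of the PFS iFix, and "vulnerable-mitigated-by-property" only means the system property is limiting exposure until the jar is upgraded.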

Workarounds and Mitigations

None

References

Change History

17 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
17 December 2021

UID

ibm16527768