Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228)

Security Bulletin


Summary

Apache Log4j is used for logging in multiple components of the IBM Cloud Pak System (CPS) appliance: Logstash, VMware vCenter, IBM Hardware Management Console and product pattern type (pType). Arbitrary code execution vulnerabilities have been identified in Apache Log4j.

Vulnerability Details

CVEID:   CVE-2021-45046
DESCRIPTION:   Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                    Version(s)
IBM Cloud Pak System Software Suite    2.3.3.0
IBM Cloud Pak System                   2.3
IBM Cloud Pak System                   2.3.1.1, 2.3.2.0

Remediation/Fixes

For unsupported versions, releases or platforms, IBM recommends upgrading to a fixed, supported version of the product.

In response to these vulnerabilities, IBM Cloud Pak System has issued the following fixed releases, with the affected supporting products updated as noted:

- Logstash: IBM Cloud Pak System v2.3.3.4 updates the plugin to Logstash v7.16.3.

- Spectrum Scale pattern type (pType): IBM Cloud Pak System v2.3.3.4 updates the pType to include Spectrum Scale 5.0.5.12.

- vCenter: IBM Cloud Pak System v2.3.3.5 updates the vCenter image to vCenter 6.7 U3q.

- Hardware Management Console (HMC): IBM Cloud Pak System v2.3.3.7 updates the HMC Power image 8.7.0 Service Pack 3 to include Log4j 2.17.1.

- Cloud Pak System instances in which Log4j 1.x (CVE-2021-4104) occurrences were found: Cloud Pak System updates those instances to Log4j 2.17.1.

IBM strongly recommends addressing the vulnerability now.

For IBM Cloud Pak System V2.3.0 through V2.3.3.4, upgrade to IBM Cloud Pak System V2.3.3.5 for Intel, available at Fix Central.

For IBM Cloud Pak System V2.3.1.1 and V2.3.2.0, upgrade to IBM Cloud Pak System V2.3.3.7 for Power [target availability June 23, 2023], available at Fix Central.

Information on upgrading: http://www.ibm.com/support/docview.wss?uid=ibm10887959
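Every fix listed above reduces, on the operator's side, to one verification: which Log4j artifacts a component actually contains, at what version, and whether any Log4j 1.x copies remain. The following Python script is an added example, not IBM's code and not part of Cloud Pak System. It inventories log4j-core inside JAR, WAR and EAR archives, including archives nested inside other archives (fat jars and web applications are where outdated copies usually hide), reads the version from the artifact's own Maven pom.properties and falls back to the file name only when that is missing, flags anything below 2.17.1 (the level the fixed releases ship) and any Log4j 1.x artifact, and reports whether JndiLookup.class is present. The sample archives are constructed in memory with placeholder class bytes; the 2.17.1 threshold, the metadata paths and the assumption that components are ordinary zip-based archives are choices made for this example, and the script knows nothing about Cloud Pak System's own file layout.

```python
"""Inventory Log4j in JAR/WAR/EAR archives, including nested ones (added example)."""
import io
import re
import zipfile
from pathlib import Path

FIXED = (2, 17, 1)   # the Log4j 2 level the bulletin's fixes bring components to
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5        # how far to descend into archives nested in archives


def parse_version(props: str):
    """'version=2.14.1' from a Maven pom.properties -> (2, 14, 1)."""
    for line in props.splitlines():
        if line.startswith("version="):
            nums = re.findall(r"\d+", line.split("=", 1)[1])
            return tuple(int(n) for n in nums[:3])
    return None


def inspect_archive(data: bytes, path: str, findings: list, depth: int = 0) -> None:
    """Append one finding per Log4j artifact found in `data` or anything nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                       # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        log4j1 = LOG4J1_POM in names
        if CORE_POM in names:        # authoritative: the artifact's own metadata
            version = parse_version(zf.read(CORE_POM).decode("utf-8", "replace"))
        elif log4j1:
            version = parse_version(zf.read(LOG4J1_POM).decode("utf-8", "replace"))
        else:                        # fall back to the file name (unreliable after repackaging)
            m = JAR_NAME.search(path)
            if m:
                version = tuple(int(x) for x in m.groups())
        if version is not None or log4j1:
            findings.append({
                "path": path,
                "version": version,
                "log4j1": log4j1,
                "jndi_lookup_class": JNDI_CLASS in names,
                "needs_update": log4j1 or (version is not None and version < FIXED),
            })
        if depth < MAX_DEPTH:        # fat jars, wars and ears bundle log4j-core inside
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    inspect_archive(zf.read(n), f"{path}!/{n}", findings, depth + 1)


def audit_bytes(archives: dict) -> list:
    """Inspect in-memory archives {name: bytes}."""
    findings: list = []
    for name, data in archives.items():
        inspect_archive(data, name, findings)
    return findings


def audit_tree(root: Path) -> list:
    """Walk a directory (e.g. an extracted component) and inspect every archive in it."""
    findings: list = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            inspect_archive(p.read_bytes(), str(p), findings)
    return findings


def build_jar(entries: dict) -> bytes:
    """Build a minimal zip in memory; used only to construct the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives; the .class payloads are placeholders, not real bytecode.
_OLD_CORE = build_jar({CORE_POM: b"version=2.14.1\nartifactId=log4j-core\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
SAMPLE_ARCHIVES = {
    "log4j-core-2.17.1.jar": build_jar({CORE_POM: b"version=2.17.1\nartifactId=log4j-core\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"}),
    "app.war": build_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": _OLD_CORE, "WEB-INF/classes/App.class": b"\xca\xfe\xba\xbe"}),
    "log4j-1.2.17.jar": build_jar({LOG4J1_POM: b"version=1.2.17\nartifactId=log4j\n", "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe"}),
}

if __name__ == "__main__":
    for f in audit_bytes(SAMPLE_ARCHIVES):
        ver = ".".join(map(str, f["version"])) if f["version"] else "unknown"
        print(f"{f['path']}: version={ver} log4j1={f['log4j1']} "
              f"jndi_lookup_class={f['jndi_lookup_class']} needs_update={f['needs_update']}")
```

On a real system, point audit_tree at an extracted component or pattern directory; archives are parsed in memory and nothing is written back. The version is read from pom.properties before the file name on purpose, because repackaged or shaded jars keep the original metadata while the file name says nothing.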

 

Workarounds and Mitigations

None.

References

Acknowledgement

Change History

11 Jan 2022: Initial Publication
13 Aug 2022: Updated Remediation section: fix available. The VMware vCenter 6.7 update for Intel ships with Cloud Pak System v2.3.3.5.
27 Oct 2022: Updated Workarounds and Mitigations section.
23 Jan 2023: Updated Remediation section.
20 Jun 2023: Updated Remediation section with new release information. The HMC Power v8 image update for Power ships with Cloud Pak System v2.3.3.7.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
22 June 2023

UID

ibm16537856