
Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)

Summary

There are multiple Apache Log4j (CVE-2021-45105, CVE-2021-45046) vulnerabilities impacting IBM InfoSphere Information Server which uses Apache Log4j for logging. The fix upgrades Apache Log4j to version 2.17.0.

Vulnerability Details

CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Note: Subsequently, it was determined that InfoSphere Information Server is not vulnerable to this vulnerability.

CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                                             Version(s)
IBM InfoSphere Information Server, Information Server on Cloud  11.7
IBM InfoSphere Information Server, Information Server on Cloud  11.5
IBM InfoSphere Information Server                               11.3

Information Server 11.5 and 11.3 are affected. Both releases are past end of service.

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product                                                     VRMF  APAR     Remediation
InfoSphere Information Server, Information Server on Cloud  11.7  JR64446  --Apply IBM InfoSphere Information Server version 11.7.1.0
                                                                           --Apply IBM InfoSphere Information Server version 11.7.1.3
                                                                           --Apply Information Server 11.7.1.3 Service pack 2
InfoSphere Information Server, Information Server on Cloud  11.5  JR64446  --Upgrade to a fixed release
InfoSphere Information Server                               11.3  JR64446  --Upgrade to a fixed release


Note:

1. You should also apply the fix for other components (WebSphere Application Server, Db2, etc.) in your environment. See the Related information section for relevant bulletins; however, it is best to check the IBM PSIRT blog for any updated information from these components.


2. Information Server saves prior versions of jar files to facilitate patch rollbacks and uninstallation of components:
     a. In the Updates folder within your Information Server location, for each patch installed, a patch folder is created with the name of the patch. The patch folder contains copies of the files that are replaced during the patch install. The patch folder name is based on the name of the patch, which can be seen in the History section of your Version.xml. The files in this folder are used by the Update installer to roll back a patch installation; they are not needed while Information Server is running.
     b. Each time the Update Installer is updated, the jar files used by the Update Installer that have changed are saved in a new lib.<timestamp> folder within the Updates folder.
     c. The _uninstall folder contains files that are only used while uninstalling Information Server components.

    For Apache Log4j related patches, the prior vulnerable versions of Apache Log4j could be present within such folders.
    If you want to remove such Apache Log4j files from the system, take a backup of such a folder and then purge the folder.

    An appropriate backup of the patch folder must be restored before any subsequent patch rollback attempt.
    Likewise, an appropriate backup of the files in _uninstall must be restored before any subsequent uninstall action.


3. The fix previously provided in https://www.ibm.com/support/pages/node/6527372 also fixes CVE-2021-45046.

4. Subsequently, it was determined that InfoSphere Information Server is not vulnerable to CVE-2021-45105.

5. (April 27, 2022) In some configurations (such as when the Services tier is separate), Service Pack 3 might not upgrade all files. For that situation, Service Pack 4 should be installed. You can check your Services tier to see whether any log4j jars with a version older than 2.17.1 are present.

6. (October 14, 2022) Some open source components' use of log4j version 1 was addressed in Information Server 11.7.1.4.
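As an added example that is not part of this bulletin: a Python check that walks an Information Server install root, lists every Log4j jar it can recognise by filename, flags Log4j 2 versions below 2.17.1 (note 5) and Log4j 1.x copies (note 6), and marks copies that sit under the Updates or _uninstall folders (note 2) so they can be backed up and purged rather than mistaken for runtime jars. The tier folder and patch folder names in the constructed sample tree are made up; only Updates and _uninstall come from the bulletin.

```python
import re
import tempfile
from pathlib import Path

# Minimum Log4j 2 version named in note 5 of the bulletin.
FIXED_VERSION = (2, 17, 1)
# Matches log4j-core-2.x.y.jar, log4j-api-2.x.y.jar and the 1.x naming log4j-1.2.y.jar.
JAR_RE = re.compile(r"^log4j(?:-core|-api)?-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)
ROLLBACK_DIRS = {"Updates", "_uninstall"}  # rollback/uninstall copies, not runtime jars (note 2)

def classify(version):
    """Label a (major, minor, patch) tuple: 1.x is end of life (note 6), 2.x must be >= 2.17.1."""
    if version[0] == 1:
        return "log4j-1.x"
    if version < FIXED_VERSION:
        return "below-2.17.1"
    return "ok"

def scan_tree(root):
    """Report every Log4j jar under root recognised by filename; renamed or shaded jars are not detected."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.jar"):
        m = JAR_RE.match(path.name)
        if not m:
            continue
        version = tuple(int(g) for g in m.groups())
        rel = path.relative_to(root)
        findings.append({
            "path": rel.as_posix(),
            "version": ".".join(map(str, version)),
            "status": classify(version),
            "rollback_copy": rel.parts[0] in ROLLBACK_DIRS,
        })
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Create a constructed sample layout (empty files named like Log4j jars); tier folder names are made up."""
    root = Path(tempfile.mkdtemp(prefix="iis-log4j-sample-"))
    for rel in (
        "ServicesTier/lib/log4j-core-2.17.1.jar",          # patched runtime copy
        "EngineTier/lib/log4j-core-2.16.0.jar",            # stale copy on another tier (note 5)
        "Updates/sample_patch/lib/log4j-core-2.15.0.jar",  # rollback copy kept by the Update installer (note 2a)
        "_uninstall/lib/log4j-1.2.17.jar",                 # log4j 1.x copy (note 6)
        "ServicesTier/lib/commons-logging-1.2.jar",        # unrelated jar, ignored
    ):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    return root
```

Run `scan_tree(build_sample_tree())` for a dry run, or pass your own Information Server location; entries with `rollback_copy` set are the ones note 2 says to back up before purging.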

Workarounds and Mitigations

CVE-2021-45105
None. However, InfoSphere Information Server is not vulnerable to this vulnerability.

CVE-2021-45046
Note:
    1. Even though the vulnerability can be mitigated, we strongly recommend applying the fix on top of 11.7.1.3.

    2. It is imperative that the mitigation or fix be applied as soon as possible.
Use the mitigation steps provided in the Workarounds and Mitigations section of https://www.ibm.com/support/pages/node/6527372 to mitigate this issue. If you have already applied those steps, you do not have to repeat them.

References

Change History

20 Jan 2022: Initial Publication
26 Jan 2022: Information Server is not vulnerable to CVE-2021-45105. Hence, mitigation is not needed.
27 Apr 2022: Complete fix is in 11.7.1.3 Service pack 4
28 April 2022: Clarified configurations that need Service pack 4
03 May 2022: Updates/backup and _uninstall/Backup folders should be purged; not the entire Updates & _uninstall folders
31 May 2022: Clarified patch folder is created in Updates location, not a folder named backup
14 Oct 2022: Some open source components' use of log4j version 1 was addressed in 11.7.1.4.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
14 October 2022

UID

ibm16549764