Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832)

Security Bulletin


Summary

An Apache Log4j (CVE-2021-44832) vulnerability impacts IBM InfoSphere Information Server which uses Apache Log4j for logging. The fix upgrades Apache Log4j to version 2.17.1.

Vulnerability Details

CVEID: CVE-2021-44832
DESCRIPTION: Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s): InfoSphere Information Server, InfoSphere Information Server on Cloud
Version(s): 11.7

Information Server 11.5 and 11.3 are affected. Both releases are past end of service.

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product: InfoSphere Information Server, InfoSphere Information Server on Cloud
VRMF: 11.7
APAR: JR64468
Remediation:
--Apply IBM InfoSphere Information Server version 11.7.1.0
--Apply IBM InfoSphere Information Server version 11.7.1.3
--Apply Information Server 11.7.1.3 Service pack 4


Note:

1. For Information Server 11.5 and 11.3, upgrade to a fixed release.


2. Information Server saves prior versions of jar files to facilitate patch rollbacks and uninstall of components:
     a. In the Updates folder within your Information Server location, a patch folder named after the patch is created for each patch installed. The patch folder contains copies of the files that were replaced during the patch install. The patch name can be seen in the History section of your Version.xml. The files in this folder are used only by the Update Installer to roll back a patch installation; they are not needed while Information Server is running.
     b. Each time the Update Installer is updated, the jar files used by the Update Installer that have changed are saved in a new lib.<timestamp> folder within the Updates folder.
     c. The _uninstall folder contains files that are used only while uninstalling Information Server components.

    For Apache Log4j related patches, the prior vulnerable versions of Apache Log4j could be present within such folders.
    If you want to remove such Apache Log4j files from the system, take a backup of such a folder and then purge the folder.

    An appropriate backup of the patch folder must be restored before any subsequent patch rollback attempt.
    Likewise, an appropriate backup of the files in _uninstall must be restored before any subsequent uninstall action.


3. (April 27, 2022) In some configurations (such as when the Services tier is installed separately), Service Pack 3 might not upgrade all files. In that situation, Service Pack 4 should be installed. You can check your Services tier to see whether any log4j jars with a version older than 2.17.1 are present.

4. (October 14, 2022) Some open source components' use of log4j version 1 was addressed in Information Server 11.7.1.4.
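As an added example (not IBM's tooling), the following POSIX shell script walks an Information Server installation and reports every log4j-*.jar whose filename version is below the fixed version 2.17.1, which covers the Services tier check in note 3 as well as the Updates and _uninstall folders described in note 2. It assumes the install path is passed as the first argument and that the version is embedded in the jar filename (log4j-core-2.17.0.jar); a jar without a version in its name is skipped rather than guessed.

```shell
#!/bin/sh
# Report Apache Log4j jars older than the fixed version named in this bulletin.
# Log4j 1.x jars (log4j-1.2.17.jar) are also reported, since 1.x < 2.17.1 (see note 4).
FIXED_VERSION="2.17.1"

# version_lt A B : exit 0 if dotted version A is strictly lower than B.
# Missing components count as 0, so "2.17" < "2.17.1".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a="" || a=${a#*.}
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # equal
}

# jar_version FILE : print the trailing dotted version of a log4j jar filename,
# e.g. log4j-1.2-api-2.17.1.jar -> 2.17.1 (the "1.2" bridge prefix is ignored).
jar_version() {
    base=$(basename "$1" .jar)
    printf '%s\n' "${base##*-}"
}

# find_vulnerable_log4j DIR : print "<version><TAB><path>" for each log4j-*.jar
# under DIR (including Updates/<patch>, Updates/lib.<timestamp> and _uninstall)
# whose filename version is below FIXED_VERSION. Prints nothing when clean.
find_vulnerable_log4j() {
    find "$1" -type f -name 'log4j-*.jar' 2>/dev/null | while IFS= read -r jar; do
        v=$(jar_version "$jar")
        case "$v" in
            [0-9]*) if version_lt "$v" "$FIXED_VERSION"; then
                        printf '%s\t%s\n' "$v" "$jar"
                    fi ;;
            *) ;;   # no version in the filename: not reported, inspect manually
        esac
    done
}

# Usage: sh log4j_scan.sh /path/to/InformationServer (assumed install location)
if [ "$#" -gt 0 ]; then
    find_vulnerable_log4j "$1"
fi
```

An empty result means no jar below 2.17.1 was found by filename; jars shaded into other archives or renamed without a version are outside what this check sees.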

Workarounds and Mitigations

None

Change History

03 Feb 2022: Initial Publication
27 April 2022: Complete fix is in 11.7.1.3 Service pack 4
28 April 2022: Clarified configurations that need Service pack 4
03 May 2022: Updates/backup and _uninstall/Backup folders should be purged; not the entire Updates & _uninstall folders
31 May 2022: Clarified patch folder is created in Updates location, not a folder named backup
14 Oct 2022: Some open source components' use of log4j version 1 was addressed in 11.7.1.4.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
14 October 2022

UID

ibm16553026