APAR status
Closed as program error.
Error description
The Apache Log4j component used by the Event Reporter component of the IBM Transformation Extender (ITX) product suite, versions 10.0.3, 10.1.0 and 10.1.1, is currently at version 2.11.1. This version is vulnerable to the security issue CVE-2021-44228. It should be remediated by upgrading to version 2.15.0, or mitigated by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true in all execution environments.
Local fix
ITXCQ - ITX00061149 PB / LV
Circumvention: If you are not using the Event Reporter feature, remove the <tx_install>\eventreporter\log4j-api-2.11.1.jar file.
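The following check is an added example, not IBM-supplied code: it walks an installation directory, flags Log4j 2 jars in the 2.0 to 2.14.1 range named in this APAR, and reports whether the LOG4J_FORMAT_MSG_NO_LOOKUPS=true mitigation from the error description is present. It assumes jars keep their standard log4j-api-<version>.jar / log4j-core-<version>.jar file names (renamed or bundled copies are not detected); the function names are illustrative.

```python
import os
import re
import sys
from pathlib import Path

# Thresholds as stated in this APAR: 2.0 to 2.14.1 affected, 2.15.0 is the fix level.
FIXED = (2, 15, 0)
# Assumption: standard Maven-style jar names, e.g. log4j-api-2.11.1.jar.
JAR_RE = re.compile(r"^log4j-(api|core)-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$", re.IGNORECASE)


def jar_version(name):
    """Return (artifact, (major, minor, patch)) parsed from a jar file name, or None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1).lower(), (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))


def is_affected(version):
    """True for versions in the affected range given by the APAR."""
    return (2, 0, 0) <= version < FIXED


def lookups_disabled(env=None):
    """True if the mitigation variable is set to 'true' in the given environment."""
    env = os.environ if env is None else env
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def audit(install_root, env=None):
    """Classify every Log4j 2 jar under install_root as ok, mitigated or affected."""
    mitigated = lookups_disabled(env)
    findings = []
    for path in sorted(Path(install_root).rglob("*.jar")):
        parsed = jar_version(path.name)
        if parsed is None:
            continue  # not a log4j-api/log4j-core jar
        artifact, version = parsed
        status = "ok" if not is_affected(version) else ("mitigated" if mitigated else "affected")
        findings.append((str(path), artifact, ".".join(map(str, version)), status))
    return findings


if __name__ == "__main__":
    # Usage: python check_log4j.py <tx_install>
    for row in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("\t".join(row))
    print("LOG4J_FORMAT_MSG_NO_LOOKUPS=true set:", lookups_disabled())
```

The variable is read from the environment of the process running the script, so run it under the same account and environment that starts ITX in each execution environment.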
Problem summary
Users Affected: IBM Transformation Extender users using Delivery-Affected Component Event Reporter, Flow Dashboard users.
Problem Description: ITX usage of log4j and vulnerability CVE-2021-44228
Platforms Affected: All
Problem conclusion
The critical security vulnerability CVE-2021-44228, which affects Log4j versions 2.0 to 2.14.1, has been addressed by upgrading the Log4j components included with the product distributions to 2.15.0, as advised by Apache Log4j.
Applies to: 10.0.3.0, 10.1.0.1, 10.1.1.0
Fixed in the next service packs and releases.
To obtain the fix for this APAR:
To see if the next service pack or product release is available, check the IBM Transformation Extender Release Notes page: https://www.ibm.com/support/docview.wss?uid=swg27008337
If the service pack or product release is available, download it from Fix Central: http://www.ibm.com/support/fixcentral/
If the service pack or product release is not available and you require the APAR fix immediately, request a Limited Availability Interim Fix (LAIF) by opening a case: https://www.ibm.com/mysupport/
Prior to version 9.0.0, IBM Transformation Extender was called IBM WebSphere Transformation Extender.
Temporary fix
Comments
APAR Information
APAR number
PH42789
Reported component name
ITX
Reported component ID
5724Q2300
Reported release
A10
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-12-14
Closed date
2022-05-26
Last modified date
2022-06-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
ITX
Fixed component ID
5724Q2300
Applicable component levels
Document Information
Modified date:
18 June 2022