Security Bulletin
Summary
Apache Log4j is used for logging in multiple components of the IBM Cloud Pak System (CPS) appliance: Logstash, VMware vCenter, IBM Hardware Management Console and product pattern type (pType). Arbitrary code execution vulnerabilities have been identified in Apache Log4j.
Vulnerability Details
CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, leading to information leakage and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Cloud Pak System Software Suite | 2.3.3.0 |
| IBM Cloud Pak System | 2.3 |
| IBM Cloud Pak System | 2.3.1.1, 2.3.2.0 |
Remediation/Fixes
For unsupported versions, releases or platforms, IBM recommends upgrading to a fixed, supported version of the product.
In response to these vulnerabilities, IBM Cloud Pak System provides the following fixed releases and updated supporting products:
- Logstash: IBM Cloud Pak System v2.3.3.4 updates the plugin to Logstash v7.16.3.
- Spectrum Scale pattern type (pType): IBM Cloud Pak System v2.3.3.4 updates the pType to include Spectrum Scale 5.0.5.12.
- vCenter: IBM Cloud Pak System v2.3.3.5 updates the vCenter image to vCenter 6.7 U3q.
- Hardware Management Console (HMC): IBM Cloud Pak System v2.3.3.7 updates the HMC Power Image 8.7.0 Service Pack 3 to include Log4j 2.17.1.
- Cloud Pak System instances in which Log4j v1 (CVE-2021-4104) occurrences were found: Cloud Pak System updates those instances to Log4j 2.17.1.
IBM strongly recommends addressing the vulnerability now.
For IBM Cloud Pak System V2.3.0 through V2.3.3.4, upgrade to IBM Cloud Pak System V2.3.3.5 for Intel, available at Fix Central.
For IBM Cloud Pak System V2.3.1.1 and V2.3.2.0, upgrade to IBM Cloud Pak System V2.3.3.7 for Power, which ships with [target availability June 23, 2023] at Fix Central.
Information on upgrading: http://www.ibm.com/support/docview.wss?uid=ibm10887959
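As an added example (not part of IBM's bulletin or product), the following Python script checks for the two conditions the bulletin describes: a log4j-core jar below the 2.17.1 level the fixes ship with, and the non-default PatternLayout Context Lookup (`${ctx:...}`) that CVE-2021-45046 depends on. The pom.properties path is the one Maven-built jars carry; the sample jar and configuration are constructed for the example.

```python
"""Defender-side checks for the conditions named in the bulletin."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 17, 1)  # Log4j level named in this bulletin's fixes
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")  # ${ctx:...} or escaped $${ctx:...}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded in the jar's pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def needs_update(version):
    """True when below 2.17.1. Assumes the 2.x main line; the Java 7/6
    back-port branches (2.12.x, 2.3.x) carry their own fixed levels."""
    return parse_version(version) < FIXED_VERSION


def context_lookup_patterns(config_xml):
    """Every PatternLayout pattern in a log4j2.xml that uses a Context Lookup.
    Such a pattern lets MDC data reach the lookup machinery (CVE-2021-45046)."""
    hits = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
        if CTX_LOOKUP.search(pattern):
            hits.append(pattern)
    return hits


def make_sample_jar(version):
    """Constructed minimal jar (pom.properties only) for testing the version check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


SAMPLE_CONFIG = """<Configuration><Appenders>
  <Console name="c"><PatternLayout pattern="%d %p %c - ${ctx:user} %m%n"/></Console>
  <File name="f" fileName="app.log"><PatternLayout pattern="%d %p %m%n"/></File>
</Appenders></Configuration>"""  # constructed example config; second layout is safe
```

Run `needs_update(log4j_core_version(data))` over every jar found on a host and `context_lookup_patterns` over its log4j2.xml files; either returning a positive result means the bulletin's fixes apply.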
Workarounds and Mitigations
None.
References
Acknowledgement
Change History
11 Jan 2021: Initial Publication
13 Aug 2022: Updated; fix available.
Fix available: VMware vCenter v6.7 update for Intel with release Cloud Pak System v2.3.3.5.
27 Oct 2022: Updated Workaround Section.
23 Jan 2023: Updated Remediation Section.
20 Jun 2023: Updated Remediation with new release information.
Fix available: HMC Power v8 image update for Power with release Cloud Pak System v2.3.3.7.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date: 22 June 2023
UID: ibm16537856