Security Bulletin
Summary
Multiple vulnerabilities were identified within the Apache Log4j library (CVE-2021-45046, CVE-2021-45105) that is used by Netcool Operations Insight to provide logging functionality.
Vulnerability Details
CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process.
Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information, achieve remote code execution in some environments, and achieve local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
Affected Product(s) | Version(s)
--- | ---
Netcool Operations Insight | 1.4
Netcool Operations Insight | 1.5
Netcool Operations Insight | 1.6
Remediation/Fixes
IBM strongly recommends addressing the vulnerabilities now.
Please take careful inventory of components downloaded at any time and be sure to apply the remediations for any component that may have been installed whether or not it is currently in use.
To address the recent Apache Log4j vulnerabilities, all installed components must be upgraded.
Red Hat OpenShift Platform

If you are on a version between 1.4 and 1.6.2, move to IBM Netcool Operations Insight V1.6.3 on Red Hat OpenShift. Install the recommended fix v1.6.3.2 as per https://www.ibm.com/support/pages/node/6527810. The fix includes Apache Log4j 2.17.1.

Traditional On Premise

On Premise Component Product | IBM Netcool Operations Insight Version(s) | Remediation Steps
--- | --- | ---
IBM Netcool Agile Service Manager | 1.4-1.6 | This includes Apache Log4j 2.17.1.
IBM Cognos Analytics | 1.6 | Please see the steps for Bundled Customers in the Remediation section of Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832). This includes Apache Log4j 2.17.1.
IBM Db2 | 1.4-1.6 | This includes Apache Log4j 2.17.0.
IBM Jazz for Service Management | 1.4-1.6 | This includes Apache Log4j 2.17.0. A further update is available that includes Apache Log4j 2.17.1.
IBM Tivoli Netcool Impact | 1.4-1.6 | This includes Apache Log4j 2.17.0. A further update is available that includes Apache Log4j 2.17.1.
IBM Netcool/OMNIbus | 1.4-1.6 | This includes Apache Log4j 2.17.1.
IBM Tivoli Netcool/OMNIbus Probes and Gateways | 1.4-1.6 | See Netcool/OMNIbus Integrations Release Notice - Transport Module Common Integration Library and Netcool/OMNIbus Integrations Release Notice - Java Netcool Utility Library. These include Apache Log4j 2.17.1.
IBM Tivoli Netcool/OMNIbus Web GUI | 1.4-1.6 | This includes Apache Log4j 2.17.1.
IBM Network Performance Insight | 1.6.0-1.6.2 | There is an interim fix available on Fix Central (1.3.1.0-TIV-NPI-IF0005). This includes Apache Log4j 2.17.0.
IBM Operations Analytics - Log Analysis | 1.4-1.6 | If Apache Log4j CVE-2021-44228 has already been addressed by executing the steps documented in the bulletin above, they do not have to be duplicated. This includes Apache Log4j 2.17.0.
IBM Operations Analytics - Predictive Insights | 1.4-1.6 | This includes Apache Log4j 2.17.1.
IBM Tivoli Business Service Manager (TBSM) | 1.4-1.6 | For IBM Tivoli Netcool Impact: this includes Apache Log4j 2.17.0; a further update is available that includes Apache Log4j 2.17.1. For WebSphere Application Server: this removes Apache Log4j from IBM WebSphere Application Server. If Apache Log4j CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have already been addressed by executing the steps documented in the bulletins above relating to those components, they do not have to be duplicated.
IBM Tivoli Netcool Configuration Manager | 1.4-1.6 | For WebSphere Application Server: this removes Apache Log4j from IBM WebSphere Application Server. If Apache Log4j CVE-2021-45105 and CVE-2021-44832 have already been addressed by executing the steps documented in the bulletin above relating to the component, they do not have to be duplicated.
IBM Tivoli Network Manager IP Edition | 1.4-1.6 | See Interim Fix 4.2.0.14-TIV-ITNMIP-LinuxAll-IF1 and follow the instructions in the ReadMe to remediate. This includes Apache Log4j 2.17.1.
IBM WebSphere Application Server | 1.4-1.6 | This removes Apache Log4j from IBM WebSphere Application Server.
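As an added aid for the component inventory the Remediation section asks for (this script is not part of IBM's bulletin or any product), the following Python walks an install tree, reads the version of every log4j-core jar from its manifest (falling back to the file name), and flags anything below the 2.17.1 that the fixes above deliver. The sample tree it builds uses constructed paths and versions, not real product layouts.

```python
import re
import tempfile
import zipfile
from pathlib import Path
# Target is the Log4j 2.17.1 delivered by this bulletin's fixes (some rows ship 2.17.0).
FIXED_VERSION = (2, 17, 1)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Turn '2.17.1' (possibly embedded in a file name) into (2, 17, 1); None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(jar_path):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # damaged or stripped jar: fall through to the file name
    return parse_version(jar_path.name)

def inventory(root):
    """Return sorted (path, version, needs_update) for every log4j-core jar under root."""
    findings = []
    for path in sorted(Path(root).rglob("log4j-core*.jar")):
        ver = jar_version(path)
        # An unreadable version is reported as needing attention, never assumed safe.
        findings.append((str(path), ver, ver is None or ver < FIXED_VERSION))
    return findings

def build_sample_tree():
    """Constructed sample install tree (hypothetical paths, not real product layouts)."""
    root = Path(tempfile.mkdtemp())
    samples = {"comp_a/lib/log4j-core-2.15.0.jar": "2.15.0",
               "comp_b/lib/log4j-core-2.17.1.jar": "2.17.1"}
    for rel, ver in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")
    return root

if __name__ == "__main__":
    for path, ver, needs in inventory(build_sample_tree()):
        print(f"{'UPDATE' if needs else 'ok    '} {ver} {path}")
```

Point `inventory()` at each product's installation directory; jars packed inside .war or .ear archives are not opened by this version and need a separate pass.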
Workarounds and Mitigations
Red Hat OpenShift Platform
None.
Traditional On Premise
None except as described in the individual on premise component security bulletins in the Remediation/Fixes table above.
References
Change History
17 Jan 2022: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
09 February 2022
UID
ibm16554808