Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105)

Summary

Multiple vulnerabilities were identified within the Apache Log4j library (CVE-2021-45046, CVE-2021-45105) that is used by Netcool Operations Insight to provide logging functionality.

Vulnerability Details

CVEID:   CVE-2021-45105
DESCRIPTION:   Apache Log4j is vulnerable to a denial of service, caused by a failure to protect against uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data can craft input that contains a recursive lookup, causing a StackOverflowError that terminates the process. Note: The vulnerability is also tracked as LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2021-45046
DESCRIPTION:   Apache Log4j could allow remote code execution, caused by an incomplete fix for CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft input using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9.0
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
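Both descriptions above turn on the same configuration condition: a Pattern Layout that evaluates a Context (Thread Context Map) lookup such as $${ctx:loginId} over attacker-influenced MDC data. The Python below is an added example, not IBM or Apache code. It lints a log4j2.xml or log4j2.properties for such patterns so that the appenders meeting this condition can be prioritised for the upgrade. The appender names, the loginId key and all configuration text are constructed for the demonstration. It is a triage aid only: it does not make an installation safe, and the remediation remains the upgrade listed under Remediation/Fixes.

```python
"""Lint Log4j 2 configurations for PatternLayouts that evaluate a Context Lookup.

Added example, not IBM's or Apache's code. Finds ${ctx:...} / $${ctx:...} lookups in
layout patterns (log4j2.xml or log4j2.properties). Triage aid only; the fix is the
upgrade named in the bulletin. All configuration text below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# $${ctx:key} is the escaped form written in config files; ${ctx:key} the evaluated form.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")


def find_ctx_lookups(pattern):
    """Return every Context Lookup present in a layout pattern string."""
    return CTX_LOOKUP.findall(pattern)


def lint_xml(text):
    """Yield (appender_name, pattern, lookups) for each risky PatternLayout in an XML config."""
    root = ET.fromstring(text)
    for appender in root.iter():
        # A PatternLayout is a direct child of the appender it belongs to.
        for layout in appender.findall("PatternLayout"):
            pat = layout.get("pattern")
            if pat is None:  # the pattern may also be given as a <Pattern> child element
                elem = layout.find("Pattern")
                pat = elem.text if elem is not None else ""
            hits = find_ctx_lookups(pat or "")
            if hits:
                yield appender.get("name", appender.tag), pat, hits


def lint_properties(text):
    """Same check for the properties format: appender.<id>.layout.pattern = ..."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("appender.") and key.endswith(".layout.pattern"):
            hits = find_ctx_lookups(value.strip())
            if hits:
                yield key.split(".")[1], value.strip(), hits


# Constructed samples (assumed names: Console, Audit, loginId). The first pattern
# interpolates an MDC value through a lookup, the condition named in the CVE text.
RISKY_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [%t] user=$${ctx:loginId} %c - %m%n"/>
    </Console>
    <RollingFile name="Audit" fileName="audit.log" filePattern="audit-%i.log">
      <PatternLayout><Pattern>%d %m%n</Pattern></PatternLayout>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# The same configuration with the lookup removed from the pattern.
CLEAN_XML = RISKY_XML.replace(" user=$${ctx:loginId}", "")

RISKY_PROPERTIES = """status = warn
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d %p user=${ctx:loginId} - %m%n
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = STDOUT
"""

if __name__ == "__main__":
    for name, pat, hits in list(lint_xml(RISKY_XML)) + list(lint_properties(RISKY_PROPERTIES)):
        print(f"appender {name!r}: lookups {hits} in pattern {pat!r}")
    print("clean config findings:", list(lint_xml(CLEAN_XML)))
```

Run it against each component's logging configuration before and after the upgrade; a hit means that appender evaluates MDC data through a lookup and that host should be upgraded first. A clean result says nothing about the Log4j version itself, which still has to be checked separately.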

Affected Products and Versions

Affected Product(s)            Version(s)
Netcool Operations Insight     1.4
Netcool Operations Insight     1.5
Netcool Operations Insight     1.6

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now.

Take careful inventory of every component downloaded at any time, and apply the remediation for each component that may have been installed, whether or not it is currently in use.

To address the recent Apache Log4j vulnerabilities, all installed components must be upgraded.
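As a check on the inventory step above, the Python below is an added example, not IBM tooling. It walks an install root, opens every .jar/.war/.ear/.zip, descends into archives nested inside them, reads the version from the pom.properties that log4j-core ships inside its own jar, and grades each copy against the versions this bulletin names (2.17.0 fixes CVE-2021-45046 and CVE-2021-45105; 2.17.1 additionally fixes CVE-2021-44832). The directory and archive names and the sample layout built by build_sample_tree() are constructed for the demonstration. The thresholds apply to the Log4j 2.x mainline; the 2.3.x and 2.12.x backport branches are flagged for manual comparison against their own fixed releases.

```python
"""Inventory every log4j-core copy under an install root, nested archives included,
and grade each against the fixed versions this bulletin names. Added example, not IBM
code; build_sample_tree() constructs a demo layout, not a real NOI install."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that log4j-core ships inside its own jar; its version= line is authoritative.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0, 0); None if no leading number."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def log4j_core_version(zf):
    """Version string from log4j-core's pom.properties in an open ZipFile, or None."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_archive(data, location, findings):
    """Inspect one archive held in memory, then recurse into archive entries nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        ver = log4j_core_version(zf)
        if ver is not None:
            findings.append((location, ver))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), location + "!" + name, findings)

def scan_tree(root):
    """Walk a directory; return [(location, version)] for every log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings

def status_for(version):
    """Grade a version against the bulletin: 2.17.0 fixes both CVEs, 2.17.1 adds CVE-2021-44832."""
    v = parse_version(version) or (0, 0, 0)
    if v[:2] in ((2, 3), (2, 12)) and v < (2, 17, 0):  # Java 6/7 backport lines have their own fixes
        return "backport branch (2.3.x/2.12.x): check against its own fixed release"
    if v < (2, 16, 0):
        return "VULNERABLE: CVE-2021-45046 and CVE-2021-45105"
    if v < (2, 17, 0):
        return "VULNERABLE: CVE-2021-45105"
    if v < (2, 17, 1):
        return "fixed for this bulletin; below 2.17.1 (CVE-2021-44832)"
    return "ok"

def make_jar_bytes(version=None, extra=()):
    """Build an in-memory jar; embed a log4j-core pom.properties when version is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        for name, data in extra:
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample: a patched jar, an old copy nested in an .ear, 2.17.0 inside a .war."""
    os.makedirs(os.path.join(root, "lib"))
    samples = [
        ("lib/log4j-core-2.17.1.jar", make_jar_bytes("2.17.1")),
        ("noi.ear", make_jar_bytes(extra=[("lib/log4j-core-2.14.1.jar", make_jar_bytes("2.14.1")),
                                          ("lib/other.jar", make_jar_bytes())])),
        ("probe.war", make_jar_bytes(extra=[("WEB-INF/lib/log4j-core-2.17.0.jar", make_jar_bytes("2.17.0"))])),
    ]
    for rel, data in samples:
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

def demo_report():
    """Build the sample in a temp dir, scan it, return [(location, version, status)] by version."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(((loc, ver, status_for(ver)) for loc, ver in scan_tree(root)), key=lambda r: r[1])

if __name__ == "__main__":
    for location, ver, status in demo_report():
        print(f"{ver:8} {status:60} {location}")
```

Point scan_tree() at each component's install root and map every VULNERABLE line back to the component bulletin below. A shaded or repackaged copy that drops the Maven metadata is not detected, so treat a clean result as necessary rather than sufficient.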

Red Hat OpenShift Platform

If you are on a version between 1.4 and 1.6.2, upgrade to IBM Netcool Operations Insight V1.6.3 on Red Hat OpenShift:

https://www.ibm.com/support/knowledgecenter/en/SSTPTP_1.6.3/com.ibm.netcool_ops.doc/soc/integration/task/soc_int_upgrade_cloud.html

Then install the recommended fix, v1.6.3.2, as described at

https://www.ibm.com/support/pages/node/6527810

The fix includes Apache Log4j 2.17.1.

Traditional On Premise

The entries below list each on premise component product, the IBM Netcool Operations Insight version(s) that include it, and the remediation steps to apply.

IBM Netcool Agile Service Manager (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105)

The fix includes Apache Log4j 2.17.1.

IBM Cognos Analytics (Netcool Operations Insight 1.6)

See the steps for Bundled Customers in the Remediation section of Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832)

The fix includes Apache Log4j 2.17.1.

IBM Db2 (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105)

The fix includes Apache Log4j 2.17.0.

IBM Jazz for Service Management (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-45046)

The fix includes Apache Log4j 2.17.0.

A further update is available:

See Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability (CVE-2021-44832)

The fix includes Apache Log4j 2.17.1.

IBM Tivoli Netcool Impact (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046)

The fix includes Apache Log4j 2.17.0.

A further update is available:

See Security Bulletin: A vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact (CVE-2021-44832)

The fix includes Apache Log4j 2.17.1.

IBM Netcool/OMNIbus (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: Tivoli Netcool/Omnibus installation contains vulnerable Apache Log4j code (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105)

The fix includes Apache Log4j 2.17.1.

IBM Tivoli Netcool/OMNIbus Probes and Gateways (Netcool Operations Insight 1.4-1.6)

See Netcool/OMNIbus Integrations Release Notice - Transport Module Common Integration Library

and

Netcool/OMNIbus Integrations Release Notice - Java Netcool Utility Library

These fixes include Apache Log4j 2.17.1.

IBM Tivoli Netcool/OMNIbus Web GUI (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: IBM Tivoli Netcool/OMNIbus Web GUI is vulnerable to multiple Apache Log4j vulnerabilities (CVE-2021-45046, CVE-2021-45105)

The fix includes Apache Log4j 2.17.1.

IBM Network Performance Insight (Netcool Operations Insight 1.6.0-1.6.2)

An interim fix, 1.3.1.0-TIV-NPI-IF0005, is available on Fix Central.

The fix includes Apache Log4j 2.17.0.

IBM Operations Analytics - Log Analysis (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2021-44228)

If Apache Log4j CVE-2021-44228 has already been addressed by executing the steps documented in the bulletin above, the steps do not have to be repeated.

The fix includes Apache Log4j 2.17.0.

IBM Operations Analytics - Predictive Insights (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: A vulnerability in Apache log4j (CVE-2021-45105) affects IBM Operations Analytics Predictive Insights

The fix includes Apache Log4j 2.17.1.

IBM Tivoli Business Service Manager (TBSM) (Netcool Operations Insight 1.4-1.6)

For IBM Tivoli Netcool Impact:

See Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046)

The fix includes Apache Log4j 2.17.0.

A further update is available:

See Security Bulletin: A vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact (CVE-2021-44832)

The fix includes Apache Log4j 2.17.1.

________________________________________________________

For WebSphere Application Server:

See Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)

The fix removes Apache Log4j from IBM WebSphere Application Server.

________________________________________________________

If Apache Log4j CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have already been addressed by executing the steps documented in the bulletins above for those components, the steps do not have to be repeated.

IBM Tivoli Netcool Configuration Manager (Netcool Operations Insight 1.4-1.6)

For WebSphere Application Server:

See Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)

The fix removes Apache Log4j from IBM WebSphere Application Server.

________________________________________________________

If Apache Log4j CVE-2021-45105 and CVE-2021-44832 have already been addressed by executing the steps documented in the bulletin above for that component, the steps do not have to be repeated.

IBM Tivoli Network Manager IP Edition (Netcool Operations Insight 1.4-1.6)

See Interim Fix 4.2.0.14-TIV-ITNMIP-LinuxAll-IF1 and follow the instructions in its README to remediate.

The fix includes Apache Log4j 2.17.1.

 

IBM WebSphere Application Server (Netcool Operations Insight 1.4-1.6)

See Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)

The fix removes Apache Log4j from IBM WebSphere Application Server.

Workarounds and Mitigations

Red Hat OpenShift Platform

None.

Traditional On Premise

None, except as described in the individual on premise component security bulletins referenced in the Remediation/Fixes section above.

Change History

17 Jan 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the X-Force Exchange links given under Vulnerability Details in this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 09 February 2022

UID: ibm16554808