
Security Bulletin: Sterling Order Management and vulnerability in Apache Log4j2 Library (CVE-2021-44228)

Abstract

Is Sterling Order Management affected by CVE-2021-44228?

Content

IBM is aware of the recently surfaced vulnerability CVE-2021-44228 in Apache log4j 2.0 to 2.14.1 and has determined that some Sterling Order Management components are impacted. The following table summarizes the impacted OMS components and the associated mitigation plan.
| Components | Current log4j Version | Impacted by CVE-2021-44228? | Immediate Mitigation Plan | Latest Status |
| --- | --- | --- | --- | --- |
| Sterling Order Management SaaS, On-prem and Certified Containers (including Store Engagement & Call Center) | v1.x | No (the previous version in use was not impacted) | Upgraded to v2.17.1 on Mar 31st, 2022 (both SaaS and On-prem) | Sterling Order Management SaaS: upgraded to v2.17.1 as part of 22.1 Minor Update 1. Sterling Order Management On-prem: upgraded to v2.17.1 as part of Fix Pack 30 |
| Inventory Visibility Microservice | v2.14.0 | Yes | Upgraded to v2.15.0 on Dec 13th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| Promising Microservice | v2.13.3 | Yes | Upgraded to v2.15.0 on Dec 13th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| OMS Data Exchange Service | v2.11.1 | Yes | Upgraded to v2.15.0 on Dec 13th, 2021 | Upgraded to v2.17.0 on Jan 12th, 2022 |
| Store Inventory Management Microservice | v2.13.1 | Yes | Upgraded to v2.15.0 on Dec 14th, 2021 | Upgraded to v2.17.0 on Jan 12th, 2022 |
| Order Hub | v2.13.1 | Yes | Upgraded to v2.15.0 on Dec 14th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| Sterling Fulfillment Optimizer (SFO) | v2.14.0 | Yes | Upgraded to v2.15.0 on Dec 14th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| CPQ: Omni-Configurator and VM | v2.14.0 (v10); v1.x (v9.5) | v10: Yes; v9.5: No | Upgraded to v2.15.0 as part of VMOC FP23, released on Dec 15th, 2021 | Upgraded to v2.17.0 as part of VMOC FP24, released on Jan 7th, 2022 |
| CPQ: Field Sales Application | v1.x | No (the current version in use is not impacted) | NA | As part of the standard stack upkeep policy, IBM will upgrade the log4j version to v2.17.0 (or higher) by 1H 2022 |
As a part of the standard stack upkeep policy, IBM will upgrade the log4j version to v2.17.0 (or higher) by 1H 2022.
NOTE: The latest Fix Pack will be required to obtain this upgrade.
Note:
1. For any underlying software/middleware used in your implementation, please work with the respective vendors to understand the impact and next steps.
2. Log4j v2.15 sets log4j2.formatMsgNoLookups to true by default and thereby resolves CVE-2021-44228 completely. Log4j has released version v2.16, which contains two additional improvements on top of the v2.15 changes:
   (1) JNDI is disabled by default;
   (2) support for Lookups in messages is removed.
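As an added example, not part of IBM's bulletin or of any IBM tool: a Python inventory check that locates log4j jars under a directory and classifies each one against the version thresholds stated above (1.x not impacted, 2.0 to 2.14.1 impacted, 2.15 mitigated via formatMsgNoLookups, 2.16 JNDI disabled, 2.17 the upgrade target). The JAR_NAME pattern, the status labels and the two jars that demo() builds are assumptions constructed for the example.

```python
import os, re, tempfile, zipfile

# Thresholds from the bulletin, lowest first: a version below a threshold gets that status.
THRESHOLDS = [
    ((2, 0, 0), "not-impacted-1.x"),               # log4j 1.x: bulletin lists it as not impacted
    ((2, 15, 0), "impacted"),                      # 2.0 - 2.14.1
    ((2, 16, 0), "mitigated-formatMsgNoLookups"),  # 2.15 sets formatMsgNoLookups=true by default
    ((2, 17, 0), "jndi-disabled"),                 # 2.16 disables JNDI and removes message lookups
]                                                  # 2.17 and above: "at-target", IBM's upgrade version
JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")  # log4j-core-2.x.jar / log4j-1.x.jar

def parse_version(text):
    """'v2.14.1' -> (2, 14, 1); '2.17' -> (2, 17, 0), so tuples compare numerically."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version):
    """Map a log4j version string to the bulletin's status: first threshold it is below wins."""
    v = parse_version(version)
    return next((status for limit, status in THRESHOLDS if v < limit), "at-target")

def jar_version(path):
    """Prefer Implementation-Version from the jar manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    except (zipfile.BadZipFile, KeyError, OSError):
        m = None
    m = m or JAR_NAME.match(os.path.basename(path))
    return m.group(1) if m else None

def scan(root):
    """Walk root; return {jar_path: status} for each log4j jar (jars nested in WAR/EAR are not opened)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in filter(JAR_NAME.match, files):
            path = os.path.join(dirpath, name)
            ver = jar_version(path)
            results[path] = classify(ver) if ver else "unknown-version"
    return results

def demo():
    """Constructed sample (not real log4j jars): two zip files in a temp dir, then scanned."""
    root = tempfile.mkdtemp()
    for name, impl in (("log4j-core-2.14.1.jar", "2.14.1"), ("log4j-core-2.17.1.jar", None)):
        with zipfile.ZipFile(os.path.join(root, name), "w") as z:
            if impl:  # the second jar gets no manifest, so its file name supplies the version
                z.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {impl}\n")
    return {os.path.basename(p): s for p, s in scan(root).items()}
```

Jars packaged inside WAR or EAR archives are not inspected by scan(), so application bundles need to be unpacked first.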


Document Information

Modified date:
23 May 2022

UID

ibm16525544