IBM Watson Knowledge Catalog in Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) and is used for logging. Customers are encouraged to take quick action to update their systems to Apache Log4j 2.15.0.
CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Watson Knowledge Catalog in Cloud Pak for Data |
4.0 (all previous refreshes)
3.5.7 and previous refreshes
IBM strongly recommends addressing the vulnerability now by upgrading.
Install Watson Knowledge Catalog 4.0.4 (Refresh 4) or above: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=new-watson-knowledge-catalog>
Install Watson Knowledge Catalog 3.5.8 (Refresh 11) or above: <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=new-watson-knowledge-catalog>
None