Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects Engineering Lifecycle Management and IBM Engineering products

Summary

There is a high risk Remote Attack Vulnerability in Apache Log4j (CVE-2021-44228) which is used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody – Model Manager(RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next(DNG)

Vulnerability Details

CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Please find the affected components and remediations for each affected product and version in the table below.

Remediation/Fixes

Affected Components and Remediations:

1 - For IBM Engineering Requirements Management DOORS Next Version7.0.2 only. Click this Link , download the DOORS Next log4j Patch patch_Log4Shell_DNv2.zip and the readme.txt file. Follow the instructions in the readme.txt file to install the patch.

2 - The Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured for the following products: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Workflow Management (EWM), IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody – Model Manager(RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next(DNG) versions6.0.6, 6.0.6.1,7.0, 7.0.1 will need to be updated.

Find the Version corresponding to your offering, click the link and download the patch and readme.txt. Follow the instructions in the readme.txt file to Update the Knowledge Center (KC).

• 6.0.6
• 6.0.6.1
• 7.0
• 7.0.1

3 - Similarly, for IBM Engineering Systems Design Rhapsody - Design Manager (RDM) Version 6.0.6 or 6.0.6.1, The Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured will need to be updated.

Click the link and download the RDM patch and readme.txt. Follow the instructions in the readme.txt file to Update the Knowledge Center (KC).

• 6.0.6
• 6.0.6.1

4 - If the Engineering Lifecycle Management (ELM) optional componentmxbean-datacollection (ELMMon) has been installed for version 7.0.1 or 7.0.2 it will need to be updated. Click This link and follow the instructions to remediate.

5 - IBM Jazz Reporting Service (JRS) versions 6.0.6/ 6.0.6.1 included an optional technology preview of the property graph solution (<https://jazz.net/pub/new-noteworthy/jrs/6.0.6/6.0.6/index.html#1&gt;). This technology preview is impacted by CVE-2021-44228. The work around is to un-install both the Apache Cassandra - LQE Technology Preview and Elastic Search -LQE Technology Preview components of IBM Jazz Reporting Service. In IBM Installation Manager (IIM) modify packages to uninstall these components.

Workarounds and Mitigations

None