CVSS3: 10 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | CHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | COMPLETE
Integrity Impact | COMPLETE
Availability Impact | COMPLETE

EPSS: 0.975 High (Percentile 100.0%)
There is a high-risk remote attack vulnerability in Apache Log4j (CVE-2021-44228), which is used by IBM Jazz Team Server, affecting the following IBM Jazz Team Server based applications: Engineering Lifecycle Management (ELM), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody - Model Manager (RMM), IBM Jazz Reporting Service (JRS), and IBM Engineering Requirements Management DOORS Next (DNG).
CVEID: CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Please find the affected components and remediations for each affected product and version in the table below.
Version(s) | Affected Product(s) | Components and Remediations
---|---|---
6.0.6 | Collaborative Lifecycle Management (CLM) |
6.0.6 | Global Configuration Management (GCM) | #2
6.0.6 | IBM Jazz Reporting Service (JRS) | #2
6.0.6 | Rational DOORS Next Generation (RDNG) | #2
6.0.6 | Rational Engineering Lifecycle Manager (RELM) | #2
6.0.6 | Rational Rhapsody Design Manager (RDM) |
6.0.6 | Rational Rhapsody Model Manager (RMM) | #2
6.0.6 | Rational Quality Manager (RQM) | #2
6.0.6 | Rational Team Concert (RTC) | #2
6.0.6.1 | Collaborative Lifecycle Management (CLM) |
6.0.6.1 | Global Configuration Management (GCM) | #2
6.0.6.1 | IBM Jazz Reporting Service (JRS) | #2
6.0.6.1 | Rational DOORS Next Generation (RDNG) | #2
6.0.6.1 | Rational Engineering Lifecycle Manager (RELM) | #2
6.0.6.1 | Rational Rhapsody Design Manager (RDM) |
6.0.6.1 | Rational Rhapsody Model Manager (RMM) | #2
6.0.6.1 | Rational Quality Manager (RQM) | #2
6.0.6.1 | Rational Team Concert (RTC) | #2
7.0 | IBM Engineering Requirements Management DOORS Next (DNG) |
7.0 | Engineering Lifecycle Management (ELM) | #2
7.0 | IBM Engineering Lifecycle Optimization - Engineering Insights (ENI) | #2
7.0 | IBM Engineering Test Management (ETM) | #2
7.0 | IBM Engineering Workflow Management (EWM) | #2
7.0 | Global Configuration Management (GCM) | #2
7.0 | IBM Jazz Reporting Service (JRS) | #2
7.0 | IBM Engineering Systems Design Rhapsody - Model Manager (RMM) | #2
7.0.1 | IBM Engineering Requirements Management DOORS Next (DNG) |
7.0.1 | Engineering Lifecycle Management (ELM) | #2
7.0.1 | IBM Engineering Lifecycle Optimization - Engineering Insights (ENI) | #2
7.0.1 | IBM Engineering Test Management (ETM) | #2
7.0.1 | IBM Engineering Workflow Management (EWM) | #2
7.0.1 | Global Configuration Management (GCM) | #2
7.0.1 | IBM Jazz Reporting Service (JRS) | #2
7.0.1 | IBM Engineering Systems Design Rhapsody - Model Manager (RMM) | #2
7.0.2 | Engineering Lifecycle Management (ELM) |
7.0.2 | IBM Engineering Requirements Management DOORS Next (DNG) | #1
Affected Components and Remediations:
1 - For IBM Engineering Requirements Management DOORS Next Version 7.0.2 only. Click this link, download the DOORS Next log4j patch patch_Log4Shell_DNv2.zip and the readme.txt file. Follow the instructions in the readme.txt file to install the patch.
2 - The Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured for the following products: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Workflow Management (EWM), IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody - Model Manager (RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next (DNG) versions 6.0.6, 6.0.6.1, 7.0, 7.0.1 will need to be updated.
Find the version corresponding to your offering, click the link and download the patch and readme.txt. Follow the instructions in the readme.txt file to update the Knowledge Center (KC).
3 - Similarly, for IBM Engineering Systems Design Rhapsody - Design Manager (RDM) Version 6.0.6 or 6.0.6.1, the Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured will need to be updated.
Click the link and download the RDM patch and readme.txt. Follow the instructions in the readme.txt file to update the Knowledge Center (KC).
4 - If the Engineering Lifecycle Management (ELM) optional component mxbean-datacollection (ELMMon) has been installed for version 7.0.1 or 7.0.2, it will need to be updated. Click this link and follow the instructions to remediate.
5 - IBM Jazz Reporting Service (JRS) versions 6.0.6/6.0.6.1 included an optional technology preview of the property graph solution (<https://jazz.net/pub/new-noteworthy/jrs/6.0.6/6.0.6/index.html#1>). This technology preview is impacted by CVE-2021-44228. The workaround is to uninstall both the Apache Cassandra - LQE Technology Preview and Elastic Search - LQE Technology Preview components of IBM Jazz Reporting Service. In IBM Installation Manager (IIM), modify packages to uninstall these components.
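After the patches above are applied, a practitioner will want to confirm that no unpatched log4j-core jar remains anywhere in the install tree. The following script is an added example, not IBM's tooling or part of any patch: it walks a directory, reads each log4j-core jar's manifest version and checks whether JndiLookup.class is still present. It assumes 2.15.0 as the first Log4j release closing CVE-2021-44228 and that removing JndiLookup.class is the documented fallback mitigation; the sample jars it builds are constructed stand-ins.

```python
import os
import re
import tempfile
import zipfile

# Assumption: 2.15.0 is the first Log4j 2.x release closing CVE-2021-44228 (JNDI lookups
# disabled by default); deleting JndiLookup.class from the jar is the documented fallback.
FIXED_VERSION = (2, 15, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core.*\.jar$", re.IGNORECASE)

def parse_version(text: str) -> tuple:
    """'2.14.1' or '2.14.1-rc1' -> (2, 14, 1); unparseable -> (0,) so it sorts as old."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3]) or (0,)

def inspect_jar(path: str) -> dict:
    """Read Implementation-Version from the manifest and check for JndiLookup.class."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    found = re.search(r"^Implementation-Version:\s*(.+)$", manifest, re.MULTILINE)
    version = found.group(1).strip() if found else None
    # Exposed only if the lookup class is still shipped AND the release predates the fix (unknown version counts as old).
    vulnerable = JNDI_LOOKUP in names and (version is None or parse_version(version) < FIXED_VERSION)
    return {"path": path, "version": version, "jndi_lookup": JNDI_LOOKUP in names, "vulnerable": vulnerable}

def audit(root: str) -> list:
    """Walk root (e.g. a Jazz Team Server install tree) and report every log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if JAR_NAME.match(name):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return findings

def build_sample_jar(path: str, version: str, include_lookup: bool) -> None:
    """Constructed stand-in jar for offline testing, not a real Log4j build."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def demo() -> dict:
    """Three constructed jars: unpatched 2.14.1, 2.14.1 with the class removed, and 2.17.1."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1-patched.jar"), "2.14.1", False)
        build_sample_jar(os.path.join(root, "app", "log4j-core-2.17.1.jar"), "2.17.1", True)
        return {os.path.basename(f["path"]): f["vulnerable"] for f in audit(root)}
```

Run `audit()` against the real installation directory; a finding with `vulnerable` set to True means a remediation from the list above is still missing for that jar.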