Lucene search

K
ibmIBM0E8555641D8CDA8EC9035ED3EB5F648F408D4DF211176B6798C8D8C65318F3F5
HistoryFeb 08, 2022 - 10:56 p.m.

Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571)

2022-02-0822:56:04
www.ibm.com
60

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.794 High

EPSS

Percentile

98.3%

Summary

There is a vulnerability in the Apache Log4j open source library (CVE-2019-17571) used by IBM OpenPages with Watson. This affects the IBM OpenPages logging framework. The remediation fix includes Apache Log4j v2.17.

Vulnerability Details

CVEID:CVE-2019-17571
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM OpenPages with Watson versions 8.1 through 8.2.0.3

Remediation/Fixes

Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:

Product Remediation

For IBM OpenPages with Watson 8.1or8.1.0.1

- Upgrade to 8.1.0.2 Fix Pack

- Apply 8.1.0.2 Interim Fix 2 (8.1.0.2.2) or later

|

IBM strongly recommends upgrading to IBM OpenPages with Watson** 8.2.0.4**

- Apply 8.2.0.4 Interim Fix 2 (8.2.0.4.2) or later

For IBM OpenPages with Watson8.1.0.2

- Apply 8.1.0.2 Interim Fix 2 (8.1.0.2.2) or later

|

IBM strongly recommends upgrading to IBM OpenPages with Watson** 8.2.0.4**

- Apply 8.2.0.4 Interim Fix 2 (8.2.0.4.2) or later

For IBM OpenPages with Watson8.2,8.2.0.1, 8.2.0.2 or 8.2.0.3

- Upgrade to 8.2.0.4 Fix Pack

- Apply 8.2.0.4 Interim Fix 2 (8.2.0.4.2) or later

|

<https://www.ibm.com/support/pages/openpages-watson-82-fix-pack-4&gt;

<https://www.ibm.com/support/pages/openpages-watson-8204-interim-fix-2&gt;

Workarounds and Mitigations

If you are unable to upgrade to the latest version of IBM OpenPages for Watson, IBM recommends applying the below mitigation now.

Product Mitigation

For IBM OpenPages with Watson 8.1or8.1.0.1

- Upgrade to 8.1.0.2 Fix Pack

- Apply 8.1.0.2 Interim Fix 2 (8.1.0.2.2) or later

|

<https://www.ibm.com/support/pages/openpages-watson-81-fix-pack-2&gt;

<https://www.ibm.com/support/pages/openpages-watson-8102-interim-fix-2&gt;

For IBM OpenPages with Watson8.1.0.2

- Apply 8.1.0.2 Interim Fix 2 (8.1.0.2.2) or later

|

<https://www.ibm.com/support/pages/openpages-watson-8102-interim-fix-2&gt;

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.794 High

EPSS

Percentile

98.3%