Apache-Log4j version 1 is used by IBM Tivoli Application Dependency Discovery Manager and is vulnerable to CVE-2023-26464.
CVEID: CVE-2023-26464
**DESCRIPTION:** Apache Log4j is vulnerable to a denial of service, caused by a flaw when using the Chainsaw or SocketAppender components. By sending a specially crafted hashmap or hashtable, a remote attacker could exploit this vulnerability to exhaust available memory in the virtual machine, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249785 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0-7.3.0.9 |
TADDM FixPack 7.3.0.10 has been released with Apache log4j v2.17.2. Please upgrade to 7.3.0.10 to resolve all known log4j vulnerabilities at the date of release.
For TADDM 7.3.0.0 - 7.3.0.5, please first upgrade to a newer TADDM FixPack between 7.3.0.6 and 7.3.0.9 (preferably 7.3.0.9), and then upgrade to TADDM FixPack 7.3.0.10.
For TADDM 7.3.0.6 - 7.3.0.9, please upgrade directly to TADDM FixPack 7.3.0.10.
Please refer to the table below to download TADDM FixPack 7.3.0.10.
Fix | How to acquire fix |
---|---|
7.3-TIV-ITADDM-FP00010 | Download FixPack |
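The two-step upgrade path above is easy to get wrong when checking many TADDM servers at once. The following is an added example (not IBM's code) that encodes the bulletin's affected range and upgrade rules so an inventory of installed versions can be classified; the host names and versions in `INVENTORY` are constructed, and versions outside the 7.3.0.x range the bulletin covers are deliberately reported as "not covered by this bulletin" rather than as safe.

```python
"""Classify TADDM installs against the CVE-2023-26464 bulletin (added example)."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a dotted TADDM version such as '7.3.0.9' into a 4-tuple, padding with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected TADDM version format: {text!r}")
    return parts + (0,) * (4 - len(parts))  # type: ignore[return-value]


# Ranges taken from the bulletin text.
AFFECTED_LOW = parse_version("7.3.0.0")
AFFECTED_HIGH = parse_version("7.3.0.9")
INTERMEDIATE_LOW = parse_version("7.3.0.6")   # 7.3.0.6 - 7.3.0.9 may go straight to 7.3.0.10
FIXED = parse_version("7.3.0.10")
FIX_ID = "7.3-TIV-ITADDM-FP00010"


def is_affected(version: str) -> bool:
    """True when the version falls inside the bulletin's affected range 7.3.0.0 - 7.3.0.9."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def remediation_plan(version: str) -> List[str]:
    """Return the ordered upgrade steps the bulletin prescribes, or [] if none apply."""
    v = parse_version(version)
    if not is_affected(version):
        return []
    steps = []
    if v < INTERMEDIATE_LOW:
        # 7.3.0.0 - 7.3.0.5 must pass through an intermediate FixPack first.
        steps.append("upgrade to TADDM FixPack 7.3.0.9 (any of 7.3.0.6 - 7.3.0.9 is acceptable)")
    steps.append(f"upgrade to TADDM FixPack 7.3.0.10 ({FIX_ID})")
    return steps


# Constructed sample inventory: host name -> installed TADDM version.
INVENTORY: Dict[str, str] = {
    "taddm-prod-01": "7.3.0.3",
    "taddm-prod-02": "7.3.0.8",
    "taddm-lab-01": "7.3.0.10",
    "taddm-legacy": "7.2.2.0",   # outside the bulletin's range: not covered, not confirmed safe
}


def report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to its remediation steps; hosts outside 7.3.0.x get a 'not covered' marker."""
    out: Dict[str, List[str]] = {}
    for host, ver in inventory.items():
        v = parse_version(ver)
        if v[:3] != (7, 3, 0):
            out[host] = ["version not covered by this bulletin; check separately"]
        else:
            out[host] = remediation_plan(ver)
    return out
```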
Please refer to the TADDM FixPack 7.3.0.10 Release Notes at the URL below for more information about the update.
<https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp10>
None