History: Mar 23, 2023 - 6:03 p.m.

Security Bulletin: TADDM is vulnerable to a denial of service vulnerability in Apache-Log4j (CVE-2023-26464)

2023-03-23 18:03:21
www.ibm.com

EPSS: 0.002 (Low), Percentile: 58.4%

Summary

Apache-Log4j version 1 is used by IBM Tivoli Application Dependency Discovery Manager and is vulnerable to CVE-2023-26464.

Vulnerability Details

CVEID: CVE-2023-26464
**DESCRIPTION:** Apache Log4j is vulnerable to a denial of service, caused by a flaw when using the Chainsaw or SocketAppender components. By sending a specially crafted hashmap or hashtable, a remote attacker could exploit this vulnerability to exhaust available memory in the virtual machine, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249785 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
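
One way to find which archives under an installation directory bundle Log4j 1.x and the two components named in the description. This is an added example, not code from IBM or from the bulletin. It assumes the class paths of the stock Log4j 1.2 jar, and the directory passed on the command line is hypothetical.

```python
import sys
import zipfile
from pathlib import Path

# Class paths as laid out in the stock Log4j 1.2 jar (assumption: a shaded
# or repackaged copy may use other paths and would be missed by this scan).
V1_MARKER = "org/apache/log4j/Logger.class"
COMPONENTS = {
    "SocketAppender": "org/apache/log4j/net/SocketAppender.class",
    "Chainsaw": "org/apache/log4j/chainsaw/",
}
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear"}


def scan_archive(path):
    """Return the bulletin's components found in one archive, or None if it
    carries no Log4j 1.x classes or is not a readable zip file."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return None
    if V1_MARKER not in names:
        return None
    return sorted(
        label for label, prefix in COMPONENTS.items()
        if any(name.startswith(prefix) for name in names)
    )


def scan_tree(root):
    """Map every archive under root that bundles Log4j 1.x classes to the
    components it contains. Archives nested inside other archives are not opened."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            found = scan_archive(path)
            if found is not None:
                hits[str(path)] = found
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar_path, parts in scan_tree(root).items():
        print(f"{jar_path}: Log4j 1.x classes; components: {', '.join(parts) or 'none'}")
```

The Log4j 2 `log4j-1.2-api` bridge jar also provides `org.apache.log4j` classes, so review each hit by hand before treating it as Log4j 1.x.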

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0-7.3.0.9 |

Remediation/Fixes

TADDM FixPack 7.3.0.10 has been released with Apache log4j v2.17.2. Please upgrade to 7.3.0.10 to resolve all log4j vulnerabilities known as of the date of release.

For TADDM 7.3.0.0 - 7.3.0.5, please first upgrade to a newer TADDM FixPack between 7.3.0.6 and 7.3.0.9 (preferably 7.3.0.9), and then upgrade to TADDM FixPack 7.3.0.10.

For TADDM 7.3.0.6 - 7.3.0.9, please upgrade to TADDM FixPack 7.3.0.10.

Please refer to the table below to download TADDM FixPack 7.3.0.10.

| Fix | How to acquire fix |
| --- | --- |
| 7.3-TIV-ITADDM-FP00010 | Download FixPack |

Please refer to the URL for TADDM FixPack 7.3.0.10 Release Notes containing more information about the update.

<https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp10>

Workarounds and Mitigations

None
