History: Oct 14, 2022 - 10:12 p.m.

Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832)

www.ibm.com

6.6 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

8.5 High (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C

0.022 Low (EPSS)
Percentile: 89.4%

Summary

An Apache Log4j (CVE-2021-44832) vulnerability impacts IBM InfoSphere Information Server which uses Apache Log4j for logging. The fix upgrades Apache Log4j to version 2.17.1.

Vulnerability Details

CVEID: CVE-2021-44832
**DESCRIPTION:** Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
—|—
InfoSphere Information Server, InfoSphere Information Server on Cloud | 11.7

Information Server 11.5 and 11.3 are affected. Both releases are past end of service.

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product | VRMF | APAR | Remediation
—|—|—|—
InfoSphere Information Server, InfoSphere Information Server on Cloud | 11.7 | JR64468 | Apply IBM InfoSphere Information Server version 11.7.1.0; apply IBM InfoSphere Information Server version 11.7.1.3; apply Information Server 11.7.1.3 Service pack 4

Note:

1. For Information Server 11.5 and 11.3, upgrade to a fixed release.

2. Information Server saves prior versions of jar files to facilitate patch rollbacks and the uninstall of components:
a. In the Updates folder within your Information Server location, a patch folder named after the patch is created for each patch installed. The patch folder contains copies of the files that were replaced during the patch install. The patch name can be seen in the History section of your Version.xml. The files in this folder are used only by the Update Installer to roll back a patch installation; they are not needed while Information Server is running.
b. Each time the Update Installer is updated, the jar files used by the Update Installer that have changed are saved in a new lib.<timestamp> folder within the Updates folder.
c. The _uninstall folder contains files that are used only while uninstalling Information Server components.

For Apache Log4j related patches, the prior vulnerable versions of Apache Log4j could be present within such folders.
If you want to remove such Apache Log4j files from the system, take a backup of such a folder and then purge the folder.

An appropriate backup of the patch folder must be restored before any subsequent patch rollback attempt.
Likewise, an appropriate backup of the files in _uninstall must be restored before any subsequent uninstall action.

3. (April 27, 2022) In some configurations (such as when the Services tier is separate), Service Pack 3 might not upgrade all files. In that situation, Service Pack 4 should be installed. You can check your Services tier to see whether any log4j jars with a version older than 2.17.1 are present.

4. (October 14, 2022) Some open source components' usage of log4j version 1 was addressed in Information Server 11.7.1.4.
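An added check for notes 2 and 3 above (example code, not from IBM's bulletin): it walks an Information Server install root, flags every log4j jar older than 2.17.1 (including log4j 1.x jars, per note 4), and marks copies under Updates, lib.<timestamp> and _uninstall as rollback copies rather than live ones. The install root, folder layout and jar names used in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Versions below this still carry the CVE-2021-44832 JDBC Appender issue.
FIXED_VERSION = (2, 17, 1)
# Matches Log4j 2 jars (log4j-core-2.17.0.jar) and Log4j 1 jars (log4j-1.2.17.jar).
JAR_NAME = re.compile(r"^log4j(?:-(?:core|api))?-(\d+(?:\.\d+)+)\.jar$")
# Folders the bulletin names as holding rollback/uninstall copies only.
ROLLBACK_DIRS = ("Updates", "_uninstall")
LIB_TIMESTAMP = re.compile(r"^lib\.\d+$")


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_rollback_copy(parts):
    """True if any parent folder is Updates, _uninstall or lib.<timestamp>."""
    return any(p in ROLLBACK_DIRS or LIB_TIMESTAMP.match(p) for p in parts)


def scan_log4j_jars(root):
    """Return findings (sorted by path) for log4j jars older than FIXED_VERSION."""
    root = Path(root)
    findings = []
    for jar in root.rglob("log4j*.jar"):
        m = JAR_NAME.match(jar.name)
        if not m or parse_version(m.group(1)) >= FIXED_VERSION:
            continue
        rel = jar.relative_to(root)
        findings.append({
            "path": rel.as_posix(),
            "version": m.group(1),
            # Rollback copies are not loaded at runtime; live copies need the fix.
            "rollback_copy": is_rollback_copy(rel.parts[:-1]),
        })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Build a constructed install tree in a temp dir and scan it."""
    tmp = Path(tempfile.mkdtemp())
    constructed = [
        "ASBServer/lib/log4j-core-2.17.1.jar",        # fixed, live
        "Engine/lib/log4j-core-2.17.0.jar",           # live, still vulnerable
        "Updates/JR64468/lib/log4j-core-2.16.0.jar",  # patch rollback copy
        "Updates/lib.20220101/log4j-api-2.17.0.jar",  # Update Installer backup
        "_uninstall/log4j-1.2.17.jar",                # log4j 1 uninstall copy
    ]
    for rel in constructed:
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).touch()
    return scan_log4j_jars(tmp)
```

Findings with rollback_copy set are the ones the bulletin says you may purge after taking a backup; findings without it are live jars that still need the service pack.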

Workarounds and Mitigations

None

CPE Name | Operator | Version
—|—|—
infosphere information server | eq | 11.7
