6.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
0.025 Low
EPSS
Percentile
89.7%
Apache Log4j is used by IBM Sterling Connect:Direct for Microsoft Windows as part of its logging infrastructure. There are vulnerabilities in the Apache Log4j open source library versions used by IBM Sterling Connect:Direct for Microsoft Windows. Based on current information and analysis, IBM Sterling Connect:Direct for Microsoft Windows is not impacted by CVE-2021-44832. However, out of an abundance of caution, IBM Sterling Connect:Direct for Microsoft Windows has upgraded Log4j to 2.17.1.
CVEID: CVE-2021-44832
**DESCRIPTION:** Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
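An added example (not IBM's or Apache's code): a defender-side audit of a Log4j 2 XML configuration that lists every JDBC Appender `DataSource` and flags a `jndiName` whose URI scheme is anything other than `java:`, the restriction Log4j 2.17.1 applies. The sample configuration, the appender names and the `review` verdict for `${...}` lookups are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed sample configuration (not taken from any product).
SAMPLE = """<Configuration>
  <Appenders>
    <Console name="stdout"/>
    <JDBC name="local" tableName="logs">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDS"/>
    </JDBC>
    <JDBC name="remote" tableName="logs">
      <DataSource jndiName="ldap://placeholder.invalid/ds"/>
    </JDBC>
    <Appender type="JDBC" name="indirect" tableName="logs">
      <DataSource jndiName="${env:LOG_DS}"/>
    </Appender>
  </Appenders>
</Configuration>"""

def _local(tag):
    """Element name without XML namespace, lowercased for lenient matching."""
    return tag.rsplit("}", 1)[-1].lower()

def _is_jdbc(elem):
    """Match both <JDBC ...> and the strict form <Appender type="JDBC" ...>."""
    return _local(elem.tag) == "jdbc" or (
        _local(elem.tag) == "appender" and elem.get("type", "").lower() == "jdbc")

def classify(jndi_name):
    """ok: java: scheme or no scheme; flag: any other scheme; review: runtime lookup."""
    if "${" in jndi_name:
        return "review"  # value is substituted at runtime, so check its source by hand
    m = SCHEME.match(jndi_name.strip())
    if m is None or m.group(1).lower() == "java":
        return "ok"
    return "flag"

def audit(xml_text):
    """Return (appender name, jndiName, verdict) for each JDBC data source found."""
    findings = []
    for appender in filter(_is_jdbc, ET.fromstring(xml_text).iter()):
        for child in appender.iter():
            if _local(child.tag) != "datasource":
                continue
            jndi = next((v for k, v in child.attrib.items() if k.lower() == "jndiname"), "")
            findings.append((appender.get("name", "?"), jndi, classify(jndi)))
    return findings
```

Run `audit()` over each Log4j 2 configuration file the service can load, and pair it with a check on who holds write access to those files, since the CVE requires permission to modify the configuration.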
Affected Product(s) | Version(s) |
---|---|
IBM Sterling Connect:Direct for Microsoft Windows | 4.8.0.3 - 4.8.0.3_iFix041 |
IBM Sterling Connect:Direct for Microsoft Windows | 6.0.0.3 - 6.0.0.4_iFix047 |
IBM Sterling Connect:Direct for Microsoft Windows | 6.1.0.1 - 6.1.0.2_iFix035 |
IBM Sterling Connect:Direct for Microsoft Windows | 6.2.0.0 - 6.2.0.2_iFix012 |
IBM recommends addressing the possible vulnerability now by upgrading.
Affected Product(s) | Version(s) | APAR | Remediation / First Fix |
---|---|---|---|
IBM Sterling Connect:Direct for Microsoft Windows | 4.8 | IT39949 | Apply 4.8.0.3_iFix042, available on Fix Central |
IBM Sterling Connect:Direct for Microsoft Windows | 6.0 | IT39949 | Apply 6.0.0.4_iFix048, available on Fix Central |
IBM Sterling Connect:Direct for Microsoft Windows | 6.1 | IT39949 | Apply 6.1.0.2_iFix036, available on Fix Central |
IBM Sterling Connect:Direct for Microsoft Windows | 6.2 | IT39949 | Apply 6.2.0.2_iFix013, available on Fix Central |
For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.
None