Lucene search

K
ibmIBM30A0E9F889B3548B9BD0339A7DD9F4F3D51821FE906234D247C17BB05B831873
HistoryMar 16, 2022 - 3:25 a.m.

Security Bulletin: IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104, CVE-2021-45046)

2022-03-1603:25:30
www.ibm.com
92

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

Summary

Vulnerabilities in Apache Log4j (CVE-2021-4104, CVE-2021-45046) impact IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On. The fix addresses the vulnerabilities by removing Apache Log4j.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Access Manager for Enterprise Single-Sign On 8.2.0, 8.2.1, 8.2.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Principal Product and Version(s) Affected Supporting Product and Version Affected Supporting Product Security Bulletin
IBM Security Access Manager for Enterprise Single Sign-On 8.2.0 IBM WebSphere Application Server 7.0 Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)
IBM Security Access Manager for Enterprise Single Sign-On 8.2.1 IBM WebSphere Application Server 7.0, 8.5 Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)
IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 IBM WebSphere Application Server 8.5 Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)

Workarounds and Mitigations

None

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

Related for 30A0E9F889B3548B9BD0339A7DD9F4F3D51821FE906234D247C17BB05B831873