IBM30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490ESecurity Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) and IBM Security Guardium Key Lifecycle Manager
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
Summary
WebSphere Application Server (WAS) is shipped as a component of IBM Security Guardium Key Lifecycle Manager (GKLM). Information about the Apache Log4j vulnerability has been published in a security bulletin. Customers are encouraged to take quick action to update their systems.
Vulnerability Details
CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
Principal Product and Version(s)
|
Affected Supporting Product and Version(s)
—|—
IBM Security Key Lifecycle Manager (SKLM) v2.7** [EOS] | WebSphere Application Server v9.0.0.1
IBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5
IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5
IBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | WebSphere Application Server Liberty 21.0.0.6
****** IBM Security Key Lifecycle Manager (SKLM) v2.7 - Applicable only for customer with extension.
Remediation/Fixes
IMPORTANT
The fix in this bulletin has been superseded by Security Bulletin: Multiple vulnerabilities in Apache Log4j affect the IBM WebSphere Application Server and IBM Security Guardium Key Lifecycle Manager (CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832).
IBM strongly recommends addressing the vulnerability now by upgrading.
Depending on your GKLM/SKLM version, see the relevant section:
- For SKLM 3.0, 3.0.1 and SKLM 4.0
- For GKLM 4.1
- For GKLM 4.1.1
For SKLM 3.0, 3.0.1 and SKLM 4.0
For information about the vulnerability fixes, see Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) .
You only need to apply the interim fix provided by the WAS team. Before you apply the interim fix, check the WAS minimum fix pack requirement and the supported WAS for your SKLM version (see Support Matrix).
For instructions, see How to install WebSphere Application Server interim fix.
Note: Also applicable for SKLM 2.7 (only for customers with extension).
** Recommended: Upgrade Java**
After you apply the WAS interim fix, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
For GKLM 4.1.0
- On Linux and AIX systems, log in as the database user. For example, sklmdb41.
- Stop WebSphere Application Server.
On Linux or AIX:
WAS_HOME/bin/stopServer.sh server1 -username WAS_USER -password WAS_PASSWORD
For example,
/opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password waspassword
On Windows:
WAS_HOME\bin\stopServer.bat server1 -username WAS_USER -password WAS_PASSWORD
For example,
C:\Program Files\IBM\WebSphere\AppServer\bin\stopServer.bat server1 -username wasadmin -password waspassword
- Apply the WebSphere Application Server interim fix provided by the WAS team. For instructions, see How to install WebSphere Application Server interim fix.
For information about the vulnerability and fixes, see Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) .
Note: You only need to apply the interim fix provided by the WAS team.
- Update Log4j.
1. Download the latest log4j 2.15.0 files from the following link:
<https://archive.apache.org/dist/logging/log4j/2.15.0/>
2. Depending on your platform, download the applicable file:
* apache-log4j-2.15.0-bin.tar.gz
* apache-log4j-2.15.0-bin.zip
3. Extract the downloaded files. Copy the following extracted JAR files to some other location (for example, desktop):
* log4j-api-2.15.0.jar
* log4j-core-2.15.0.jar
4. Rename the JAR files as follows:
* log4j-api-2.15.0.jar to log4j-api-2.13.3.jar
* log4j-core-2.15.0.jar to log4j-core-2.13.3.jar
Note: This is a workaround. Because of this workaround, even after you apply the fix, the grep command shows log4j-api-2.13.3.jar version in the output. However, be assured that Log4j is upgraded to log4j-api-2.15.0.jar.
5. Copy the renamed Log4j JAR files to the following location:
On Linux or AIX:
WAS_HOME/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib
For example,
/opt/IBM/WebSphere/AppServer/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib
On Windows:
WAS_HOME\profiles\KLMProfile\installedApps\SKLMCell\sklm_kms.ear\lib
For example,
C:\Program Files\IBM\WebSphere\AppServer\profiles\KLMProfile\installedApps\SKLMCell\sklm_kms.ear\lib
- Start WebSphere Application Server.
On Linux or AIX:
WAS_HOME/bin/startServer.sh server1
For example,
/opt/IBM/WebSphere/AppServer/bin/startServer.sh server1
On Windows:
WAS_HOME\bin\startServer.bat server1
For example,
C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1
** **Recommended: Upgrade Java
After you apply the WAS interim fix, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
For GKLM 4.1.1
This issue is fixed in GKLM 4.1.1 - Fix Pack 2. You can download it from Fix Central.
Workarounds and Mitigations
None
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%