10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
WebSphere Application Server (WAS) is shipped as a component of IBM Security Guardium Key Lifecycle Manager (GKLM). Information about the Apache Log4j vulnerability has been published in a security bulletin. Customers are encouraged to take quick action to update their systems.
CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Principal Product and Version(s)
|
Affected Supporting Product and Version(s)
—|—
IBM Security Key Lifecycle Manager (SKLM) v2.7** [EOS] | WebSphere Application Server v9.0.0.1
IBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5
IBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5
IBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5
IBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | WebSphere Application Server Liberty 21.0.0.6
****** IBM Security Key Lifecycle Manager (SKLM) v2.7 - Applicable only for customer with extension.
IMPORTANT
IBM strongly recommends addressing the vulnerability now by upgrading.
Depending on your GKLM/SKLM version, see the relevant section:
For information about the vulnerability fixes, see Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) .
You only need to apply the interim fix provided by the WAS team. Before you apply the interim fix, check the WAS minimum fix pack requirement and the supported WAS for your SKLM version (see Support Matrix).
For instructions, see How to install WebSphere Application Server interim fix.
Note: Also applicable for SKLM 2.7 (only for customers with extension).
** Recommended: Upgrade Java**
After you apply the WAS interim fix, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
On Linux or AIX:
WAS_HOME/bin/stopServer.sh server1 -username WAS_USER -password WAS_PASSWORD
For example,
/opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password waspassword
On Windows:
WAS_HOME\bin\stopServer.bat server1 -username WAS_USER -password WAS_PASSWORD
For example,
C:\Program Files\IBM\WebSphere\AppServer\bin\stopServer.bat server1 -username wasadmin -password waspassword
For information about the vulnerability and fixes, see Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) .
Note: You only need to apply the interim fix provided by the WAS team.
1. Download the latest log4j 2.15.0 files from the following link:
<https://archive.apache.org/dist/logging/log4j/2.15.0/>
2. Depending on your platform, download the applicable file:
* apache-log4j-2.15.0-bin.tar.gz
* apache-log4j-2.15.0-bin.zip
3. Extract the downloaded files. Copy the following extracted JAR files to some other location (for example, desktop):
* log4j-api-2.15.0.jar
* log4j-core-2.15.0.jar
4. Rename the JAR files as follows:
* log4j-api-2.15.0.jar to log4j-api-2.13.3.jar
* log4j-core-2.15.0.jar to log4j-core-2.13.3.jar
Note: This is a workaround. Because of this workaround, even after you apply the fix, the grep command shows log4j-api-2.13.3.jar version in the output. However, be assured that Log4j is upgraded to log4j-api-2.15.0.jar.
5. Copy the renamed Log4j JAR files to the following location:
On Linux or AIX:
WAS_HOME/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib
For example,
/opt/IBM/WebSphere/AppServer/profiles/KLMProfile/installedApps/SKLMCell/sklm_kms.ear/lib
On Windows:
WAS_HOME\profiles\KLMProfile\installedApps\SKLMCell\sklm_kms.ear\lib
For example,
C:\Program Files\IBM\WebSphere\AppServer\profiles\KLMProfile\installedApps\SKLMCell\sklm_kms.ear\lib
On Linux or AIX:
WAS_HOME/bin/startServer.sh server1
For example,
/opt/IBM/WebSphere/AppServer/bin/startServer.sh server1
On Windows:
WAS_HOME\bin\startServer.bat server1
For example,
C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1
** **Recommended: Upgrade Java
After you apply the WAS interim fix, it is recommended that you upgrade the IBM® SDK Java™ Technology Edition maintenance to V8.0.6.26. For instructions, see How to upgrade IBM SDK Java Technology Edition.
Note: You only need to apply Java SDK. No other manual step is required.
This issue is fixed in GKLM 4.1.1 - Fix Pack 2. You can download it from Fix Central.
None
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%