History: Feb 09, 2022 - 10:51 a.m.

Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105)

Published: 2022-02-09 10:51:19 | Source: www.ibm.com

CVSS3: 10 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.975 High (Percentile: 100.0%)

Summary

Multiple vulnerabilities were identified within the Apache Log4j library (CVE-2021-45046, CVE-2021-45105) that is used by Netcool Operations Insight to provide logging functionality.

Vulnerability Details

CVEID: CVE-2021-45105
**DESCRIPTION:** Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-45046
**DESCRIPTION:** Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, leading to leakage of sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Netcool Operations Insight | 1.4 |
| Netcool Operations Insight | 1.5 |
| Netcool Operations Insight | 1.6 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now.

Please take careful inventory of components downloaded at any time and be sure to apply the remediations for any component that may have been installed whether or not it is currently in use.

To address the recent Apache Log4j vulnerabilities, all installed components must be upgraded.

Red Hat OpenShift Platform

If you are on a version between 1.4 and 1.6.2, move to IBM Netcool Operations Insight V1.6.3 on Red Hat OpenShift.

<https://www.ibm.com/support/knowledgecenter/en/SSTPTP_1.6.3/com.ibm.netcool_ops.doc/soc/integration/task/soc_int_upgrade_cloud.html>

Install the recommended fix v1.6.3.2 as per

<https://www.ibm.com/support/pages/node/6527810>

The fix includes Apache Log4j 2.17.1.


Traditional On Premise

| On Premise Component Product | IBM Netcool Operations Insight Version(s) | Remediation Steps |
|---|---|---|
| IBM Netcool Agile Service Manager | 1.4-1.6 | See Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105). This includes Apache Log4j 2.17.1. |
| IBM Cognos Analytics | 1.6 | Please see steps for Bundled Customers in the Remediation section of Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832). This includes Apache Log4j 2.17.1. |
| IBM Db2 | 1.4-1.6 | See Security Bulletin: Multiple vulnerabilities in Apache Log4j affect some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105). This includes Apache Log4j 2.17.0. |
| IBM Jazz for Service Management | 1.4-1.6 | See Security Bulletin: IBM Jazz for Service Management is vulnerable to Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-45046). This includes Apache Log4j 2.17.0. A further update is available: see Security Bulletin: IBM Jazz for Service Management is vulnerable to an Apache Log4j vulnerability (CVE-2021-44832). This includes Apache Log4j 2.17.1. |
| IBM Tivoli Netcool Impact | 1.4-1.6 | See Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046). This includes Apache Log4j 2.17.0. A further update is available: see Security Bulletin: A vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact (CVE-2021-44832). This includes Apache Log4j 2.17.1. |
| IBM Netcool/OMNIbus | 1.4-1.6 | See Security Bulletin: Tivoli Netcool/OMNIbus installation contains vulnerable Apache Log4j code (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105). This includes Apache Log4j 2.17.1. |
| IBM Tivoli Netcool/OMNIbus Probes and Gateways | 1.4-1.6 | See Netcool/OMNIbus Integrations Release Notice - Transport Module Common Integration Library and Netcool/OMNIbus Integrations Release Notice - Java Netcool Utility Library. These include Apache Log4j 2.17.1. |
| IBM Tivoli Netcool/OMNIbus Web GUI | 1.4-1.6 | See Security Bulletin: IBM Tivoli Netcool/OMNIbus Web GUI is vulnerable to multiple Apache Log4j vulnerabilities (CVE-2021-45046, CVE-2021-45105). This includes Apache Log4j 2.17.1. |
| IBM Network Performance Insight | 1.6.0-1.6.2 | An interim fix is available on Fix Central (1.3.1.0-TIV-NPI-IF0005). This includes Apache Log4j 2.17.0. |
| IBM Operations Analytics - Log Analysis | 1.4-1.6 | See Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2021-44228). If Apache Log4j CVE-2021-44228 has already been addressed by executing the steps documented in that bulletin, they do not have to be duplicated. This includes Apache Log4j 2.17.0. |
| IBM Operations Analytics - Predictive Insights | 1.4-1.6 | See Security Bulletin: A vulnerability in Apache log4j (CVE-2021-45105) affects IBM Operations Analytics Predictive Insights. This includes Apache Log4j 2.17.1. |
| IBM Tivoli Business Service Manager (TBSM) | 1.4-1.6 | For IBM Tivoli Netcool Impact: see Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046). This includes Apache Log4j 2.17.0. A further update is available: see Security Bulletin: A vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact (CVE-2021-44832). This includes Apache Log4j 2.17.1. For WebSphere Application Server: see Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832). This removes Apache Log4j from IBM WebSphere Application Server. If Apache Log4j CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have already been addressed by executing the steps documented in the bulletins above relating to those components, they do not have to be duplicated. |
| IBM Tivoli Netcool Configuration Manager | 1.4-1.6 | For WebSphere Application Server: see Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832). This removes Apache Log4j from IBM WebSphere Application Server. If Apache Log4j CVE-2021-45105 and CVE-2021-44832 have already been addressed by executing the steps documented in that bulletin, they do not have to be duplicated. |
| IBM Tivoli Network Manager IP Edition | 1.4-1.6 | See Interim Fix 4.2.0.14-TIV-ITNMIP-LinuxAll-IF1 and follow the instructions in its ReadMe to remediate. This includes Apache Log4j 2.17.1. |
| IBM WebSphere Application Server | 1.4-1.6 | See Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application Server (CVE-2021-45105, CVE-2021-44832). This removes Apache Log4j from IBM WebSphere Application Server. |
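The bulletin asks for a careful inventory of every installed component, including copies not currently in use. As an added, defender-side illustration (not IBM's tooling and not from the bulletin), the following check walks Java archives for bundled log4j-core jars, reads each jar's manifest version, and reports which of the three CVEs named on this page remain open at that version, descending into nested jars/wars/ears so bundled copies are not missed. The fix-version mapping is an upstream Log4j 2 fact not stated on this page, and the sample archives are constructed in-line.

```python
import io
import re
import zipfile

# Log4j 2 (Java 8 line) versions fixing each CVE in this bulletin: upstream
# facts, not values taken from the IBM page itself.
FIXED_IN = {"CVE-2021-45046": (2, 16, 0), "CVE-2021-45105": (2, 17, 0),
            "CVE-2021-44832": (2, 17, 1)}
LOG4J_CORE = re.compile(r"log4j-core-[\w.\-]*\.jar$")

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); None if not three dotted integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(data):
    """Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None

def open_cves(version):
    """CVEs from this bulletin still unfixed at this log4j-core version."""
    return sorted(cve for cve, fix in FIXED_IN.items() if version < fix)

def scan_archive(data, path):
    """Yield (path, version, open_cves) for each log4j-core jar, descending
    into nested jars/wars/ears so bundled copies are not missed."""
    if LOG4J_CORE.search(path):
        ver = jar_version(data)
        yield path, ver, (open_cves(ver) if ver else ["version unknown"])
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith((".jar", ".war", ".ear", ".zip")):
                    yield from scan_archive(zf.read(name), path + "!/" + name)
    except zipfile.BadZipFile:
        return  # plain file, not an archive

def make_archive(entries):
    """Constructed test input: an in-memory zip from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

A 2.17.0 jar is reported with CVE-2021-44832 still open, which matches the table's "further update is available" rows; only 2.17.1 clears all three.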

Workarounds and Mitigations

Red Hat OpenShift Platform

None.

Traditional On Premise

None except as described in the individual on premise component security bulletins in the Remediation/Fixes table above.

| CPE Name | Operator | Version |
|---|---|---|
| netcool operations insight | eq | 1.6.3.2 |
