Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, ) and denial of service due to Apache Log4j (CVE-2021-45105)

Summary

There are Remote Attack Vulnerabilities in Apache Log4j (CVE-2021-45105, CVE-2021-45046, CVE-2021-44832) which is used by the IBM Engineering Lifecycle Management products for logging . The fix includes upgrade to Apache log4j v2.17.1.

Vulnerability Details

CVEID:CVE-2021-44832
**DESCRIPTION:**Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-45105
**DESCRIPTION:**Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-45046
**DESCRIPTION:**Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

The following IBM Engineering Lifecycle Management products (IBM Jazz Team Server based Applications) are affected: Collaborative Lifecycle Management (CLM), Engineering Lifecycle Management (ELM), IBM Engineering Workflow Management (EWM), IBM Engineering Test Management (ETM), Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody – Model Manager(RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next(DNG).

Please find the affected components and remediations for each affected product and version in the table below.

Version(s)|Affected Product(s)|**Remediation (Refer to the Step number in the Remediation Section)
**
—|—|—
6.0.6| Collaborative Lifecycle Management (CLM)| | #2| |
Global Configuration Management (GCM)| | #2| |
IBM Jazz Reporting Service (JRS)| | #2| | #4
Rational DOORS Next Generation(RDNG)| | #2| |
Rational Engineering Lifecycle Manager (RELM)| | #2| |
Rational Rhapsody Model Manager (RMM)| | #2| |
Rational Quality Manager (RQM)| | #2| |
Rational Team Concert (RTC)| | #2| |
6.0.6.1| Collaborative Lifecycle Management (CLM)| | #2| |
Global Configuration Management (GCM)| | #2| |
IBM Jazz Reporting Service (JRS)| | #2| | #4
Rational DOORS Next Generation(RDNG)| | #2| |
Rational Engineering Lifecycle Manager (RELM)| | #2| |
Rational Rhapsody Model Manager (RMM)| | #2| |
Rational Quality Manager (RQM)| | #2| |
Rational Team Concert (RTC)| | #2| |
7.0| IBM Engineering Requirements Management DOORS Next(DNG)| | #2| |
Engineering Lifecycle Management (ELM)| | #2| |
IBM Engineering Lifecycle Optimization - Engineering Insights (ENI)| | #2| |
IBM Engineering Test Management (ETM)| | #2| |
IBM Engineering Workflow Management (EWM)| | #2| |
Global Configuration Management (GCM)| | #2| |
IBM Jazz Reporting Service (JRS)| | #2| |
IBM Engineering Systems Design Rhapsody - Model Manager (RMM)| | #2| |
7.0.1| IBM Engineering Requirements Management DOORS Next(DNG)| | #2| |
Engineering Lifecycle Management (ELM)| | #2| #3|
IBM Engineering Lifecycle Optimization - Engineering Insights (ENI)| | #2| |
IBM Engineering Test Management (ETM)| | #2| |
IBM Engineering Workflow Management (EWM)| | #2| |
Global Configuration Management (GCM)| | #2| |
IBM Jazz Reporting Service (JRS)| | #2| |
IBM Engineering Systems Design Rhapsody - Model Manager (RMM)| | #2| |
7.0.2| Engineering Lifecycle Management (ELM)| | | #3|
IBM Engineering Requirements Management DOORS Next(DNG)| #1| | |

Remediation/Fixes

**IBM strongly recommends addressing the vulnerabilities now by taking the actions documented in this bulletin. **

Note: This Bulletin Supersedes Bulletin: <https://www.ibm.com/support/pages/node/6527732&gt;

Note: If you integrate any of the IBM Jazz Team Server-based products and versions (6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2) listed above with IBM WebSphere Application Server (WAS) you will want to review the IBM WebSphere Application Server (WAS) remediation guidance.

1 - For IBM Engineering Requirements Management DOORS Next (DNG) Version 7.0.2 only. Click this Link to install iFix010 or newer. Note, if you have prior installed the log4j patch patch_Log4Shell_DNv4.zip you will need to remove it first. Follow the instructions in the iFix for steps on how to remove patches.

2 - The Knowledge Center Component for a Locally installed Help Server (KCCI) that is (optionally) installed and configured for the following products: Collaborative Lifecycle Management (CLM), Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Workflow Management (EWM), IBM Engineering Test Management, Global Configuration Management (GCM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Systems Design Rhapsody – Model Manager(RMM), IBM Jazz Reporting Service (JRS), IBM Engineering Requirements Management DOORS Next(DNG) versions6.0.6, 6.0.6.1,7.0, 7.0.1 will need to be updated. Follow this Link and apply the Remediation

3 - If the Engineering Lifecycle Management (ELM) optional componentmxbean-datacollection (ELMMon) has been installed for version 7.0.1 or 7.0.2 it will need to be updated. Click This link and follow the instructions to remediate.

4 - IBM Jazz Reporting Service (JRS) versions 6.0.6, 6.0.6.1 included an optional technology preview of the property graph solution (<https://jazz.net/pub/new-noteworthy/jrs/6.0.6/6.0.6/index.html#1&gt;). This technology preview is impacted. The work around is to un-install both the Apache Cassandra - LQE Technology Preview and Elastic Search -LQE Technology Preview components of IBM Jazz Reporting Service. In IBM Installation Manager (IIM) modify packages to uninstall these components.

Workarounds and Mitigations

None