Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)

Published: Feb 09, 2022 - 4:17 p.m.
Source: www.ibm.com

Summary

IBM UrbanCode Release is impacted by CVE-2021-44228 through its use of Apache log4j 1.2, which is part of the product's logging infrastructure. The exposure is through the network appenders shipped in that library (notably JMSAppender): a change to the logging configuration can exploit the weakness, resulting in unauthorized access to the administrative functions within Settings. An iFix has been provided which contains a modified log4j-1.2.jar in which all network appenders, including JMSAppender, have been removed.

Vulnerability Details

CVEID: CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM UrbanCode Release 6.2.5.0 - 6.2.5.1
IBM UrbanCode Release 6.2.4.0 - 6.2.4.1
IBM UrbanCode Release 6.2.3.0 - 6.2.3.1
IBM UrbanCode Release 6.2.2.0 - 6.2.2.7

Remediation/Fixes

See the Workarounds and Mitigations section below.

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability now by applying one of the mitigation options below.

> Option 1:

Upgrade IBM UrbanCode Release to the most current version, 6.2.5.5, which contains a modified log4j-1.2.jar in which all network appenders, including JMSAppender, have been removed.

Note: 6.2.5.2 - 6.2.5.4 also ship the modified log4j-1.2.jar that addresses the vulnerability.

Affected Product(s) Version(s) Remediation/Fixes
IBM UrbanCode Release 6.2.5.0 - 6.2.5.1 Download IBM UrbanCode Release version 6.2.5.5
IBM UrbanCode Release 6.2.4.0 - 6.2.4.1 Download IBM UrbanCode Release version 6.2.5.5
IBM UrbanCode Release 6.2.3.0 - 6.2.3.1 Download IBM UrbanCode Release version 6.2.5.5
IBM UrbanCode Release 6.2.2.0 - 6.2.2.7 Download IBM UrbanCode Release version 6.2.5.5

> Option 2:

For customers who do not wish to upgrade to IBM UrbanCode Release version 6.2.5.5 and prefer to replace only the existing log4j jar file:

Affected Product(s) | Version(s) | Remediation/Fixes/Instructions
IBM UrbanCode Release | 6.2.5.0 - 6.2.5.1 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file
IBM UrbanCode Release | 6.2.4.0 - 6.2.4.1 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file
IBM UrbanCode Release | 6.2.3.0 - 6.2.3.1 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file
IBM UrbanCode Release | 6.2.2.0 - 6.2.2.7 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file
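Whichever option is applied (the 6.2.5.x upgrade in Option 1 or the iFix jar swap in Option 2), the remediation rests on one property: the log4j 1.2 jar actually on the classpath no longer contains the network appenders, and no logging configuration still wires one in. The following is an added verification example, not IBM's code and not part of the iFix. It builds two constructed jars (one laid out like stock log4j 1.2, one like the modified jar) so that it runs offline, lists any `org/apache/log4j/net/` classes remaining in a jar, and flags `log4j.properties` lines that reference a network appender or the JNDI settings JMSAppender consumes. The jar entry names and JNDI property names are assumptions based on the stock log4j 1.2 layout; the sample configuration, file path and host in it are made up.

```python
import tempfile
import zipfile
from pathlib import Path

# Package prefix of the stock log4j 1.2 network appenders (JMSAppender,
# SocketAppender, SocketHubAppender, SMTPAppender, SyslogAppender, ...).
# Assumption: the iFix strips exactly these classes from log4j-1.2.jar.
NET_PREFIX = "org/apache/log4j/net/"

# Constructed jar contents, used only so the example runs offline.
STOCK_ENTRIES = [
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/FileAppender.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketAppender.class",
]
FIXED_ENTRIES = [
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/FileAppender.class",
]


def write_jar(path, entries):
    """Write a zip (jar) containing empty entries with the given names."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return str(path)


def build_sample_jars(directory=None):
    """Create a stock-layout and an iFix-layout jar; return their paths."""
    d = Path(directory or tempfile.mkdtemp())
    stock = write_jar(d / "log4j-1.2-stock.jar", STOCK_ENTRIES)
    fixed = write_jar(d / "log4j-1.2-ifix.jar", FIXED_ENTRIES)
    return stock, fixed


def find_network_appenders(jar_path):
    """Return every class under org/apache/log4j/net/ still present in the jar.

    An empty list is the expected result after the upgrade or the iFix.
    """
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(
            n for n in zf.namelist()
            if n.startswith(NET_PREFIX) and n.endswith(".class")
        )


# Config keys that only make sense with JMSAppender (or another net appender)
# wired in; assumption: these are the JMSAppender setters of log4j 1.2.
CONFIG_MARKERS = (
    "org.apache.log4j.net.",
    "TopicBindingName",
    "TopicConnectionFactoryBindingName",
    "ProviderURL",
    "InitialContextFactoryName",
)


def flag_config_lines(config_text):
    """Return (line_no, line) for each non-comment config line that references
    a network appender class or one of its JNDI settings."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if any(marker in stripped for marker in CONFIG_MARKERS):
            hits.append((no, stripped))
    return hits


# Constructed log4j.properties: a harmless file appender plus a JMSAppender
# that has been pointed at a JNDI provider (the configuration change the
# bulletin describes). Host and paths are made up.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=logs/ucr.log
# the following block should not be present on a hardened server
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://198.51.100.10:1389/
log4j.appender.jms.TopicBindingName=x
"""


if __name__ == "__main__":
    stock, fixed = build_sample_jars()
    for jar in (stock, fixed):
        left = find_network_appenders(jar)
        print(jar, "->", "network appenders present: %s" % left if left else "clean")
    for no, line in flag_config_lines(SAMPLE_CONFIG):
        print("config line %d: %s" % (no, line))
```

On a real server, point `find_network_appenders` at the log4j jar the product actually loads (the README names the file to replace) rather than at a copy in a download directory, and run `flag_config_lines` over every log4j configuration file the server reads; a jar with no network appenders plus a configuration that does not reference them is the state both options are meant to produce.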