IBM UrbanCode Release is impacted by CVE-2021-44228 through its use of Apache log4j-1.2, which is part of the logging infrastructure. A logging configuration change can be used to exploit the weakness, resulting in unauthorized access to the administrative functions within Settings. An iFix has been provided which contains a modified log4j-1.2.jar in which all network ‘appenders’, including ‘JMSAppender’, have been removed.
CVEID: CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM UrbanCode Release | 6.2.5.0 - 6.2.5.1 |
IBM UrbanCode Release | 6.2.4.0 - 6.2.4.1 |
IBM UrbanCode Release | 6.2.3.0 - 6.2.3.1 |
IBM UrbanCode Release | 6.2.2.0 - 6.2.2.7 |
See Workarounds and Mitigations section
IBM strongly recommends addressing the vulnerability now by applying one of the mitigation options below.
> Option 1:
Upgrade IBM UrbanCode Release to the most current version, 6.2.5.5, which contains a modified version of log4j-1.2.jar in which all network ‘appenders’, including ‘JMSAppender’, have been removed.
**Note**: 6.2.5.2 - 6.2.5.4 also contain the modified log4j-1.2.jar that addresses the vulnerability.
Affected Product(s) | Version(s) | Remediation/Fixes |
---|---|---|
IBM UrbanCode Release | 6.2.5.0 - 6.2.5.1 | Download IBM UrbanCode Release version 6.2.5.5 |
IBM UrbanCode Release | 6.2.4.0 - 6.2.4.1 | Download IBM UrbanCode Release version 6.2.5.5 |
IBM UrbanCode Release | 6.2.3.0 - 6.2.3.1 | Download IBM UrbanCode Release version 6.2.5.5 |
IBM UrbanCode Release | 6.2.2.0 - 6.2.2.7 | Download IBM UrbanCode Release version 6.2.5.5 |
> Option 2:
For customers who do not wish to upgrade to IBM UrbanCode Release version 6.2.5.5 and prefer to replace only the existing log4j.jar file:
Affected Product(s) | Version(s) | Remediation/Fixes/Instructions |
---|---|---|
IBM UrbanCode Release | 6.2.5.0 - 6.2.5.1 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file |
IBM UrbanCode Release | 6.2.4.0 - 6.2.4.1 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file |
IBM UrbanCode Release | 6.2.3.0 - 6.2.3.1 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file |
IBM UrbanCode Release | 6.2.2.0 - 6.2.2.7 | Download and extract the interim fix IBM_UCR_6.2-iFix_Log4j-CVE-2021-44228, then replace the existing log4j.jar library as indicated in the README file |
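After replacing the jar (or upgrading), it is worth confirming that the log4j-1.2.jar actually loaded by the server is the modified one, i.e. that no network appender classes remain under `org/apache/log4j/net/`. The following check is an added example, not part of this advisory or of IBM's iFix; the jars it inspects are constructed stand-ins with empty class stubs, and the path of the real jar on an UrbanCode Release install is an assumption the operator must supply.

```python
import zipfile
from pathlib import Path
from tempfile import mkdtemp

# Log4j 1.2 appenders that open network connections when a logging
# configuration references them; the iFix ships a jar with these removed.
NETWORK_APPENDER_PACKAGE = "org/apache/log4j/net/"


def network_appender_classes(jar_path):
    """Return the network appender class entries still present in a log4j jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(
            name for name in jar.namelist()
            if name.startswith(NETWORK_APPENDER_PACKAGE)
            and name.endswith("Appender.class")
        )


def ifix_applied(jar_path):
    """True when no network appender (JMSAppender, SocketAppender, ...) remains."""
    return not network_appender_classes(jar_path)


def build_sample_jar(directory, name, entries):
    """Write a constructed stand-in jar (empty class stubs) for offline testing."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return str(path)


def demo():
    """Constructed jars: one with stock 1.2 appenders, one approximating the iFix."""
    workdir = mkdtemp()
    stock = build_sample_jar(workdir, "log4j-1.2-stock.jar", [
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/net/SocketAppender.class",
        "org/apache/log4j/net/SocketNode.class",  # in net/ but not an appender
    ])
    fixed = build_sample_jar(workdir, "log4j-1.2-ifix.jar", [
        "org/apache/log4j/Logger.class",
    ])
    return {
        "stock": network_appender_classes(stock),
        "fixed": network_appender_classes(fixed),
        "stock_ok": ifix_applied(stock),
        "fixed_ok": ifix_applied(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `network_appender_classes` at the jar the running server uses (assumed path, found via the README or the process's classpath), not at a copy in the download directory.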