IBM55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Automation (CVE-2021-44228)
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%
Summary
A remote code execution vulnerability has been reported for log4j-core-2.x libraries, which are used in various components of IBM Cloud Pak for Business Automation.
Vulnerability Details
CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| ICP4A |
V19.x
V20.x
V21.0.1
V21.0.2 before 21.0.2-IF006
V21.0.3 before 21.0.3-IF001 (in 21.0.3, only the ADP component is affected)
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading.
Please follow this IBM PSIRT blog post to keep up to date with additional information around this vulnerability and how it relates to your IBM products.
For versions before 21.0.3, the recommended solution is to upgrade to
- IBM Cloud Pak for Business Automation 21.0.2 and apply IF006 or later
- IBM Cloud Pak for Business Automation 20.0.3 and apply IF012 or later
as soon as possible.
For version 21.0.3, the recommended solution is to apply 21.0.3-IF001 or later as soon as possible, see Readme for Cloud Pak for Business Automation 21.0.3-IF001 for ADP for details.
IBM Cloud Pak for Automation can make use of components in IBM Automation Foundation (IAF). Fixes for CVE-2021-44228 will be included in IAF 1.3.1. New installations of Cloud Pak for Automation 21.0.2-IF006 and later automatically consume the IBM Automation Foundation 1.3 channel. Existing installations upgrading to 21.0.2-IF006 or later need to manually update the IAF channel as in explained in Readme for Cloud Pak for Business Automation 21.0.2 IF006.
IBM Cloud Pak for Automation allows building custom apps on top of the platform. These custom apps can bring their own copy of the vulnerable Log4j library. You must carefully review all your custom apps to identify and upgrade all vulnerable use of the log4j library.
Workarounds and Mitigations
None
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%