Security Bulletin: IBM Telco Network Cloud Manager - Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305)

Summary

Apache Log4j is used by IBM Telco Network Cloud Manager - Performance for logging and is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305). The fix includes Apache Log4j v2.17.1.

Vulnerability Details

CVEID:CVE-2021-44832
**DESCRIPTION:**Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-23305
**DESCRIPTION:**Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2022-23302
**DESCRIPTION:**Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now. This Security Bulletin is applicable to all IBM Telco Network Cloud Manager - Performance released versions.

For IBM Telco Network Cloud Manager - Performance 1.4.1:

Please download fix from http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Telco+Network+Cloud+Manager±+Performance&fixids=1.4.1.TIV-TNCP-IF002&source=SAR

For more information about applying the fix, go to IBM Documentation : <https://www.ibm.com/docs/en/tncm-p/1.4.1?topic=configuring-installing&gt;

For IBM Telco Network Cloud Manager - Performance 1.4 , 1.3 and 1.2:

If you have one of the listed affected versions, it is strongly recommended that you apply the most recent security update to UI service:

Apply the following updated UI service image by navigating into tncp product namespace -> statefulset -> ui

• **If the product is deployed on Openshift env then use following image =>**cp.icr.io/cp/tncp/basecamp-ui:2.4.1.0-166-d77181da@sha256:910ecb867298b343184bcc129c847695c4db3e8196241d52af2ba6c034d012e0
• If the product is deployed on Kubernetes environment then use following image : docker.io/persistentsystems/basecamp-ui:2.4.1.0-166-d77181da@sha256:910ecb867298b343184bcc129c847695c4db3e8196241d52af2ba6c034d012e0

Workarounds and Mitigations

None