Security Bulletin: Apache Log4j vulnerability affects IBM Business Automation Workflow (CVE-2021-44228)

2021-12-17 15:43:05
www.ibm.com

CVSS3: 10 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.975 High (percentile 99.9%)

Summary

Process Federation Server (PFS), shipped with IBM Business Automation Workflow (BAW), is affected by a vulnerability in log4j. The vulnerable log4j is included in the ElasticSearch client library used by PFS. The same vulnerable ElasticSearch library was also shipped in the offline documentation; it has already been removed by a prior security bulletin (linked from the Remediation/Fixes section).

Vulnerability Details

CVEID: CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s): IBM Business Automation Workflow
Version(s): V21.0, V20.0, V19.0, V18.0.0.0.2

Earlier versions of IBM Business Automation Workflow and of IBM Business Process Manager are affected indirectly through WebSphere Application Server (see the link to the WebSphere Application Server bulletin in the Remediation/Fixes section). If the vulnerable version of Log4j was added to or used in custom applications, those customer applications may be affected.

Remediation/Fixes

Please follow this IBM PSIRT blog post to keep up to date with additional information on this vulnerability and how it relates to your IBM products.

IBM strongly recommends applying the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64456 as soon as practical:

If you are using IBM Business Automation Workflow V18.0, V19.0, V20.0, or V21.0:
· Upgrade to the minimal cumulative fix level required by the iFix and then apply iFix JR64456
-- OR --
· Apply cumulative fix IBM Business Automation Workflow V21.0.3 or later

If you are using IBM Business Automation Workflow on Containers, apply cumulative fix IBM Business Automation Workflow V21.0.2-IF006 or later.

Note that fixes for various versions may become available over time. Upgrading Process Federation Server generally does not require migration. If you are on a version of Process Federation Server that uses ElasticSearch V7, you can seamlessly upgrade to 21.0.2 to apply the patch. If you are on a version of Process Server that uses ElasticSearch 6, you can seamlessly upgrade to Process Federation Server V20.0.0.1 and apply the patch.

Another vulnerable copy of the Log4j library was shipped with offline documentation. If you have not already done so, remove offline documentation as advised in Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation.

As an additional protection, we recommend setting a Java system property for your Process Federation Server (or User Management Server) in jvm.options:

Add -Dlog4j2.formatMsgNoLookups=true to jvm.options as described in <https://www.ibm.com/docs/en/was-liberty/core?topic=manually-customizing-liberty-environment>. Alternatively, set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. This setting can help mitigate risks in code (including custom code such as a TAI) that uses log4j version 2.10 or later.

IBM Business Automation Workflow builds on top of IBM WebSphere Application Server 8.5.5. You must also follow Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228) to patch the underlying application server platform.

IBM Business Automation Workflow allows customers to build apps on top of the platform. These apps may bring their own (vulnerable) copy of log4j-core-2.x and may use it from custom Java code. It is important to review and fix all vulnerable use of log4j-core-2.x in your custom apps.
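The two checks the bulletin leaves to the customer, confirming that the jvm.options property (or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) is actually set and reviewing custom apps for a bundled log4j-core-2.x, can be scripted. The following is an added Python example, not IBM's tooling or part of the original bulletin: it walks a directory of deployed archives, recursing into EAR, WAR and JAR containers, records every log4j-core-2.x it finds, and reports for each copy whether the property applies (log4j 2.10 or later, as the bulletin states) and whether it is set. The directory layout, archive names, versions and the sample jvm.options are constructed fixtures; the property and variable names come from the bulletin.

```python
"""Added example (not IBM code): inventory bundled log4j-core-2.x in deployed
app archives and check whether the jvm.options / env-var stopgap named in the
bulletin is in place. All file names, versions and paths below are constructed
for illustration."""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, ... (2.x only)
LOG4J_CORE_RE = re.compile(r"log4j-core-(2\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)\.jar$")
NO_LOOKUPS_PROPERTY = "-Dlog4j2.formatMsgNoLookups=true"   # from the bulletin
NO_LOOKUPS_ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS"             # from the bulletin


def version_tuple(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def _scan_archive(data: bytes, location: str, findings: list) -> None:
    """Walk one zip-based container (EAR/WAR/JAR) and recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        for name in zf.namelist():
            m = LOG4J_CORE_RE.search(name)
            if m:
                findings.append({"location": f"{location}!/{name}", "version": m.group(1)})
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{location}!/{name}", findings)


def scan_directory(root: Path) -> list:
    """Find every log4j-core-2.x jar under root, loose on disk or nested in archives."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        m = LOG4J_CORE_RE.search(path.name)
        if m:
            findings.append({"location": str(path), "version": m.group(1)})
        elif path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(path.read_bytes(), str(path), findings)
    return findings


def has_no_lookups_mitigation(jvm_options_text: str, env: dict) -> bool:
    """True if jvm.options carries the property (comments ignored) or the env var is 'true'."""
    for line in jvm_options_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if line == NO_LOOKUPS_PROPERTY:
            return True
    return env.get(NO_LOOKUPS_ENV, "").strip().lower() == "true"


def assess(findings: list, mitigated: bool) -> list:
    """Per finding: does the bulletin's property apply (log4j >= 2.10) and is it set?"""
    out = []
    for f in findings:
        supports_flag = version_tuple(f["version"]) >= (2, 10)
        if not supports_flag:
            status = "property has no effect on this version; remove or upgrade the jar"
        elif mitigated:
            status = "property set; stopgap only, apply the iFix/CF and fix the app"
        else:
            status = "property NOT set and jar still present; apply the iFix/CF and fix the app"
        out.append({**f, "supports_flag": supports_flag, "status": status})
    return out


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: an EAR nesting a WAR that bundles log4j-core-2.14.1,
    a loose log4j-core-2.8.2 jar, and a jvm.options that already has the property."""
    fake_jar = _zip_bytes({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    war = _zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": fake_jar,
                      "WEB-INF/lib/log4j-api-2.14.1.jar": fake_jar})
    ear = _zip_bytes({"web.war": war, "META-INF/application.xml": "<application/>"})
    (root / "apps").mkdir(parents=True)
    (root / "apps" / "customapp.ear").write_bytes(ear)
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.8.2.jar").write_bytes(fake_jar)
    (root / "jvm.options").write_text("# Liberty JVM options\n-Xmx2g\n" + NO_LOOKUPS_PROPERTY + "\n")


def run_demo() -> list:
    """Build the fixture in a temp dir, scan it, and return the assessment rows."""
    root = Path(tempfile.mkdtemp(prefix="log4j-check-"))
    build_sample_tree(root)
    mitigated = has_no_lookups_mitigation((root / "jvm.options").read_text(), os.environ)
    return assess(scan_directory(root), mitigated)


if __name__ == "__main__":
    for row in run_demo():
        print(f'{row["version"]:<8} {row["status"]}\n    {row["location"]}')
```

Point scan_directory at the server's apps and lib directories and has_no_lookups_mitigation at the real jvm.options to use it beyond the fixture. The assessment deliberately never reports a copy as "safe": the property is a stopgap for 2.10+ only, and the bulletin's fix is the iFix/CF plus removal of the vulnerable copy from the custom app.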

Workarounds and Mitigations

None
