**CVSS3:** 10 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CVSS2:** 9.3 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

**EPSS:** 0.975 High (percentile 100.0%)
IBM Sterling Global Mailbox uses Apache Log4j and is impacted by CVE-2021-44228. Mitigation steps have been confirmed. Final remediation images pending.
**CVEID:** CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Global High Availability Mailbox | 6.0.3-6.1.1.0 |

Product Version | Remediation & Fix |
---|---|
6.0.3-6.1.1.0 | Download IBM Sterling B2B Integrator IIM version 6.0.3.5_1, 6.1.0.4_1, 6.1.1.0_1, 6.0.2.3._1 or 6.0.1.2_1 on Fix Central, then apply the fix for Global Mailbox |
Strongly recommend implementing the following mitigation.

The following instructions apply to the Global Mailbox Liberty server (mailboxui):
1. Stop the Global Mailbox Liberty server.
2. Edit the <Install Directory>/wlp/usr/servers/mailboxui/bootstrap.properties file.
3. Add the following property on a new line:
log4j2.formatMsgNoLookups=true

The following instructions apply to the Global Mailbox WatchDog component:
1. Stop WatchDog by running the stopGMCoordinateWatchdog.sh script from the folder <Global Mailbox Install Dir>/MailboxUtilities/bin.
2. Edit the startWatchDog.sh file in the folder <Zookeeper Install Dir>/watchdog/bin.
3. Look for the "nohup ${JAVA_EXEC}" command and add the JVM parameter -Dlog4j2.formatMsgNoLookups=true to this command, e.g.:
nohup ${JAVA_EXEC} -Dwatchdog.properties.file=${WATCHDOG_PROPERTIES_FILE} -Djava.util.logging.config.file=./…/conf/watchdog.logging.properties -Dlog4j2.formatMsgNoLookups=true -classpath "${WATCHDOG_JARS_DIR}/*" com.ibm.mailbox.zkwatchdog.ZKWatchDogMain "$@" > "$WATCHDOG_OUT_FILE" 2>&1 < /dev/null &
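As an added example that is not part of the IBM bulletin, the POSIX shell check below verifies that both mitigation settings described above are present: the property in bootstrap.properties and the JVM parameter on the "nohup ${JAVA_EXEC}" launch line in startWatchDog.sh. It runs against constructed sample copies of the two files; the sample contents, the temporary paths and the function names are assumptions, not taken from an installation.

```shell
#!/bin/sh
# Added check for the mitigation steps in this bulletin (not IBM's script).
# Each check_* function takes a file path and returns 0 when the setting is present.

# bootstrap.properties: an uncommented log4j2.formatMsgNoLookups=true line.
check_bootstrap() {
  grep -Eq '^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# startWatchDog.sh: the uncommented "nohup ${JAVA_EXEC}" launch line must carry
# -Dlog4j2.formatMsgNoLookups=true; the flag anywhere else in the file does not count.
check_watchdog() {
  grep -Ev '^[[:space:]]*#' "$1" \
    | grep -F 'nohup ${JAVA_EXEC}' \
    | grep -Eq '(^|[[:space:]])-Dlog4j2\.formatMsgNoLookups=true([[:space:]]|$)'
}

# Reports both files; returns 0 only when both components are mitigated.
check_mitigation() {
  rc=0
  if check_bootstrap "$1"; then echo "OK      $1"; else echo "MISSING $1"; rc=1; fi
  if check_watchdog "$2"; then echo "OK      $2"; else echo "MISSING $2"; rc=1; fi
  return $rc
}

# Constructed sample files (not taken from a real install) for a demo run.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bootstrap.properties" <<'EOF'
# Liberty bootstrap properties (constructed sample)
log4j2.formatMsgNoLookups=true
EOF
# Before the edit: the launch line without the flag.
cat > "$SAMPLE_DIR/startWatchDog.sh" <<'EOF'
nohup ${JAVA_EXEC} -Dwatchdog.properties.file=${WATCHDOG_PROPERTIES_FILE} -classpath "${WATCHDOG_JARS_DIR}/*" com.ibm.mailbox.zkwatchdog.ZKWatchDogMain "$@" > "$WATCHDOG_OUT_FILE" 2>&1 < /dev/null &
EOF
# After the edit: the same line with -Dlog4j2.formatMsgNoLookups=true inserted.
sed 's/ -classpath / -Dlog4j2.formatMsgNoLookups=true -classpath /' \
  "$SAMPLE_DIR/startWatchDog.sh" > "$SAMPLE_DIR/startWatchDog.fixed.sh"

check_mitigation "$SAMPLE_DIR/bootstrap.properties" "$SAMPLE_DIR/startWatchDog.sh" \
  || echo "-> WatchDog still needs the JVM parameter"
check_mitigation "$SAMPLE_DIR/bootstrap.properties" "$SAMPLE_DIR/startWatchDog.fixed.sh" \
  && echo "-> both components mitigated"
```

On a real server, call check_mitigation with the bootstrap.properties and startWatchDog.sh paths from the steps above after restarting the components.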
**CPE:**

Name | Operator | Version |
---|---|---|
ibm global high availability mailbox | eq | 6.0.3. |
ibm global high availability mailbox | eq | 6.1. |