Lucene search

K
ibmIBM7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710
HistoryDec 24, 2021 - 8:33 a.m.

Security Bulletin: i2 Analyze, i2 Connect and Analyst's Notebook Premium are affected by the Log4j vulnerability (CVE-2021-44228)

2021-12-2408:33:49
www.ibm.com
224

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

99.9%

Summary

Log4j is used by i2 Analyze and i2 Connect for general purpose and application error logging. It is also used in Analyst’s Notebook Premium when the chart store is deployed. This bulletin provides mitigation for the reported CVE-2021-44228 by providing configuration that addresses Log4j being vulnerable.

Vulnerability Details

CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Software versions requiring changes to both i2 Analyze application server and Solr

Software Version Notes
i2 Analyze 4.3.5.0 bundled with EIA 2.4.1.0
i2 Analyze 4.3.4.0 bundled with EIA 2.4.0.0
i2 Analyze 4.3.3.0 bundled with EIA 2.3.4.0
i2 Connect 1.1.1 shipped with i2 Analyze 4.3.5.0
i2 Connect 1.1.0 shipped with i2 Analyze 4.3.4.0
i2 Connect 1.0.3 shipped with i2 Analyze 4.3.3.0
Analyst’s Notebook Premium 9.3.1 Chart store component
Analyst’s Notebook Premium 9.3.0 Chart Store component

Software versions requiring changes to Solr only

Software Version Notes
i2 Analyze 4.3.2.0 bundled with EIA 2.3.2.0
i2 Analyze 4.3.2.0 bundled with EIA 2.3.3.0
i2 Connect 1.0.2 shipped with i2 Analyze 4.3.2.0

Remediation/Fixes

Please find your version in the tables below and follow the fix pack links for update and instructions.**

Software versions requiring changes to both i2 Analyze application server and Solr**

Software Version Notes Fix pack links
i2 Analyze 4.3.5.0 bundled with EIA 2.4.1.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.1.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0
i2 Analyze 4.3.4.0 bundled with EIA 2.4.0.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.4.0.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0
i2 Analyze 4.3.3.0 bundled with EIA 2.3.4.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0
i2 Connect 1.1.1 shipped with i2 Analyze 4.3.5.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.1.1.2-SEC-I2CONNECT-WinLinux-FP0001&includeSupersedes=0
i2 Connect 1.1.0 shipped with i2 Analyze 4.3.4.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.4.3-SEC-i2EIA-WinLinux-FP0003&includeSupersedes=0
i2 Connect 1.0.3 shipped with i2 Analyze 4.3.3.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.3.3-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0
Analyst’s Notebook Premium 9.3.1 Chart store component https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.1.2-SEC-I2ANBP-Win-FP0002&includeSupersedes=0
Analyst’s Notebook Premium 9.3.0 Chart Store component https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Analysts+Notebook+Premium&release=All&platform=All&function=fixId&fixids=9.3.0.3-SEC-I2ANBP-Win-FP0003&includeSupersedes=0

Software versions requiring changes to Solr only

Software Version Notes Fix pack links
i2 Analyze 4.3.2.0 bundled with EIA 2.3.2.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Enterprise+Insight+Analysis&release=All&platform=All&function=fixId&fixids=2.3.2.2-SEC-i2EIA-WinLinux-FP0002&includeSupersedes=0
i2 Connect 1.0.2 shipped with i2 Analyze 4.3.2.0 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=i2&product=ibm/Other+software/i2+Connect&release=All&platform=All&function=fixId&fixids=1.0.2.2-SEC-I2CONNECT-WinLinux-FP0002&includeSupersedes=0

Workarounds and Mitigations

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

99.9%