CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.9%
IBM Sterling Transformation Extender is impacted by the Log4j2 security vulnerability CVE-2021-44228, where an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
**CVEID:** CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Sterling Transformation Extender | 10.0.3.0 |
IBM Sterling Transformation Extender | 10.1.0.0, 10.1.0.1 |
IBM Sterling Transformation Extender | 10.1.1.0 |
NOT Applicable Releases:
This security vulnerability is NOT applicable to the following releases of the product and all associated Industry and Enterprise Packs:
Also, not applicable to the following certified container releases:
NOTE: Applicable to environments where Design Server and Runtime REST API server are used to design and run maps and flows in the environment. All other design and runtime environments are not affected. In other words, Design Studio, Command Server, Launcher, RMI Server and API environments are not affected by this security vulnerability.
Affected Product(s) | Version(s) | Link to Fix |
---|---|---|
IBM Sterling Transformation Extender | 10.0.3.0 | Link |
IBM Sterling Transformation Extender | 10.1.0.0, 10.1.0.1 | Link |
IBM Sterling Transformation Extender | 10.1.1.0 | Link |
Applicable Platforms:
IBM strongly recommends that IBM Transformation Extender administrators apply the remediation. The procedure to remediate the vulnerability differs by platform and applicable version; follow the remediation process provided here as appropriate to your environment.
IBM Sterling Transformation Extender is impacted by the Log4j 2.x security vulnerability CVE-2021-44228. The other two security vulnerabilities, CVE-2021-45046 and CVE-2021-45105, are not applicable, but as a measure of caution Log4j has been upgraded to version 2.17.0.
For detailed information on the security vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, refer to the following links:
https://vulners.com/cve/CVE-2021-44228
https://vulners.com/cve/CVE-2021-45046
https://vulners.com/cve/CVE-2021-45105
IBM Sterling Transformation Extender is NOT impacted by the Log4j 1.x security vulnerabilities CVE-2021-4104 and CVE-2019-17571. As a measure of caution, the vulnerable classes have been removed.
For detailed information on the security vulnerabilities CVE-2021-4104 and CVE-2019-17571, refer to the following links:
https://vulners.com/cve/CVE-2021-4104
https://vulners.com/cve/CVE-2019-17571
Remediation:
The Log4j version has been upgraded to 2.17.0 to cover the Log4j 2.x security vulnerabilities, and the vulnerable classes JMSAppender and SocketServer in the distributed Log4j 1.x version have been removed as a measure of caution to cover the Log4j 1.x security vulnerabilities in the IBM Sterling Transformation Extender product.
Steps to remediate the vulnerabilities:
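Before marking an environment remediated, an administrator would want to verify the shipped archives against what the advisory states: Log4j 2.x at or above the fix level 2.17.0, and the Log4j 1.x classes JMSAppender and SocketServer absent. The script below is an added example for that check; it is not IBM's tooling and not part of the advisory. The class paths, the Maven metadata locations inside the jars, and the in-memory sample archives are assumptions made for the example (the samples are constructed and contain no real bytecode). Note that JndiLookup still ships in 2.17.0 with JNDI disabled by default, so the script treats the class alone as a finding only when the jar version is below the fix level or unknown.

```python
"""Audit jar/war/ear files for the Log4j components named in the advisory.

Added verification example (not IBM's code): checks that any bundled Log4j 2.x is
at or above the advisory's fix level, 2.17.0, and that the Log4j 1.x classes the
advisory removes (JMSAppender, SocketServer) are absent. Jars nested inside a
war/ear/fat jar are scanned recursively.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 0)  # Log4j 2.x level the advisory upgrades to
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Log4j 1.x classes the advisory says were removed as a precaution.
LOG4J1_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104 (Log4j 1.x JMSAppender present)",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571 (Log4j 1.x SocketServer present)",
}


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); None when the string is not a dotted version."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(zf, names):
    """Version from Log4j's Maven pom.properties, falling back to the manifest."""
    for n in names:
        if n.startswith("META-INF/maven/org.apache.logging.log4j/") and n.endswith("pom.properties"):
            for line in zf.read(n).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line[len("version="):])
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            key, sep, val = line.partition(":")
            if sep and key.strip() in ("Implementation-Version", "Bundle-Version"):
                return parse_version(val)
    return None


def audit_jar(jar_bytes, name="<jar>"):
    """Return {'name', 'version', 'findings', 'remediated'} for one archive."""
    report = {"name": name, "version": None, "findings": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        report["version"] = jar_version(zf, names)
        # JndiLookup still ships in 2.17.0 (JNDI disabled by default there), so the
        # class alone is not a finding; a version below the fix level (or unknown) is.
        if JNDI_LOOKUP in names and (report["version"] is None or report["version"] < FIXED_VERSION):
            shown = ".".join(map(str, report["version"])) if report["version"] else "unknown"
            report["findings"].append((name, f"CVE-2021-44228: log4j-core {shown} is below 2.17.0"))
        for cls, why in LOG4J1_CLASSES.items():
            if cls in names:
                report["findings"].append((name, why))
        for n in sorted(names):  # recurse into jars bundled inside a war/ear/fat jar
            if n.endswith(".jar"):
                report["findings"].extend(audit_jar(zf.read(n), f"{name}!/{n}")["findings"])
    report["remediated"] = not report["findings"]
    return report


def build_jar(version, class_names, nested=None):
    """Constructed sample archive for offline testing; not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for c in class_names:
            zf.writestr(c, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
        for inner_name, inner_bytes in (nested or {}).items():
            zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


def audit_tree(root):
    """Audit every .jar/.war/.ear under a directory (for use against a real install)."""
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in (".jar", ".war", ".ear"):
            yield audit_jar(p.read_bytes(), str(p))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        reports = list(audit_tree(sys.argv[1]))
    else:  # constructed samples: an unpatched 2.x jar, a 2.17.0 jar, and a trimmed 1.x jar
        reports = [
            audit_jar(build_jar("2.14.1", [JNDI_LOOKUP]), "log4j-core-2.14.1.jar"),
            audit_jar(build_jar("2.17.0", [JNDI_LOOKUP]), "log4j-core-2.17.0.jar"),
            audit_jar(build_jar("1.2.17", ["org/apache/log4j/Logger.class"]), "log4j-1.2.17-trimmed.jar"),
        ]
    for r in reports:
        print(r["name"], "OK" if r["remediated"] else "FINDINGS")
        for where, why in r["findings"]:
            print("  ", where, "-", why)
```

Run it with no arguments to exercise the constructed samples, or pass an installation directory to scan the real `.jar`, `.war` and `.ear` files there; any archive reported with findings is one the advisory's remediation has not reached.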
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | websphere_transformation_extender | 10.1 | cpe:2.3:a:ibm:websphere_transformation_extender:10.1:*:*:*:*:*:*:* |