CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.976 High
Percentile: 100.0%

IBM Security Verify Governance Products NOT Affected by CVE-2021-44228 Exploit
After extensive research of the product code base, it has been determined that none of the products listed below use the vulnerable version of the Java library log4j affected by the JNDI exploit (CVE-2021-44228):
IBM Security Identity Governance and Intelligence*
IBM Security Identity Manager*
IBM Security Verify Governance*
* All supported versions and all their add-on components, such as Adapters and Information Queue
Updated Tuesday, Dec 21 2021
Clarification for customers running IBM Security Verify Governance Products (Identity Manager) mentioned in this bulletin deployed as Software Stack (not Virtual Appliance):
Updated Monday, Dec 20 2021
Refer to the WebSphere Application Server security bulletins for additional information:
<https://www.ibm.com/support/pages/node/6525706>
<https://www.ibm.com/support/pages/node/6526750>