Apr 04, 2022 - 9:53 p.m.

Security Bulletin: IBM Security Verify Governance Products NOT Affected by CVE-2021-44228 Exploit

2022-04-04 21:53:13
www.ibm.com

CVSS3: 10 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.976 High

  • Percentile: 100.0%

Summary

IBM Security Verify Governance Products NOT Affected by CVE-2021-44228 Exploit

Vulnerability Details

After extensive research of the product code base, it has been determined that none of the products listed below use the vulnerable version of the Java library log4j affected by the JNDI exploit (CVE-2021-44228):

  • IBM Security Identity Governance and Intelligence*

  • IBM Security Identity Manager*

  • IBM Security Verify Governance*

  • All supported versions and all their add-on components such as Adapters and Information Queue

Updated Tuesday, Dec 21 2021

Clarification for customers running IBM Security Verify Governance Products (Identity Manager) mentioned in this bulletin deployed as Software Stack (not Virtual Appliance):

Updated Monday, Dec 20 2021

Refer to the WebSphere Application Server security bulletins for additional information:

<https://www.ibm.com/support/pages/node/6525706>
<https://www.ibm.com/support/pages/node/6526750>

  • Customers running the IBM Security Verify Governance Products (Identity Manager) mentioned in this bulletin deployed as Software Stack (not Virtual Appliance) must refer to the WebSphere Application Server security bulletin and apply the required WebSphere patches.
  • The IBM Security Verify Governance Products mentioned in this bulletin deployed as Virtual Appliances do not use the WebSphere Application Server Admin Console or the UDDI Registry application; therefore, they are not affected by the WebSphere Application Server vulnerability.
