Lucene search

K
ibmIBM822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961
HistoryMar 28, 2022 - 5:37 p.m.

Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j

2022-03-2817:37:28
www.ibm.com
104

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

Summary

A new vulnerability with log4j has been detected. MAS Monitor uses log4j in all releases and interim fixes are now available for our 8.4, 8.5 and 8.6 releases. More details of the vulnerability are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Vulnerability Details

CVEID:CVE-2021-4104
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-45046
**DESCRIPTION:**Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
Monitor Component All

Remediation/Fixes

To receive the interim fix update your Red Hat OpenShift deployments for each of the Monitor API pods to point to the newly published fix image in IBM Cloud Registry.

Steps:

First, disable the Monitor operator by decrementing the number of pods instantiated by the operator deployment from 1 to 0.

Now go each of these 5 deployments: rest-meta, rest-kpi, rest-master, rest-datalake and rest-dscmanager.

Change the image tag from the released version to this image version

For 8.6:

8.6.2-pre.8.6.hotfix

For 8.5:

8.5.7-pre.8.5.hotfix

For 8.4:

8.4.12-pre.8.4.hotfix

After the pods restart the interim fix has been applied

Move to this directory on each pod.

cd /opt/was/liberty/wlp/usr/servers/default/dropins

List the files in the war.

unzip -l *.war

Verify your log4j.jar is version 2.15.0.

Reenable your operator to automatically install/receive future fixpacks as they are released on OLM.

Workarounds and Mitigations

None

CPENameOperatorVersion
monitor componenteqany

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

Related for 822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961