Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104)

Summary

A vulnerability in Apache Log4j 1.2 (CVE-2021-4104) may affect IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, which utilize log4j for its logging functionality. Although no known vulnerability impact has been proven, it is strongly recommended to apply the fix that upgrades log4j from version 1.2 to version 2.17.1. IBM Maximo Asset Management version 7.6.1.2 IFX019 and IBM Maximo Manage Patch 8.3.1 ship the latest library available 2.17.1.

Vulnerability Details

CVEID:CVE-2021-4104
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product and the IBM Maximo Manage application in IBM Maximo Application Suite. Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

Product versions affected:

• To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central and apply it for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6:

For IBM Maximo Manage application in IBM Maximo Application Suite:

First upgrade to Maximo Application Suite version 8.7.2 and then from the Catalog select Update Available for Manage 8.3.1

Workarounds and Mitigations

Additional manual steps are required to remove all instances of Apache Log4j 1.2 for Maximo Asset Management 7.6.

1. Delete the following files from the Maximo install directory:
   1. <maximo_home>\reports\cognos\c11\sdk\log4j-1.2.17.jar
   2. <maximo_home>\reports\cognos\c11\src\lib\log4j-1.2.17.jar
2. When using Cognos metadata publishing in an Oracle WebLogic environment, the Cognos BI Server Integration Installation Guide includes an instruction to copy log4j to <weblogic>\user_projects\domains\base_domain\lib. Remove this file if applicable.