Security Bulletin: Vulnerability from log4j-1.2.16.jar affects IBM Operations Analytics - Log Analysis (CVE-2023-26464)

2023-05-25 06:50:43
www.ibm.com

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.002
Percentile: 58.8%

Summary

log4j-1.2.16.jar is vulnerable and is shipped with Log Analysis. The fix includes Apache Log4j core 2.17.1.

Vulnerability Details

CVEID: CVE-2023-26464
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by a flaw when using the Chainsaw or SocketAppender components. By sending a specially crafted hashmap or hashtable, a remote attacker could exploit this vulnerability to exhaust the available memory in the virtual machine, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/249785 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)   Version(s)
Log Analysis          1.3.5.3
Log Analysis          1.3.6.x
Log Analysis          1.3.7.x

Remediation/Fixes

Version: IBM Operations Analytics - Log Analysis 1.3.5.3, 1.3.6.x, 1.3.7.x
Fix details:

If the current Log Analysis version is older than 1.3.7.2, upgrade to Log Analysis version 1.3.7 Fix Pack 2 and apply the 1.3.x Log4j Interim Fix 1 (Solr) fix. Download 1.3.7-TIV-IOALA-FP2 and 1.3.x-TIV-IOALA-IF1-Log4j-solr.

For Log Analysis version 1.3.7.2, apply the 1.3.x Log4j Interim Fix 1 (Solr) fix. Download 1.3.x-TIV-IOALA-IF1-Log4j-solr.

For users of Logstash, apply the 1.3.x Log4j Interim Fix 2 (Logstash) fix. Download 1.3.x-TIV-IOALA-IF2-Log4j-LS.
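After applying the fix pack and interim fixes, an administrator will want to confirm that no log4j 1.x jar (the component CVE-2023-26464 applies to, shipped as log4j-1.2.16.jar) remains on disk and that the Log4j core 2.17.1 the fix bundles is present. The following audit script is an added example, not IBM's code; the jar names, manifests and install directory it builds are constructed for the demonstration, and the real Log Analysis install path must be supplied by the operator.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Constructed sample manifests: one jar matching the affected log4j-1.2.16.jar
# shipped in Log Analysis, one matching the Log4j core 2.17.1 the fix bundles.
SAMPLE_JARS = {
    "log4j-1.2.16.jar": "Manifest-Version: 1.0\nImplementation-Version: 1.2.16\n",
    "log4j-core-2.17.1.jar": "Manifest-Version: 1.0\nImplementation-Version: 2.17.1\n",
}

def parse_version(text):
    """'1.2.16' or 'log4j-core-2.17.1.jar' -> (1, 2, 16) / (2, 17, 1); None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def jar_version(jar_path):
    """Prefer META-INF/MANIFEST.MF Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                v = parse_version(line.split(":", 1)[1])
                if v:
                    return v
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall through to the file name
    return parse_version(Path(jar_path).name)

def audit_log4j_jars(root):
    """Map each log4j*.jar under root to (version, affected); affected = 1.x or unknown."""
    findings = {}
    for jar in sorted(Path(root).rglob("log4j*.jar")):
        v = jar_version(jar)
        findings[jar.name] = (v, v is None or v[0] == 1)
    return findings

def demo():
    # Build the constructed install tree in a temp dir, then audit it.
    root = Path(tempfile.mkdtemp(prefix="la-log4j-"))
    for name, manifest in SAMPLE_JARS.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return audit_log4j_jars(root)

if __name__ == "__main__":
    for name, (version, affected) in demo().items():
        print(f"{name}: {version} {'AFFECTED' if affected else 'ok'}")
```

Point `audit_log4j_jars` at the Log Analysis installation root (and the Solr and Logstash directories the interim fixes cover) to run it against a real system; any entry flagged AFFECTED means the interim fix did not replace that jar.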

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm smartcloud_analytics_log_analysis Match 1.3.5
OR
ibm smartcloud_analytics_log_analysis Match 1.3.6
OR
ibm smartcloud_analytics_log_analysis Match 1.3.7
