Security Bulletin: Apache Log4j vulnerability (CVE-2021-44228) has been identified in IBM Tivoli Netcool Impact and IBM WebSphere Application Server bundled with Tivoli Business Service Manager

Summary

IBM Tivoli Netcool Impact and IBM WebSphere Application Server are bundled as components of Tivoli Business Service Manager. Information about a security vulnerability affecting IBM Tivoli Netcool Impact and IBM WebSphere Application Server have been published in security bulletins.

Vulnerability Details

CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the interim fixes below:

For WebSphere Application Server (WAS) traditional:

Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)

For V8.5.0.0 through 8.5.5.20:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42762
--OR–
· Apply Fix Pack 8.5.5.21 or later fix pack if available.

**For IBM Tivoli Netcool Impact: **
Security Bulletin: Vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact (CVE-2021-44228)

For 7.1.0.18 through 7.1.0.24:
Apply Interim Fix 7.1.0-TIV-NCI-IF0010

Workarounds and Mitigations

IBM strongly recommends to apply the interim fixes now.