Lucene search

K
ibmIBMA8080DF589F1BFC2BF6B98ABD8B92D2C07AAE6F3E14977386069111BB800A09C
HistoryJan 24, 2022 - 8:02 p.m.

Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832)

2022-01-2420:02:49
www.ibm.com
5

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.03 Low

EPSS

Percentile

90.0%

Summary

A vulnerability in Apache Log4j could result in remote code execution. This vulnerability may affect the Help system in IBM Spectrum Copy Data Management . The below fix package includes Apache Log4j 2.17.1.

Vulnerability Details

CVEID:CVE-2021-44832
**DESCRIPTION:**Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Copy Data Management 2.2.14.0-2.2.14.2

Remediation/Fixes

IBM strongly recommends addressing this vulnerability now by upgrading.

Note: The below fix package includes Log4j 2.17.1.

IBM Spectrum Copy Data Management Affected Versions|Fixing Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
2.2.14.0-2.2.14.2| 2.2.14.3| Linux| <https://www.ibm.com/support/pages/node/6507419&gt;

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm spectrum copy data managementeq2.2

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.03 Low

EPSS

Percentile

90.0%

Related for A8080DF589F1BFC2BF6B98ABD8B92D2C07AAE6F3E14977386069111BB800A09C