Lucene search

K
ibmIBMAAB14D78054A85A0638FC4EFD7F09686429CB02C6B45FF1ECAFA55C27A050635
HistoryDec 21, 2021 - 2:58 p.m.

Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)

2021-12-2114:58:17
www.ibm.com
105

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

99.9%

Summary

There is a vulnerability in the Apache log4j library used by IBM WebSphere Application Server in the Admin Console and UDDI Registry application and used by the IBM WebSphere Application Server Liberty for z/OS in features zosConnect-1.0 and zosConnect-1.2. This has been addressed in IBM WebSphere Application Server by removing log4j from the Admin Console and UDDI Registry application. This has been addressed in IBM WebSphere Application Server Liberty for z/OS by removing log4j from the zosConnect-1.0 and zosConnect-1.2 features.

Vulnerability Details

CVEID:CVE-2021-4104
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-45046
**DESCRIPTION:**Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern to exploit this vulnerability to craft malicious input data using a JNDI Lookup pattern and cause a denial of service.
CVSS Base score: 9.0
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
WebSphere Application Server Liberty Continuous delivery
WebSphere Application Server 9.0
WebSphere Application Server 8.5
WebSphere Application Server 8.0
WebSphere Application Server 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR PH42762 for each named product as soon as possible.

For WebSphere Application Server Liberty 17.0.0.3 - 21.0.0.12 using the zosConnect-1.0 or zosConnect-1.2 feature:

· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42762
--OR–
· Apply Fix Pack 22.0.0.1 or later (when available).

For WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.10:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42762
--OR–
· Apply Fix Pack 9.0.5.11 or later (when available).

For V8.5.0.0 through 8.5.5.20:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42762
--OR–
· Apply Fix Pack 8.5.5.21 or later (when available).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH42762

For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and then apply Interim Fix PH42762

Additional interim fixes may be available and linked off the interim fix download page.

Required next steps:

  1. If the UDDI Registry Application is running on the WebSphere Application Server, then after applying the Interim Fix PH42762,redeploy the UDDI Registry Application.

  2. The “kc.war” application is removed from the installableApps/ directory by this fix. If this application has been installed (deployed) to any application server (separately from isclite.ear), it must be manually****uninstalled via the the Admin Console or wsadmin. For instructions on how to determine if kc.war is installed see question Q9 in our Log4Shell (CVE-2021-44228) FAQ.

Note: WebSphere Application Server V7.0 and V8.0 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

If the interim fixes in PH42762 cannot be applied immediately, then follow ALLof the temporary mitigation steps below. Due to the severity, complexity, and evolving nature of the situation, no mitigation is recommended as a substitute for patching.

PH42762 only applies to a minimum fix pack level of 7.0.0.45, 8.0.0.15, 8.5.5.11, and 9.0.5.3. For any customer not on those minimum fix pack levels, IBM recommends upgrading to at least the minimum fix pack and applying the interim fix. If a customer cannot apply the interim fix, they may choose to apply the following temporary workaround to manually remove copies of log4j that this interim fix removes:

  1. WebSphere Application Server traditional release 9.0 only:
    * Remove <WAS_HOME>/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar from any system running the WebSphere admin console and restart the application server.
    Note: If any future service (prior to 8.5.5.21 or or 9.0.5.11) is applied to the install the log4j files will be restored without warning.
    * If the kc.war application has been installed then uninstall it. For instructions on how to determine if kc.war is installed see question Q9 in our Log4Shell (CVE-2021-44228) FAQ.
    * Remove <WAS_HOME>/installableApps/kc.war
  2. All WebSphere Application Server traditional releases:
    * Users of the UDDI Registry Application: Remove log4j*.jar from within the <WAS_HOME>/installableApps/uddi.ear archive and update (redeploy) any installed (deployed) copies of the UDDI Registry application.
    * Users who do not use the UDDI Registry Application should remove <WAS_HOME>/installableApps/uddi.ear
  3. WebSphere Liberty for z/OS users running zosConnect-1.0 or zosConnect-1.2:
    * Remove the fileSystemloggerInterceptor configuration element if present in the server configuration.

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

99.9%