Lucene search

K
ibmIBMAC579EF06A63C7679B2D7EC4B67819D5F33EC90E9760AA522990209580D45436
HistoryJun 08, 2022 - 12:25 p.m.

Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is vulnerable to Apache Log4j2 - CVE-2021-44832

2022-06-0812:25:28
www.ibm.com
39

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.025 Low

EPSS

Percentile

89.9%

Summary

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. Apache Log4j library is used inside the search indexer component by IBM Rational Software Architect RealTime Edition. The fix includes Apache Log4j v2.17.1.

Vulnerability Details

CVEID:CVE-2021-44832
**DESCRIPTION:**Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
RSA RT 10.3
RSA RT 11.0
RSA RT 11.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Update RSA RT to v11.1 2022.04 or later versions available through Fix Central.

Workarounds and Mitigations

If update to RSA RT v11.1 2022.04 or later versions is not possible, please reach out to IBM Support.

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.025 Low

EPSS

Percentile

89.9%

Related for AC579EF06A63C7679B2D7EC4B67819D5F33EC90E9760AA522990209580D45436