Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMAD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163
HistoryMay 05, 2022 - 2:49 p.m.

Security Bulletin: IBM Content Integrator is not affected by multiple vulnerabilities in Log4j

2022-05-0514:49:44
www.ibm.com
74

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON

Summary

There are multiple vulnerabilities in Log4j used by IBM Content Integrator. IBM Content Integrator is not affected by these vulnerabilities. However, the team has addressed vulnerabilities by removing references.

Vulnerability Details

CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure
to protect against attacker-controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially
crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take
complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an incomplete fix
of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default
Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft
malicious input data using a JNDI Lookup pattern to leak sensitive
information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled
recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could
craft malicious input data that contains a recursive lookup to cause a StackOverflowError
that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2021-4104
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the
deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to
use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2021-38951
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service,
caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to
cause the server to consume all available CPU resources. IBM X-Force ID: 211405.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211405 for the current score.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products and Versions

Affected Product(s) Version(s)
IBM Content Integrator 8.6

Remediation/Fixes

IBM Content Integrator 8.6.0.4 IF0009 Fix Central

Workarounds and Mitigations

None

CPENameOperatorVersion
content integratoreqany

Related

ibm 151
thn 4
qualysblog 4
githubexploit 9
rapid7blog 1
securelist 1
trellix 2
arista 1
fedora 2
openvas 4
avleonov 1
ics 1
symantec 1
redhat 5
cisa 1
threatpost 2
nvidia 1
nessus 1
attackerkb 1
cert 1
checkpoint_security 1
github 2
osv 1
cisco 1
ibm
ibm
Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2021-4104, CVE-2021-45046, CVE-2021-38951)
2021-12-29 00:14:31
Security Bulletin: IBM Security SiteProtector System is NOT Affected by CVE-2021-44228, CVE-2021-45105, CVE-2021-45046 & CVE-2021-4104 Exploit
2022-01-06 05:32:07
Security Bulletin: IBM Watson Machine Learning Accelerator is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-4104, CVE-2021-44228, CVE-2021-45046)
2022-01-21 01:34:55
thn
thn
New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability
2021-12-18 12:18:00
Microsoft Warns of Continued Attacks Exploiting Apache Log4j Vulnerabilities
2022-01-05 05:12:00
New Apache Log4j Update Released to Patch Newly Discovered Vulnerability
2021-12-29 04:59:00
qualysblog
qualysblog
New Options Profiles for Log4Shell Detection
2021-12-20 17:33:11
CVE-2021-44228: Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell)
2021-12-10 19:30:11
How to Discover Log4Shell Vulnerabilities in Running Containers & Images
2021-12-27 19:39:34
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-17 10:36:16
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-13 07:24:02
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-13 07:24:02
rapid7blog
rapid7blog
Widespread Exploitation of Critical Remote Code Execution in Apache Log4j
2021-12-10 15:30:00
securelist
securelist
Answering Log4Shell-related questions
2021-12-20 15:45:30
trellix
trellix
Log4shell Vulnerability is the Coal in Our Stocking for 2021
2022-01-19 00:00:00
Log4shell Vulnerability is the Coal in Our Stocking for 2021
2022-01-19 00:00:00
arista
arista
Security Advisory 0070
2022-05-20 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: log4j-2.17.0-1.fc35
2021-12-27 00:41:40
[SECURITY] Fedora 34 Update: log4j-2.17.0-1.fc34
2021-12-27 00:56:30
openvas
openvas
Elastic Elasticsearch Multiple Log4j Vulnerabilities (Dec 2021)
2021-12-20 00:00:00
Elastic Logstash Multiple Log4j Vulnerabilities (Dec 2021)
2021-12-20 00:00:00
Fedora: Security Advisory for log4j (FEDORA-2021-5c9d12a93e)
2021-12-27 00:00:00
avleonov
avleonov
Log4j “Log4Shell” RCE explained (CVE-2021-44228)
2021-12-26 22:07:17
ics
ics
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
2021-12-23 12:00:00
symantec
symantec
Symantec Security Advisory for Log4j Vulnerability
2021-12-11 01:06:47
redhat
redhat
(RHSA-2021:5148) Critical: OpenShift Container Platform 4.8.24 extras security update
2021-12-15 19:49:01
(RHSA-2021:5141) Critical: OpenShift Container Platform 4.6.52 security update
2021-12-16 07:44:46
(RHSA-2022:0083) Moderate: Red Hat build of Eclipse Vert.x 4.1.8 security update
2022-01-20 12:09:30
cisa
cisa
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
2021-12-22 00:00:00
threatpost
threatpost
Third Log4J Bug Can Trigger DoS; Apache Issues Patch
2021-12-20 16:01:57
Apache’s Fix for Log4Shell Can Lead to DoS Attacks
2021-12-15 14:04:19
nvidia
nvidia
Security Notice: NVIDIA Response to Log4j Vulnerabilities - December 2021
2021-12-13 00:00:00
nessus
nessus
GLSA-202310-16 : Ubiquiti UniFi: remote code execution via bundled log4j
2023-10-26 00:00:00
attackerkb
attackerkb
CVE-2021-44228 (Log4Shell)
2022-02-08 00:00:00
cert
cert
Apache Log4j allows insecure JNDI lookups
2021-12-15 00:00:00
checkpoint_security
checkpoint_security
Check Point's response to Apache Log4j Remote Code Execution
2021-12-10 11:28:03
github
github
GitHub’s response to Log4j vulnerability CVE-2021-44228
2021-12-13 19:06:34
Security Advisory for "Log4Shell"
2022-01-21 23:25:04
osv
osv
Security Advisory for "Log4Shell"
2022-01-21 23:25:04
cisco
cisco
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
2021-12-10 18:45:00

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON
Related for AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163
ibm151thn4qualysblog4githubexploit9rapid7blog1securelist1trellix2arista1fedora2openvas4avleonov1ics1symantec1redhat5cisa1threatpost2nvidia1nessus1attackerkb1cert1checkpoint_security1github2osv1cisco1