Apache Log4j, which is used by and included with IBM Watson Machine Learning Accelerator, contains the security vulnerability CVE-2021-44228. This bulletin provides mitigations for the Log4Shell vulnerability (CVE-2021-44228) by applying workaround steps to IBM Watson Machine Learning Accelerator.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Product(s) | Version(s) |
---|---|
PowerAI Enterprise | 1.2.1 |
IBM Watson Machine Learning Accelerator | 1.2.3 |
PowerAI Enterprise | 1.2.2 |
A patch will be released once available.
This document provides mitigations for the reported CVE-2021-44228 vulnerability by applying workaround steps to IBM Watson Machine Learning Accelerator.
Environment:
Linux x86_64, ppc64le
Workaround and mitigation steps:
Note: For IBM Watson Machine Learning Accelerator version 1.2.1, you must install the Interim fix 536919.
Refer to the details documented here: <https://www.ibm.com/docs/en/wmla/1.2.1?topic=accelerator-interim-fixes>
1. Apply the fix of “Vulnerability in Apache Log4j addressed in IBM Spectrum Conductor” by following the security bulletin: <https://www.ibm.com/support/pages/node/6526754>
2. Log on to the primary host as the cluster administrator and stop the dlpd service:
> source installation_top/profile.platform
> egosh user logon -u Admin -x Admin_password
> egosh service stop dlpd
3. Log on to each management host and remove the following class from the jar files:
For IBM Watson Machine Learning Accelerator version 1.2.1:
zip -q -d $EGO_TOP/dli/1.2.3/dlpd/lib/log4j-core-2.7.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For IBM Watson Machine Learning Accelerator version 1.2.2:
zip -q -d $EGO_TOP/dli/1.2.4/dlpd/lib/log4j-core-2.7.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For IBM Watson Machine Learning Accelerator version 1.2.3:
zip -q -d $EGO_TOP/dli/1.2.5/dlpd/lib/log4j-core-2.7.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
4. Log on to the primary host as the cluster administrator and start the dlpd service:
> source installation_top/profile.platform
> egosh user logon -u Admin -x Admin_password
> egosh service start dlpd