Lucene search

IBMCB1A96B060B639265D7CCD4E0C186EA367A7C82E1756FDF32E57D9F350AD3873

HistoryJan 07, 2022 - 6:19 p.m.

Security Bulletin: Apache Log4j vulnerabilities in IBM WebSphere Application Server impact IBM Engineering Lifecycle Management (ELM) products based on IBM Jazz technology

2022-01-0718:19:37

www.ibm.com

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

JSON

Summary

There are multiple vulnerabilities from Apache Log4j (CVE-2021-4104, CVE-2021-45046) that affect IBM WebSphere Application Server that affect IBM Engineering Products based on IBM Jazz technology.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s)	Version(s)
Collaborative Lifecycle Management (CLM)	6.0.6, 6.0.6.1
Rational Team Concert (RTC)	6.0.6, 6.0.6.1
Rational DOORS Next Generation (RDNG)	6.0.6, 6.0.6.1
Rational Quality Manager (RQM)	6.0.6, 6.0.6.1
Engineering Lifecycle Management (ELM)	7.0, 7.0.1, 7.0.2
IBM Engineering Workflow Management (EWM)	7.0, 7.0.1, 7.0.2
IBM Engineering Requirements Management DOORS Next (DOORS Next)	7.0, 7.0.1, 7.0.2
IBM Engineering Workflow Management (EWM)	7.0, 7.0.1, 7.0.2
Global Configuration Management (GCM)	6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by taking the steps below:

There are multiple vulnerabilities in Apache Log4j (CVE-2021-4104, CVE-2021-45046), which is used by different versions of IBM WebSphere Application Server (WAS). If you integrate any of the IBM Jazz Team Server-based products and versions (6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2) listed above, you will want to review and apply the following IBM WebSphere Application Server (WAS) remediation guidance.

Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)

Workarounds and Mitigations

None

CPENameOperatorVersion
rational doors next generationeq6.0.6
rational doors next generationeq7.0.2
rational team concerteq6.0.6
rational team concerteq7.0.2
rational rhapsody design managereq6.0.6
rational rhapsody design managereq7.0.2
rational quality managereq6.0.6
rational quality managereq7.0.2
rational collaborative lifecycle managementeq6.0.6
rational collaborative lifecycle managementeq7.0.2

Name	Operator	Version
rational doors next generation	eq	6.0.6
rational doors next generation	eq	7.0.2
rational team concert	eq	6.0.6
rational team concert	eq	7.0.2
rational rhapsody design manager	eq	6.0.6
rational rhapsody design manager	eq	7.0.2
rational quality manager	eq	6.0.6
rational quality manager	eq	7.0.2
rational collaborative lifecycle management	eq	6.0.6
rational collaborative lifecycle management	eq	7.0.2