History: Jun 22, 2023 - 11:45 a.m.

Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228)

2023-06-22 11:45:26
www.ibm.com

CVSS v3 base score: 10 (High)

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

CVSS v2 base score: 9.3 (High)

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |

EPSS: 0.976 (High), percentile 100.0%

Summary

Apache Log4j is used for logging in multiple components of the IBM Cloud Pak System (CPS) appliance: Logstash, VMware vCenter, IBM Hardware Management Console and product pattern type (pType). Arbitrary code execution vulnerabilities have been identified in Apache Log4j.

Vulnerability Details

CVEID: CVE-2021-45046
**DESCRIPTION:** Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments, and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
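As an added illustration of the condition CVE-2021-45046 describes (example code written for this page, not from the bulletin or from IBM), the following Python check flags a `log4j-core` jar older than the 2.17.1 level named in the remediation section together with a PatternLayout that applies a Context Lookup to Thread Context Map data. The sample configuration and jar listing are constructed, and the check assumes an XML Log4j 2 configuration whose `PatternLayout` carries a `pattern` attribute.

```python
import re
from typing import Dict, List, Optional

# Constructed log4j2.xml fragment (not from the bulletin): a non-default
# PatternLayout that interpolates a Thread Context Map (MDC) value with a
# Context Lookup, which is the configuration CVE-2021-45046 requires.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} $${ctx:loginId} %-5level %msg%n"/>
    </Console>
  </Appenders>
</Configuration>"""

# Constructed jar listing, as collected from an appliance's classpath.
SAMPLE_JARS = ["log4j-core-2.14.1.jar", "log4j-api-2.14.1.jar",
               "log4j-1.2.17.jar", "log4j-core-2.17.1.jar"]

FIXED_VERSION = (2, 17, 1)  # fixed Log4j 2 level named in the remediation section
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")  # ${ctx:key} or the lazy $${ctx:key}
PATTERN_ATTR = re.compile(r'<PatternLayout\b[^>]*\bpattern="([^"]*)"', re.I)
CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
V1_JAR = re.compile(r"^log4j-1\.\d+\.\d+\.jar$")  # Log4j 1.x, CVE-2021-4104


def find_ctx_lookups(config_xml: str) -> List[str]:
    """Return each PatternLayout pattern that embeds a Context Lookup."""
    return [p for p in PATTERN_ATTR.findall(config_xml) if CTX_LOOKUP.search(p)]


def core_jar_is_vulnerable(jar_name: str) -> Optional[bool]:
    """True if a log4j-core jar is older than 2.17.1; None if not log4j-core."""
    m = CORE_JAR.match(jar_name)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


def assess(config_xml: str, jar_names: List[str]) -> Dict[str, object]:
    """Join the version check with the layout check that CVE-2021-45046 needs."""
    patterns = find_ctx_lookups(config_xml)
    old_core = [j for j in jar_names if core_jar_is_vulnerable(j)]
    return {
        "ctx_lookup_patterns": patterns,
        "old_core_jars": old_core,
        "log4j1_jars": [j for j in jar_names if V1_JAR.match(j)],
        # both an unfixed log4j-core and the Context Lookup layout are required
        "cve_2021_45046_exposed": bool(old_core and patterns),
    }
```

The version threshold is the single fixed level this bulletin names; a jar from another Log4j 2 maintenance branch should be judged against the vendor's guidance for that branch rather than this comparison alone.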

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Cloud Pak System Software Suite | 2.3.3.0 |
| IBM Cloud Pak System | 2.3 |
| IBM Cloud Pak System | 2.3.1.1, 2.3.2.0 |

Remediation/Fixes

For unsupported versions, releases, or platforms, IBM recommends upgrading to a fixed, supported version of the product.

In response to this vulnerability, IBM Cloud Pak System delivered the following fixed releases together with the supporting products:

- For Logstash: IBM Cloud Pak System v2.3.3.4 updates the plugin to Logstash v7.16.3.
- For the Spectrum Scale pattern type (pType): IBM Cloud Pak System v2.3.3.4 updates the pType to include Spectrum Scale 5.0.5.12.
- For vCenter: IBM Cloud Pak System v2.3.3.5 updates the vCenter image to vCenter 6.7 U3q.
- For the Hardware Management Console (HMC): IBM Cloud Pak System v.3.3.3.7 updates the HMC Power Image 8.7.0 Service Pack 3 to include Log4j 2.17.1.
- For Cloud Pak System instances in which Log4j v1 (CVE-2021-4104) occurrences were found, Cloud Pak System updates those instances to Log4j 2.17.1.

IBM strongly recommends addressing the vulnerability now.

For IBM Cloud Pak System V2.3.0 through V2.3.3.4, upgrade to IBM Cloud Pak System V2.3.3.5 for Intel at Fix Central.

For IBM Cloud Pak System V2.3.1.1 and V2.3.2.0, upgrade to IBM Cloud Pak System V2.3.3.7 for Power, which ships (target availability June 23, 2023) at Fix Central.

Information on upgrading: <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None.

| CPE Name | Operator | Version |
| --- | --- | --- |
| | eq | 2.3 |
| | eq | 2.2 |
