Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23305)

Summary

IBM Operations Analytics Predictive Insights is affected by the Apache Log4j vulnerability through the JDBCAppender in Log4j 1.2.x which accepts a SQL statement as a configuration parameter. When JDBCAppender is specifically configured to use, malicious values could be inserted. This allows attackers to exploit this vulnerability by entering crafted SQL strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed on the system.

Vulnerability Details

CVEID:CVE-2022-23305
**DESCRIPTION:**Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Apache Log4j 1.2 reached the end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

To do that please use the instructions and full details from the README that’s in the IBM Operations Analytics Predictive Insights iFix6 tarball, and follow with the upgrade to IBM Operations Analytics Predictive Insights iFix6.

IBM Operations Analytics Predictive Insights iFix6 tarball is available here.

Workarounds and Mitigations

none