IBMD9DA80F42942BF2AE861A25807D73FB3CC5278F385F44A69EDF3332A73B6B7A7Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.127 Low
EPSS
Percentile
95.4%
Summary
Multple vulnerabilities exist in Apache log4j that could allow someone to execute arbitrary code on the system. Apache Log4j v1 is used by Cloud Pak System in order to generate logs and diagnostic traces in some of its components; IBM DB2 , IBM Tivoli Monitoring, IBM Spectrum Scale and IBM WebSphere Application Server. IBM Cloud Pak System has addressed these vulnerabilities. This security bulletin applies to Cloud Pak System, Cloud Pak System Software and Cloud Pak System Software Suite.
Vulnerability Details
CVEID:CVE-2022-23307
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-23305
**DESCRIPTION:**Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2022-23302
**DESCRIPTION:**Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-4104
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Systems: W3500, W550 and W4600
Main Product(s) Version(s)
|
Version(s)
|
Affected Supporting Products Version(s)
â|â|â
IBM Cloud Pak System
|
v2.3, v2.3.0.1, v2.3.1.1
|
Notice DB2 LUW 10.5 and DB2 LUW 11.1 end of support as per Withdrawal Announcements 920-049 and 918-138 respectively.
IBM Cloud Pak System
|
v2.3.2.0, v2.3.3.1, v2.3.3.2, v2.3.3.3, v2.3.3.3 interim fix 1
|
DB2. LUW 11.5
IBM Cloud Pak System Software Suite
|
v2.3, v2.3.0.1, v2.3.1.1
|
Notice DB2 LUW 10.5 and DB2 LUW 11.1 end of support as per Withdrawal Announcements 920-049 and 918-138 respectively.
IBM Cloud Pak System Software Suite
|
v2.3.2.0, v2.3.3.1, v2.3.3.2, v2.3.3.3, v2.3.3.3 interim fix 1
|
DB2. LUW 11.5
Remediation/Fixes
For unsupported version/release/platform IBM recommends upgrading to a fixed, supported version of the product.
Apache log4jv1 is vulnerable to CVE-2021-4104 in non default configuration if applications use JMSAppender class which is not the default for Cloud Pak System. Cloud Pak System log4jv1 instances updates to log4j v2.17.1 with IBM Cloud Pak System v2.3.3.4. Cloud Pak System DB2 updated to V11.5.7 special build. Tivoli Monitoring ( ITM) updated to ITM 6.3.0.7 Interim fix 2a, IBM Spectrum Scale (5.0.5.12) ptype 1.2.19.0 and er support for WebSphere Application Server 8.5.5.21 and 9.0.5.11 Was Liberty 22.0.0.3.
IBM strongly recommends addressing the vulnerability by upgrading to the latest fixed supported release of the product.
For IBM Cloud Pak System V2.3.0 through to V2.3.3.3 Interim Fix 1 upgrade to Cloud Pak System V2.3.3.4 at Fix Central
Information on upgrading at : <http://www.ibm.com/support/docview.wss?uid=ibm10887959>
If you are using product pattern type (pType), please refer to the security bulletin for that specific product.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak system | eq | 2.3 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.127 Low
EPSS
Percentile
95.4%