
Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data (CVE-2021-44228)

2021-12-21 15:35:56
www.ibm.com

CVSS3: 10 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: CHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.975 High (Percentile: 99.9%)

Summary

The Apache Log4j open source library used by IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation and Db2 Graph features. The fix for the vulnerability is to update the log4j library. Updating log4j to version 2.15.0 or higher also addresses CVE-2021-4104.

Vulnerability Details

CVEID: CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Fix pack levels of IBM Db2 On Openshift V11.5 on all platforms, and IBM Db2 and Db2 Warehouse on Cloud Pak for Data 3.5 and 4.0 fix pack levels on all platforms, are affected only if the following features are configured. By default, these features are not configured:

  • Db2 Graph
  • Federation:
      • DVM JDBC wrapper driver
      • NoSQL wrapper driver (for Hadoop)
      • Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64 only)

Remediation/Fixes

Customers running any vulnerable fix pack level of an affected program (V11.5, Cloud Pak for Data 3.5, Cloud Pak for Data 4.0) can download the latest IBM Db2 On Openshift or IBM Db2 and Db2 Warehouse on Cloud Pak for Data fix pack release containing the fix for this issue. These builds are based on the most recent fix pack level of the V11.5.6 release and the Cloud Pak for Data 4.0.3 release, and can be applied to any affected fix pack level of the appropriate release to remediate this vulnerability.

Please note: If the affected release is any fix pack level of Cloud Pak for Data 3.5, you must upgrade to Cloud Pak for Data 4.0, then apply the latest fix pack release.

| Release | Fixed in Fix Pack |
| --- | --- |
| IBM® Db2® On Openshift | v11.5.7.0 |
| IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data | v4.0.4 |

For more information on how to update to a fix pack, refer to the following documentation:

IBM® Db2® On Openshift: <https://www.ibm.com/docs/en/db2/11.5?topic=1156-upgrading-updating>

IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=upgrading>

Workarounds and Mitigations

For the Db2 Federation feature, perform the following:

Edit the Openshift db2uclusters resource of the affected Db2 instance(s).

To list the db2uclusters resources, run: oc get db2uclusters

e.g.: oc edit db2uclusters db2oltp-1639595262124131

Add the following line to the registry section of the resource: DB2_JVM_STARTARGS: "-Dlog4j2.formatMsgNoLookups=true"

Save and Exit

Exec into the Db2 Engine pod and run the following commands in a bash shell as user db2inst1.

e.g., to exec into the Db2 engine pod: oc exec -it c-db2oltp-1234567890-db2u-0 bash

Perform the following commands:

```bash
cat <<'EOF' > /db2u/tmp/apply-db2-settings.sh
#!/bin/bash

[[ -z "${BLUMETAHOME}" ]] && source /etc/profile
[[ -z ${DB2U_TMP} ]] && DB2U_TMP=/db2u/tmp

# Set OS env using the Configmap file
[[ -f ${DB2U_TMP}/os_envar_configmap ]] || \
    /db2u/scripts/update_env_from_configmap.sh --file ${DB2U_TMP}/os_envar_configmap
. ${DB2U_TMP}/os_envar_configmap

su_cmd="/bin/bash -lc"
ipclean_prefix="rah"

### Functions ###
# Returns a list of local database names (Indirect directory entries only)
get_db_list()
{
    local db_list=($(db2 list db directory | grep -B4 -E "[ \t]+Directory.*type[ \t]+=[ \t]+Indirect$" | awk -F'=' '/^[ \t]+Database name[ \t]+=.*/ {print $2}' | sed 's/[ \t]\+//g'))

    echo "${db_list[@]}"
}

# Activates every local database returned by get_db_list
activate_multiple_dbs()
{
    local db_list=($(get_db_list))
    for db in "${db_list[@]}"; do
        db2 -v activate db ${db}
    done
}


# Update the cached copy of the Db2 CMs
${su_cmd} "source /db2u/scripts/include/db2_functions.sh && install_update_configmap_db2cfg_files && update_db2_regvar_file && apply_cfg_setting_to_db2 -all"


# Disable Wolverine HA if not restricted
[[ "X${RESTRICTED}" != "Xtrue" ]] && wvcli system disable -m "Applying db2cfg settings from all configmaps"

# Recycle Db2 to apply Db2 registry settings
${su_cmd} "db2stop force && ${ipclean_prefix} 'ipclean -a'"
${su_cmd} "db2start"

# Re-enable Wolverine HA if not restricted
[[ "X${RESTRICTED}" != "Xtrue" ]] && wvcli system enable -m "Enable HA after applying db2 cfg settings from all configmaps"

# Activate the database
activate_multiple_dbs
EOF

chmod +x /db2u/tmp/apply-db2-settings.sh

/db2u/tmp/apply-db2-settings.sh
```

For the Db2 Graph feature, perform the following:

Exec into the Db2 Graph pod.

e.g.: oc exec -it c-db2oltp-1603819662989-graph-5d4b8b694c-nd4jw bash

Navigate to the /db2graph/gremlin directory.

Edit the gremlin-server.conf file.

In the line JAVA_OPTIONS="-Xms512m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError -DgremlinServerSandbox=conf/sandbox.yaml", add -Dlog4j2.formatMsgNoLookups=true with a leading space just before the final double quote:

i.e. JAVA_OPTIONS="-Xms512m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError -DgremlinServerSandbox=conf/sandbox.yaml -Dlog4j2.formatMsgNoLookups=true"

Run manage restart.

Verify that the argument you provided in gremlin-server.conf was picked up by running ps -ef | grep java and inspecting the arguments.
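Added example, not part of the IBM bulletin: a small bash helper that performs the JAVA_OPTIONS edit above idempotently and then checks ps -ef output for java processes that still lack -Dlog4j2.formatMsgNoLookups=true, which is the verification the last step calls for. The conf line, the ps -ef output and the function names are the example's own constructed assumptions.

```bash
#!/bin/bash
# Added example, not part of the IBM bulletin: helpers for the two manual
# mitigation steps above (editing JAVA_OPTIONS and verifying the running JVM).
# Sample data below is constructed; replace it with the real conf line and
# the real output of `ps -ef` inside the pod.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Append FLAG inside the quotes of a JAVA_OPTIONS="..." line (leading space,
# just before the closing quote). Idempotent: a line that already carries the
# flag, or any other line, is echoed unchanged. Assumes the line starts at
# column 0 with JAVA_OPTIONS= and is double-quoted, as in gremlin-server.conf.
add_flag_to_java_options() {
    local line="$1" body
    case "$line" in
        *"$FLAG"*)          printf '%s\n' "$line" ;;
        JAVA_OPTIONS=\"*\") body=${line%\"}; printf '%s\n' "$body $FLAG\"" ;;
        *)                  printf '%s\n' "$line" ;;
    esac
}

# Inspect `ps -ef` output: every java process must carry FLAG. Lists the
# offending command lines and returns 1 if any lacks it; the grep process
# from `ps -ef | grep java` is ignored.
check_java_procs_have_flag() {
    local missing
    missing=$(printf '%s\n' "$1" | grep -w java | grep -v grep | grep -vF -- "$FLAG") || true
    if [ -n "$missing" ]; then
        printf 'java process(es) without %s:\n%s\n' "$FLAG" "$missing"
        return 1
    fi
    return 0
}

# Constructed samples (shortened ps -ef layout, fake PIDs)
SAMPLE_CONF_LINE='JAVA_OPTIONS="-Xms512m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError -DgremlinServerSandbox=conf/sandbox.yaml"'
SAMPLE_PS_BEFORE='UID      PID PPID C STIME TTY TIME     CMD
db2inst1 101    1 0 10:00 ?   00:00:05 /usr/bin/java -Xms512m -DgremlinServerSandbox=conf/sandbox.yaml conf/gremlin-server.yaml
db2inst1 202  100 0 10:01 ?   00:00:00 grep java'
SAMPLE_PS_AFTER='UID      PID PPID C STIME TTY TIME     CMD
db2inst1 303    1 0 10:05 ?   00:00:02 /usr/bin/java -Xms512m -DgremlinServerSandbox=conf/sandbox.yaml -Dlog4j2.formatMsgNoLookups=true conf/gremlin-server.yaml
db2inst1 404  100 0 10:06 ?   00:00:00 grep java'

add_flag_to_java_options "$SAMPLE_CONF_LINE"
check_java_procs_have_flag "$SAMPLE_PS_BEFORE" || echo "-> restart the server; the mitigation is not active yet"
check_java_procs_have_flag "$SAMPLE_PS_AFTER" && echo "-> mitigation active on every java process"
```

The edit helper only changes a line that begins with JAVA_OPTIONS=, so it can be run over the whole conf file line by line without touching other settings.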
