Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104)

www.ibm.com, Jun 07, 2022 - 2:36 p.m.
Aggregator scoring (as displayed by the hosting site; note that it differs from IBM's own base score of 8.1 for this CVE given under Vulnerability Details below, which uses AC:H and S:U):

CVSS3: 10 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope CHANGED, Confidentiality/Integrity/Availability Impact HIGH)

CVSS2: 9.3 High, AV:N/AC:M/Au:N/C:C/I:C/A:C (Access Vector NETWORK, Access Complexity MEDIUM, Authentication NONE, Confidentiality/Integrity/Availability Impact COMPLETE)

EPSS: 0.976 High, Percentile 100.0%

Summary

The Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This bulletin covers the vulnerability in versions of Log4j earlier than 2.0 (the 1.x line); that version of the library is used by the ECM (Text Search) feature. CVE-2021-44228, the critical vulnerability in 2.0 <= log4j <= 2.15.0, is covered in a separate security bulletin. Please see the bulletins for CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for the other issues relating to Log4j V2.

Vulnerability Details

CVEID: CVE-2021-4104
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

The ECM (Text Search Server) feature in all fix pack levels of IBM Db2 V10.5, V11.1, and V11.5, for all server editions on all platforms, is affected.

IBM Db2 V10.1 and V9.7 are not affected.

In the V11.1 release, the Hadoop federation wrapper is also impacted.

Remediation/Fixes

Customers running any vulnerable fix pack level of an affected release (V10.5, V11.1, and V11.5) can download the special build containing the interim fix for this issue from Fix Central. These special builds are based on the most recent fix pack level of each impacted release: V10.5 FP11, V11.1.4 FP6, V11.5.6, and V11.5.7. They can be applied to any affected fix pack level of the appropriate release to remediate this vulnerability.

For ECM (Text Search Server)

Release | Fixed in fix pack | APAR | Download URL
V10.5 | TBD | IT39390 | Special Build for V10.5 FP11 (platforms listed below)
V11.1 | TBD | IT39387 | Special Build for V11.1.4 FP6 (platforms listed below)
V11.5 | TBD | IT39389 | Special Build for V11.5.6 (platforms listed below)
V11.5 | TBD | IT39389 | Special Build for V11.5.7 (platforms listed below)

Special Build for V10.5 FP11, available for:

AIX 64-bit
HP-UX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ big endian
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Solaris 64-bit, SPARC
Solaris 64-bit, x86-64
Windows 32-bit, x86
Windows 64-bit, x86
Inspur

Special Build for V11.1.4 FP6, available for:

AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Solaris 64-bit, SPARC
Windows 32-bit, x86
Windows 64-bit, x86

Special Build for V11.5.6, available for:

AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Windows 32-bit, x86
Windows 64-bit, x86

Note: The 11.5.6 special builds here are the same ones supplied for resolving CVE-2021-44228.

Special Build for V11.5.7, available for:

AIX 64-bit
Linux 32-bit, x86-32
Linux 64-bit, x86-64
Linux 64-bit, POWER™ little endian
Linux 64-bit, System z®, System z9® or zSeries®
Windows 32-bit, x86
Windows 64-bit, x86

Note: The 11.5.7 special builds here are the same ones supplied for resolving CVE-2021-44228.

If you are using Db2 Text Search with rich text filters, then after these special builds are applied you must also upgrade your rich text filters, in addition to Db2 Text Search. The appropriate rich text filters (in this case version 8.5.5) for each Db2 release can be downloaded from the Db2 accessories suite page.

For details, see here.

For Install (Installation Manager)

We recommend that you download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).

Further investigation determined that Installation Manager is not impacted by CVE-2021-4104, because it does not use log4j in a manner that exposes the vulnerability; it does, however, ship the older version of the library.

For V11.1.x, install the Db2 fix listed in the table above for Linux 32-bit, Linux 64-bit, Windows 32-bit and/or Windows 64-bit. This fix replaces the existing log4j jar file with an empty jar file. While the vulnerability is mitigated by this fix, a scan that matches on file names will still report the jar file. Alternatively, you may download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).

For earlier versions, we recommend that you download and install the fix found here to upgrade to the latest version of Installation Manager (IM 1.9.2 or greater).

Workarounds and Mitigations

For ECM (Text Search):

The vulnerable jar can be patched to mitigate the vulnerability by removing the JMSAppender class from it.
Note: Do not issue START/STOP for the Db2 text search server if Db2 text search is not configured.

On Linux and Unix:

Stop the Text Search server: "db2ts stop for text".

Remove the JMSAppender.class file using one of two options. With 'zip', a single command edits the jar in place:

   zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class

If you do not have access to 'zip', you can also use the 'jar' command: unpack the jar, delete the class, and repack it.

   # assume log4j-1.2.17.jar exists in the current directory
   mkdir tmp
   cd tmp
   jar xvf ../log4j-1.2.17.jar
   rm org/apache/log4j/net/JMSAppender.class
   # create (c) a new jar from the remaining files
   jar cvf ../log4j-1.2.17-patched.jar .
   cd ..
   rm log4j-1.2.17.jar
   # keep the original file name so the classpath still resolves
   ln -s log4j-1.2.17-patched.jar log4j-1.2.17.jar
   rm -rf tmp

Start the Text Search server: "db2ts start for text".

On Windows, the Java jar tool can be used from CMD to follow the equivalent of the Unix jar-based steps.

Stop the Text Search server: "db2ts stop for text" in the Db2 command line.
Start the Windows CMD program and go to the SQLLIB\db2tss\lib directory under the installation path, e.g. "cd C:\Program Files\IBM\SQLLIB\db2tss\lib".
Make a copy of the log4j-1.2.17.jar file, e.g. "copy log4j-1.2.17.jar log4j-1.2.17.jar.bak".
Make a new directory, e.g. "mkdir tmp".
Change to the new directory, e.g. "cd tmp".
Extract the jar file using the jar program from the JDK in the SQLLIB\java path, e.g. "..\..\..\java\jdk\bin\jar xvf ..\log4j-1.2.17.jar".
Delete the JMSAppender.class file, e.g. "del org\apache\log4j\net\JMSAppender.class".
Package the files back into a new jar (note the "c" create option, not "x"), e.g. "..\..\..\java\jdk\bin\jar cvf ..\log4j-1.2.17-patched.jar .".
Replace log4j-1.2.17.jar with log4j-1.2.17-patched.jar, e.g. "cd ..", "del log4j-1.2.17.jar", "ren log4j-1.2.17-patched.jar log4j-1.2.17.jar".
Clean up the "tmp" folder.
Start the Text Search server: "db2ts start for text" in the Db2 command line.
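The following is an added example and not part of the IBM bulletin or IBM's tooling. It applies the mitigation above (drop org/apache/log4j/net/JMSAppender.class from the log4j 1.2 jar) with Python's zipfile module instead of zip/jar, and adds the two checks the Vulnerability Details imply: whether a log4j 1.x jar still contains the appender class, and whether a log4j.properties or log4j.xml actually configures JMSAppender. It classifies jars by their contents rather than their file name, so the empty stub jar that the Installation Manager fix leaves behind is reported as a stub rather than a finding. The directory layout, file names and class bytes in the sample tree are constructed for the demo and do not represent a real Db2 install.

```python
"""Added example (not IBM's code): audit a tree for CVE-2021-4104 and apply the
bulletin's mitigation with zipfile instead of 'zip -d' / 'jar'.
Paths are hypothetical; the sample tree is constructed for the demo.
"""
import os
import re
import shutil
import tempfile
import zipfile

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
JMS_FQCN = "org.apache.log4j.net.JMSAppender"

def is_log4j1_jar(path):
    """True if the jar carries log4j 1.x classes (1.x has org/apache/log4j/Category.class)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return "org/apache/log4j/Category.class" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def has_jms_appender(path):
    """True if the jar still ships the appender class that CVE-2021-4104 depends on."""
    with zipfile.ZipFile(path) as zf:
        return JMS_CLASS in zf.namelist()

def strip_jms_appender(path):
    """Rewrite the jar without JMSAppender.class, keeping a .bak copy. Returns entries removed."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    removed = 0
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(path, "w") as dst:
        for info in src.infolist():
            if info.filename == JMS_CLASS:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))  # keeps each entry's compression and timestamp
    return removed

def config_uses_jms_appender(text):
    """True if a log4j 1.x properties or XML config references JMSAppender (comments ignored)."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    live = [ln for ln in text.splitlines() if not ln.lstrip().startswith(("#", "!"))]
    return any(JMS_FQCN in ln for ln in live)

def audit(root):
    """Walk root; classify log4j jars by content and flag configs that enable JMSAppender."""
    found = {"vulnerable_jars": [], "patched_jars": [], "stub_jars": [], "jms_configs": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if name.endswith(".jar"):
                if is_log4j1_jar(p):
                    key = "vulnerable_jars" if has_jms_appender(p) else "patched_jars"
                elif name.startswith("log4j-1."):
                    key = "stub_jars"  # log4j-named jar with no log4j classes, e.g. the IM empty jar
                else:
                    continue
                found[key].append(p)
            elif name in ("log4j.properties", "log4j.xml"):
                with open(p, encoding="utf-8", errors="replace") as fh:
                    if config_uses_jms_appender(fh.read()):
                        found["jms_configs"].append(p)
    return found

def build_sample_tree(root):
    """Constructed stand-in for a Db2 install (hypothetical layout, fake class bytes)."""
    tss = os.path.join(root, "sqllib", "db2tss", "lib")
    os.makedirs(tss)
    jar = os.path.join(tss, "log4j-1.2.17.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for cls in ("org/apache/log4j/Category.class", JMS_CLASS):
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    with open(os.path.join(tss, "log4j.properties"), "w", encoding="utf-8") as fh:
        fh.write("log4j.rootLogger=INFO, jms\n"
                 "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    im = os.path.join(root, "InstallationManager", "plugins")
    os.makedirs(im)
    with zipfile.ZipFile(os.path.join(im, "log4j-1.2.15.jar"), "w"):
        pass  # empty jar: what the IM fix for V11.1.x leaves in place of the library
    return jar

def demo():
    """Audit before and after patching; returns (before, after, entries_removed)."""
    root = tempfile.mkdtemp(prefix="cve-2021-4104-")
    try:
        jar = build_sample_tree(root)
        before = audit(root)
        removed = strip_jms_appender(jar)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after, removed

if __name__ == "__main__":
    before, after, removed = demo()
    print("before:", {k: len(v) for k, v in before.items()})
    print("removed", removed, "entry; after:", {k: len(v) for k, v in after.items()})
```

Run it as a script to see the before/after counts; point audit() at a real Db2 installation path to check your own hosts. A config hit together with a vulnerable jar is the combination the bulletin describes; a config hit against a patched jar means log4j will fail to load the appender, which is worth knowing before the Text Search server is restarted.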

For version 11.1 on Linux and Unix platforms only (not on Windows), the log4j-1.2.17.jar file under "/opt/IBM/db2/V11.1/federation/restservice/hadoop" in the Db2 installation location may be safely removed.

Subsequent installation of fix packs may then fail with the error:

ERROR: Some error occurred while moving files during backup or restore to directory, "/opt/IBM/db2/<version>/.backup". The return code is "4394967295".

To resolve this, apply the fix pack with the -f nobackup flag.

This file does not exist on Db2 versions prior to 11.1.
