
Security Bulletin: Sterling Order Management and vulnerability in Apache Log4j2 Library (CVE-2021-44228)

2022-05-23 20:51:07
www.ibm.com

10 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High (EPSS)
Percentile: 100.0%

Abstract

Is Sterling Order Management affected by CVE-2021-44228?

Content

IBM is aware of a recently surfaced vulnerability, CVE-2021-44228, in Apache log4j 2.0 to 2.14.1 and has determined that some Sterling Order Management components are impacted. The following is a summary of the impacted OMS components and the associated mitigation plan.

| Components | Current log4j Version | Impacted by CVE-2021-44228? | Immediate Mitigation Plan | Latest Status |
|---|---|---|---|---|
| Sterling Order Management SaaS, On-prem and Certified Containers (including Store Engagement & Call Center) | v1.x | No (the previous version in use was not impacted) | Upgraded to v2.17.1 on Mar 31st, 2022 (both SaaS and On-prem) | Sterling Order Management SaaS: upgraded to v2.17.1 as part of 22.1 Minor Update 1; Sterling Order Management On-prem: upgraded to v2.17.1 as part of Fix Pack 30 |
| Inventory Visibility Microservice | v2.14.0 | Yes | Upgraded to v2.15.0 on Dec 13th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| Promising Microservice | v2.13.3 | Yes | Upgraded to v2.15.0 on Dec 13th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| OMS Data Exchange Service | v2.11.1 | Yes | Upgraded to v2.15.0 on Dec 13th, 2021 | Upgraded to v2.17.0 on Jan 12th, 2022 |
| Store Inventory Management Microservice | v2.13.1 | Yes | Upgraded to v2.15.0 on Dec 14th, 2021 | Upgraded to v2.17.0 on Jan 12th, 2022 |
| Order Hub | v2.13.1 | Yes | Upgraded to v2.15.0 on Dec 14th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| Sterling Fulfillment Optimizer (SFO) | v2.14.0 | Yes | Upgraded to v2.15.0 on Dec 14th, 2021 | Upgraded to v2.17.0 on Jan 13th, 2022 |
| CPQ: Omni-Configurator and VM | v2.14.0 (v10); v1.x (v9.5) | v10: Yes; v9.5: No | Upgraded to v2.15.0 as part of VMOC FP23, released on Dec 15th, 2021 | Upgraded to v2.17.0 as part of VMOC FP24, released on Jan 7th, 2022 |
| CPQ: Field Sales Application | v1.x | No (the current version in use is not impacted) | NA | As part of the standard stack upkeep policy, IBM will upgrade the log4j version to v2.17.0 (or higher) by 1H 2022. NOTE: the latest Fix Pack will be required to obtain this upgrade. |

Note:

1. For any underlying software/middleware used in your implementation, please work with the respective vendors to understand the impact and next steps.

2. Log4j v2.15 sets log4j2.formatMsgNoLookups to true by default and thereby resolves CVE-2021-44228 completely.

Log4j has released version v2.16, which contains 2 additional improvements on top of the v2.15 changes:

(1) disables JNDI by default

(2) removes support for Lookups in messages.
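An added inventory check, not part of IBM's bulletin, that applies the affected range (log4j 2.0 to 2.14.1) and the upgrade target (v2.17.0 or higher) stated above to the version strings in the component table; the function names and the inventory rows are constructed for this example:

```python
"""Classify log4j 2.x versions against the affected range this bulletin
gives (Apache log4j 2.0 to 2.14.1) and the upgrade target it lists.
Example written for this bulletin; version strings are copied from the
component table, all other names are assumptions."""
from typing import Optional, Tuple

AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
TARGET_MIN = (2, 17, 0)   # "v2.17.0 (or higher)" per the bulletin


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v2.14.0' or '2.17.1' into a comparable tuple.
    Non-numeric strings such as 'v1.x' (the log4j 1 line) or
    pre-release tags like '2.0-beta9' return None."""
    parts = text.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0, 0, 0]
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True when the version is inside the bulletin's affected range."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return False           # log4j 1.x: bulletin lists it as not impacted
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def meets_target(version: str) -> bool:
    """True when the version reaches the v2.17.0 (or higher) target."""
    v = parse_version(version)
    return v is not None and v >= TARGET_MIN


def assess(component: str, current: str, latest: str) -> dict:
    return {"component": component,
            "affected": is_affected(current),
            "remediated": meets_target(latest)}


# Rows taken from the table above (constructed inventory, not an SBOM).
INVENTORY = [
    ("Sterling Order Management SaaS/On-prem", "v1.x", "v2.17.1"),
    ("Inventory Visibility Microservice", "v2.14.0", "v2.17.0"),
    ("OMS Data Exchange Service", "v2.11.1", "v2.17.0"),
    ("CPQ: Omni-Configurator (v10)", "v2.14.0", "v2.17.0"),
    ("CPQ: Field Sales Application", "v1.x", "v1.x"),
]


def report() -> list:
    return [assess(*row) for row in INVENTORY]
```

Unparseable strings are reported as "not affected", so an inventory containing pre-release or unknown versions should be reviewed by hand rather than trusted on this output alone.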

Related Information

CVE-2021-44228 - Debian

CVE-2021-44228 - mitre.org

CVE-2021-44228 - National Vulnerability Database

CVE-2021-44228 - GitHub Advisory Database

Comments on the CVE-2021-44228 vulnerability

Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application …

Does IBM MQ ship Apache Log4J?

Security Bulletin: IBM MQ Blockchain bridge dependencies are vulnerable to an i…

Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® …

Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-4…


| CPE Name | Operator | Version |
|---|---|---|
| sterling order management | eq | any |
