History: Oct 14, 2022 - 10:12 p.m.

Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)

2022-10-14 22:12:34
www.ibm.com

10 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High (CVSS2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

0.976 High (EPSS)

Percentile: 100.0%

Summary

There are multiple Apache Log4j (CVE-2021-45105, CVE-2021-45046) vulnerabilities impacting IBM InfoSphere Information Server which uses Apache Log4j for logging. The fix upgrades Apache Log4j to version 2.17.0.

Vulnerability Details

CVEID: CVE-2021-45105
**DESCRIPTION:** Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Note: Subsequently, it was determined that InfoSphere Information Server is not vulnerable to this vulnerability.

CVEID: CVE-2021-45046
**DESCRIPTION:** Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and achieve remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
—|—
IBM InfoSphere Information Server, Information Server on Cloud | 11.7
IBM InfoSphere Information Server, Information Server on Cloud | 11.5
IBM InfoSphere Information Server | 11.3

Information Server 11.5 and 11.3 are affected. Both releases are past end of service.

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product | VRMF | APAR | Remediation
—|—|—|—
InfoSphere Information Server, Information Server on Cloud | 11.7 | JR64446 | Apply IBM InfoSphere Information Server version 11.7.1.0; apply IBM InfoSphere Information Server version 11.7.1.3; apply Information Server 11.7.1.3 Service pack 2
InfoSphere Information Server, Information Server on Cloud | 11.5 | JR64446 | Upgrade to a fixed release
InfoSphere Information Server | 11.3 | JR64446 | Upgrade to a fixed release

Note:

1. You should also apply the fix for other components (WebSphere Application Server, Db2, etc.) in your environment. See the Related information section for relevant bulletins; however, it is best to check the IBM PSIRT blog for any updated information from these components.

2. Information Server saves prior versions of jar files to facilitate patch rollbacks and uninstall of components:
a. In the Updates folder within your Information Server location, for each patch installed, a patch folder is created with the name of the patch. The patch folder contains copies of files that are replaced during the patch install. The patch folder name is based on the name of the patch which can be seen in the History section of your Version.xml. The files in this folder are used by the Update installer to roll back a patch installation; they are not needed while Information Server is used.
b. Each time the Update Installer is updated, the jar files used by the Update Installer that have changed are saved in a new lib.<timestamp> folder within the Updates folder.
c. The _uninstall folder contains files that are only used while uninstalling Information Server components.

For Apache Log4j related patches, the prior vulnerable versions of Apache Log4j could be present within such folders.
If you want to remove such Apache Log4j files from the system, take a backup of such a folder and then purge the folder.

An appropriate backup of the patch folder must be restored before any subsequent patch rollback attempt.
Likewise, an appropriate backup of the files in _uninstall must be restored before any subsequent uninstall action.

3. The fix previously provided in <https://www.ibm.com/support/pages/node/6527372> also fixes CVE-2021-45046.

4. Subsequently, it was determined that InfoSphere Information Server is not vulnerable to CVE-2021-45105.

5. (April 27, 2022) In some configurations (such as when the Services tier is separate), Service Pack 3 might not upgrade all files. For that situation, Service Pack 4 should be installed. You can check your Services tier to see whether any log4j jars with version older than 2.17.1 are present.

6. (October 14, 2022) Some open source components' usage of log4j version 1 was addressed in Information Server 11.7.1.4.
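As an added example (not IBM's tooling and not part of the bulletin), the check from note 5 as a POSIX shell script: it walks an Information Server install tree, including the Updates, lib.<timestamp> and _uninstall folders described in note 2, and reports every Log4j jar whose file-name version is older than 2.17.1. The IS_HOME variable and its default path are assumptions; jars without a version in their name are reported as unknown so they can be inspected by hand.

```shell
#!/bin/sh
# Added example, not IBM code. Flags Log4j jars older than 2.17.1 under an
# Information Server install. IS_HOME default is an assumed placeholder path.
IS_HOME="${IS_HOME:-/opt/IBM/InformationServer}"

# version_lt A B: succeed when dotted version A is numerically older than B
# (up to three components; a missing component counts as 0)
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# jar_version PATH: print the version embedded in a jar name such as
# log4j-core-2.13.3.jar or log4j-1.2.17.jar; print nothing if there is none
jar_version() {
    basename "$1" .jar | sed -n 's/.*-\([0-9][0-9.]*\)$/\1/p'
}

# classify_jar PATH: "old" (below 2.17.1, including Log4j 1.x from note 6),
# "ok" (2.17.1 or newer) or "unknown" (no version in the file name)
classify_jar() {
    v=$(jar_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if version_lt "$v" 2.17.1; then echo old; else echo ok; fi
}

# scan_log4j DIR: one "<class>\t<path>" line per log4j*.jar found anywhere
# below DIR, which covers Updates/<patch>, Updates/lib.<timestamp>, _uninstall
scan_log4j() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | while read -r jar; do
        printf '%s\t%s\n' "$(classify_jar "$jar")" "$jar"
    done
}

# count_old DIR: number of jars classified as old (the number to drive to zero)
count_old() {
    scan_log4j "$1" | grep -c '^old'
}

scan_log4j "$IS_HOME"
```

Review any jar reported as old against the bulletin's backup-then-purge guidance in note 2 before deleting it, since the Update installer needs those copies for a rollback.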

Workarounds and Mitigations

CVE-2021-45105
None. However, InfoSphere Information Server is not vulnerable to this vulnerability.

CVE-2021-45046
Note:
1. Even though the vulnerability can be mitigated, we strongly recommend applying the fix on top of 11.7.1.3.
**2. It is imperative that the mitigation or fix be applied as soon as possible.**
Use the mitigation steps provided in the Workarounds and Mitigations section of <https://www.ibm.com/support/pages/node/6527372> to mitigate this issue. You do not have to repeat the steps.
