
Security check - CVE-2021-44228

Ivica Simic (513) | asked Dec 11 '21, 10:34 a.m.
edited Dec 17 '21, 8:23 a.m. by Ralph Schoon (60.5k33643)

Is CLM affected by this CVE-2021-44228? It scored 10.

5 answers

Ralph Schoon (60.5k33643) | answered Dec 11 '21, 2:58 p.m.
edited Dec 11 '21, 3:00 p.m.

IBM is actively monitoring this kind of stuff and is announcing security issues with products as soon as possible.

A forum like this forum is NOT a safe place to get this kind of information. I could answer that there is no issue while being completely unaware of what this is about.

ELM uses log4j, but I do not have the knowledge or the capability to answer if the servers are affected. Apparently the attacker has to be able to create certain names that are then used in the logs. Not sure they can enforce that. Wait for the IBM CERT team to assess this.

Bartosz Chrabski (3.3k12141) | answered Dec 12 '21, 10:17 a.m.
edited Dec 12 '21, 10:17 a.m.

I suggest opening an IBM PMR the official way, because no software vendor wants to discuss security concerns on public forums.

Based on the log4j documentation and the issues that were discussed everywhere during the weekend, the issue is more related to the Application Server and the Java that IBM ELM is using.

As we did an initial investigation for WAS, it seems that adding a Java Virtual Machine property called log4j.formatMsgNoLookups with the value true mitigates the problem.

Additionally, com.sun.jndi.ldap.object.trustURLCodebase should be set to false by default.

Ivica Simic commented Dec 12 '21, 12:32 p.m.

I posted here while waiting for a response on the PMR. Thank you for your comments, I appreciate it.

Bartosz Chrabski commented Dec 12 '21, 12:39 p.m.

I think a lot of people will do the same on Monday, especially those using the cloud solution.

Ralph Schoon commented Dec 12 '21, 1:17 p.m.

Thanks Bartosz,

appreciate your contribution! Like so often. Thanks!!

Tadeusz Janasiewicz commented Dec 13 '21, 2:33 a.m.

Hi Bartosz,

You can find more details here:

Best regards,

Bartosz Chrabski (3.3k12141) | answered Dec 13 '21, 4:52 a.m.
edited Dec 17 '21, 8:20 a.m.

It seems that this issue is not relevant to all ELM Apps, as the log4j used on the platform is version 1.2 and the affected log4j is version >= 2.

The only application that seems to be impacted is DNG, which is using loggers in v2.

Bartosz Chrabski (3.3k12141) | answered Dec 17 '21, 8:21 a.m.

Please be aware, before you install any patches or take any actions, that 2.15 is affected as well.
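As an added example that is not part of this thread or of IBM ELM, a Python check a defender can run against an ELM or WAS installation directory to inventory log4j jars along the lines the answers above describe: 1.x jars are reported as a different codebase, 2.x jars at 2.15 or below are reported as affected, and the presence of the JndiLookup class (the Log4j 2 plugin that performs the JNDI lookup) is recorded. It also checks a JVM argument string for the two properties from Bartosz's answer, using the property name `log4j2.formatMsgNoLookups` that Log4j 2 reads; the sample jars are constructed in a temporary directory, and jars nested inside ear/war archives are not opened.

```python
import os
import re
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries version=
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the JNDI lookup plugin
LAST_AFFECTED = (2, 15)  # per the thread: 1.x is another codebase, 2.15 is still affected

def jar_version(jar):
    """Version tuple from pom.properties, falling back to the jar file name."""
    if POM in jar.namelist():
        m = re.search(rb"^version=([\d.]+)", jar.read(POM), re.M)
        if m:
            return tuple(int(x) for x in m.group(1).decode().split("."))
    m = re.search(r"log4j(?:-core)?-(\d+(?:\.\d+)+)\.jar$", os.path.basename(jar.filename))
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def classify(path):
    """Return (path, version, status) for one jar."""
    with zipfile.ZipFile(path) as jar:
        version, has_lookup = jar_version(jar), JNDI_LOOKUP in jar.namelist()
    if version is None:
        return path, None, "unknown"
    if version[0] < 2:
        return path, version, "log4j-1.x (different codebase)"
    if version[:2] <= LAST_AFFECTED:
        return path, version, "affected" if has_lookup else "affected version, JndiLookup absent"
    return path, version, "newer than 2.15"

def scan_jars(root):
    """Classify every *.jar under root (jars nested inside ears/wars are not opened)."""
    return [classify(os.path.join(d, f)) for d, _, fs in os.walk(root)
            for f in sorted(fs) if f.endswith(".jar")]

def check_jvm_args(args):
    """Report whether the two JVM properties named in the answer are present."""
    return {"formatMsgNoLookups": "-Dlog4j2.formatMsgNoLookups=true" in args,
            "trustURLCodebase": "-Dcom.sun.jndi.ldap.object.trustURLCodebase=false" in args}

def make_sample_tree():
    """Constructed sample data: a 2.14.1 log4j-core jar and a 1.2.17 jar in a temp dir."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as jar:
        jar.writestr(POM, "version=2.14.1\n")
        jar.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
    return root
```

Run `scan_jars` against the real installation root instead of `make_sample_tree()`; a jar reported as "unknown" has neither pom.properties nor a versioned file name and needs a manual look.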

David Honey (7606) | answered Dec 17 '21, 9:37 a.m.

Jazz developers, please do not make any statements regarding this - the information must only come from the official IBM PSIRT channels.
