Security check - CVE-2021-44228
Ivica Simic (51●7)
asked Dec 11 '21, 10:34 a.m.
edited Dec 17 '21, 8:23 a.m. by Ralph Schoon (63.1k●3●36●46)
Is CLM affected by this CVE-2021-44228? It scored 10.
5 answers
David Honey (1.8k●1●7)
answered Dec 17 '21, 9:37 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
The official status is described at https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/?_ga=2.50033510.1513919312.1639386197-2119267424.1628078537
Jazz developers, please do not make any statements regarding this - the information must only come from the official IBM PSIRT channels.
Please be aware, before you install any patches or take any action, that 2.15 is affected as well.
Ivica,
It seems that this issue is not relevant to all ELM apps, as the log4j used on the platform is version 1.2 and the affected log4j is version >= 2.
The only application that seems to be impacted is DNG, which is using loggers in v2.
Ivica,
I suggest opening an IBM PMR the official way, because no software vendor wants to discuss security concerns on public forums.
Based on the log4j documentation and the issues that were discussed everywhere during the weekend, the issue is more related to the application server and Java that IBM ELM is using.
As we did an initial investigation for WAS, it seems that adding the Java Virtual Machine property called log4j.formatMsgNoLookups with the value true mitigates the problem.
Additionally, com.sun.jndi.ldap.object.trustURLCodebase should be set to false by default.
Comments
Ivica Simic
commented Dec 12 '21, 12:32 p.m.
I posted here while waiting for a response on the PMR. Thank you for your comments, I appreciate it.
Bartosz Chrabski
commented Dec 12 '21, 12:39 p.m.
I think a lot of people will do the same on Monday, especially those using the cloud solution.
Thanks Bartosz,
appreciate your contribution! Like so often. Thanks!!
Tadeusz Janasiewicz
commented Dec 13 '21, 2:33 a.m.
Hi Bartosz,
You can find more details here:
Best regards,
Tad
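Added example, not from the thread or from IBM: POSIX shell helpers for triaging the JVM-property mitigation described in the answer above. The property Log4j 2 actually reads is log4j2.formatMsgNoLookups (with the 2, unlike the spelling in the answer) and it is only honoured from 2.10 up to 2.14.1; the jar paths, option strings and function names below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the forum thread or from IBM). Helpers for triaging
# the JVM-property mitigation discussed above; all paths and option strings
# used at the bottom are constructed samples.

# Print "major.minor.patch" from a log4j-core jar file name; print nothing for
# any other jar (including log4j 1.2.x, which the thread says ELM uses).
log4j_core_version() {
  basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Classify a Log4j 2 version for this CVE and the formatMsgNoLookups property:
#   fixed        2.16.0 and later (message lookups removed)
#   partial      2.15.0 (still affected, as the thread notes)
#   flag-ok      2.10.0 .. 2.14.1: -Dlog4j2.formatMsgNoLookups=true is honoured
#   flag-useless 2.0 .. 2.9.x: the property is ignored, upgrade instead
log4j_risk() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" != 2 ]; then echo not-2.x
  elif [ "$minor" -ge 16 ]; then echo fixed
  elif [ "$minor" -eq 15 ]; then echo partial
  elif [ "$minor" -ge 10 ]; then echo flag-ok
  else echo flag-useless
  fi
}

# Inspect a JVM generic-arguments string for the two properties named in the
# answer. Prints "ok", or a space-separated list of findings.
jvm_opts_check() {
  findings=""
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) ;;
    *) findings="$findings missing:log4j2.formatMsgNoLookups=true" ;;
  esac
  case " $1 " in
    *"-Dcom.sun.jndi.ldap.object.trustURLCodebase=true"*)
      findings="$findings bad:trustURLCodebase=true" ;;
  esac
  if [ -n "$findings" ]; then echo "${findings# }"; else echo ok; fi
}

# Constructed sample inputs (not from a real ELM install).
for jar in /opt/app/lib/log4j-1.2.17.jar /opt/app/lib/log4j-core-2.14.1.jar; do
  v=$(log4j_core_version "$jar")
  if [ -n "$v" ]; then echo "$jar: log4j-core $v -> $(log4j_risk "$v")"; fi
done
jvm_opts_check "-Xmx4g -Dlog4j2.formatMsgNoLookups=true"
```

The version classes only cover what the thread and the public advisories state; a jar that reports flag-ok still needs the upgrade, the property is a stopgap.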
Ralph Schoon (63.1k●3●36●46)
answered Dec 11 '21, 2:58 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Dec 11 '21, 3:00 p.m.
IBM is actively monitoring this kind of stuff and is announcing security issues with products as soon as possible.
A forum like this is NOT a safe place to get this kind of information. I could answer that there is no issue while completely unaware of what this is about.
ELM uses log4j, but I do not have the knowledge or the capability to answer whether the servers are affected. Apparently the attacker has to be able to create certain names that are then used in the logs. Not sure they can enforce that. Wait for the IBM CERT team to assess this.