IBM Sterling Global Mailbox uses Apache Log4j for logging and is vulnerable to arbitrary code execution through CVE-2021-45046. Mitigation steps are detailed below.
CVEID: CVE-2021-45046
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), an attacker with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in information leakage and remote code execution in some environments, and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Sterling Global Mailbox (GM) | 6.0.3 to 6.1.1.0 |
Product Name/Version | Remediation & Fix
---|---
IBM Sterling Global Mailbox 6.0.3-6.1.1.0 | Download IBM Sterling B2B Integrator IIM version 6.0.3.5_1, 6.1.0.4_1, 6.1.1.0_1, 6.0.2.3_1 or 6.0.1.2_1 from Fix Central, then apply the fix for Global Mailbox.
IBM strongly recommends addressing the vulnerability now by executing these mitigation steps:
Steps to remove JndiLookup.class from log4j-core.jar:
1. Navigate to <PRE_REQ_INSTALL_LOCATION>/zookeeper/watchdog/lib and run:
   zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
2. Navigate to each of the following two locations and run the same command:
   zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
   <SI_INSTALL_LOCATION>/jar/dist-mbx/1_0/
   <SI_INSTALL_LOCATION>/MailboxUtilities/admin/lib/
Steps to update the GM war file:
1. Stop the GM (mailboxui) Liberty server.
2. Navigate to <SI_INSTALL_LOCATION>/wlp/usr/servers/mailboxui/apps/
3. Take a backup of the existing com.ibm.mailbox.war file.
4. Create a temporary folder, e.g. /opt/temp, and copy the war file into it.
5. Navigate to the temp folder: cd /opt/temp
6. Execute the following commands:
   i) <b2biinstall-Jdk-location>/bin/jar -xvf com.ibm.mailbox.war WEB-INF/lib/log4j-core-2.10.0.jar
   ii) find ./ -type f -name "log4j-core-*.jar" -exec zip -q -d "{}" org/apache/logging/log4j/core/lookup/JndiLookup.class \;
   iii) <b2biinstall-Jdk-location>/bin/jar -uvf com.ibm.mailbox.war WEB-INF/lib/log4j-core-2.10.0.jar
7. Copy the updated com.ibm.mailbox.war to <SI_INSTALL_LOCATION>/wlp/usr/servers/mailboxui/apps/
8. Start the GM (mailboxui) Liberty server.
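As an added example (not IBM's tooling), the following Python script does the same work as the zip and jar commands above and adds the check the bulletin leaves out: it lists every JndiLookup.class in an archive, descending into a log4j-core jar nested inside a war, strips it, and confirms the class is gone while every other entry survives. It uses only the standard library, so it runs without zip or jar on the PATH. The war it operates on is constructed in build_sample_war() with dummy bytes standing in for the real class files; the directory layout under wlp/usr/servers/mailboxui/apps/ mirrors the bulletin. sanitize_tree() keeps a .bak copy of each archive it rewrites, matching the backup step above; point it at a real install location only after stopping the Liberty server as the bulletin instructs.

```python
"""Strip JndiLookup.class from log4j-core jars (also when nested in a war) and verify.
Added example, not IBM's tooling; standard library only."""
import fnmatch
import io
import os
import shutil
import tempfile
import zipfile

# The class the bulletin's `zip -q -d` commands delete.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Archives we descend into: the war stores the log4j jar under WEB-INF/lib.
NESTED_PATTERNS = ("log4j-core-*.jar", "*.war")


def _is_nested_archive(name: str) -> bool:
    base = os.path.basename(name)
    return any(fnmatch.fnmatch(base, pat) for pat in NESTED_PATTERNS)


def find_jndi_lookup(data: bytes, label: str) -> list[str]:
    """List every JndiLookup.class as 'archive!entry', recursing into nested archives.
    This is the post-mitigation check: an empty list means the class is gone."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == JNDI_ENTRY:
                hits.append(f"{label}!{info.filename}")
            elif _is_nested_archive(info.filename):
                hits.extend(find_jndi_lookup(zf.read(info), f"{label}!{info.filename}"))
    return hits


def strip_jndi_lookup(data: bytes, label: str) -> tuple[bytes, list[str]]:
    """Rewrite an archive without JndiLookup.class, descending into nested jars/wars.
    Equivalent to the bulletin's zip -d plus the jar -xvf / -uvf steps in one pass."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                removed.append(f"{label}!{info.filename}")
                continue
            payload = src.read(info)
            if _is_nested_archive(info.filename):
                payload, inner = strip_jndi_lookup(payload, f"{label}!{info.filename}")
                removed.extend(inner)
            # Fresh ZipInfo so size and CRC are recomputed for a rewritten payload.
            new_info = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new_info.compress_type = info.compress_type
            new_info.external_attr = info.external_attr
            dst.writestr(new_info, payload)
    return out.getvalue(), removed


def sanitize_tree(root: str) -> dict[str, list[str]]:
    """Walk root, strip JndiLookup.class from every matching jar/war in place
    (keeping a .bak copy, like the bulletin's backup step) and report removals."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not _is_nested_archive(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                new_data, removed = strip_jndi_lookup(fh.read(), name)
            if removed:
                shutil.copy2(path, path + ".bak")
                with open(path, "wb") as fh:
                    fh.write(new_data)
                report[path] = removed
    return report


def nested_names(data: bytes, member: str) -> list[str]:
    """Entry names of the archive stored as `member` inside `data` (to confirm
    that nothing besides JndiLookup.class was dropped)."""
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        with zipfile.ZipFile(io.BytesIO(outer.read(member))) as inner:
            return inner.namelist()


def build_sample_war() -> bytes:
    """Constructed stand-in for com.ibm.mailbox.war: a war wrapping a fake
    log4j-core-2.10.0.jar whose class entries are dummy bytes, not real bytecode."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe dummy JndiLookup")
        zf.writestr("org/apache/logging/log4j/core/lookup/EnvironmentLookup.class", b"\xca\xfe\xba\xbe dummy")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.10.0.jar", jar.getvalue())
    return war.getvalue()


def run_demo() -> dict[str, list[str]]:
    """Lay the sample war out like .../wlp/usr/servers/mailboxui/apps/ in a temp
    dir, sanitize it, verify the check passes, and return the report."""
    work = tempfile.mkdtemp()
    try:
        apps = os.path.join(work, "wlp", "usr", "servers", "mailboxui", "apps")
        os.makedirs(apps)
        war_path = os.path.join(apps, "com.ibm.mailbox.war")
        with open(war_path, "wb") as fh:
            fh.write(build_sample_war())
        report = sanitize_tree(work)
        with open(war_path, "rb") as fh:
            assert find_jndi_lookup(fh.read(), "com.ibm.mailbox.war") == []
        return {os.path.relpath(p, work): r for p, r in report.items()}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for path, removed in run_demo().items():
        print(path)
        for entry in removed:
            print("  removed", entry)
```

Running the script prints the relative path of the sample war and the single nested entry it removed. Re-running strip_jndi_lookup() on the cleaned archive removes nothing, so the tool is safe to apply to a host where some of the listed locations were already patched by hand.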