Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0
HistoryJan 29, 2022 - 12:31 a.m.

Security Bulletin: IBM Data Virtualization on Cloud Pak for Data is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) due to Apache Log4j

2022-01-2900:31:33
www.ibm.com
30

0.976 High

EPSS

Percentile

100.0%

JSON

Summary

There are vulnerabilities in the version of Apache Log4j that is used by IBM Data Virtualization on Cloud Pak for Data (CVE-2021-45046 and CVE-2021-45105) which is used for logging. The fix includes Apache Log4j 2.17.1.

Vulnerability Details

CVEID:CVE-2021-45105
**DESCRIPTION:**Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-45046
**DESCRIPTION:**Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)|**DV Version(s)
**|

CPD****Version(s)

—|—|—
IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.3.0| 2.5.0
IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.4.1| 3.0.1
IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.5.0|

3.5,

3.5 Refresh 1 - 9

IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.7.1 - 1.7.3| 4.0 Refresh 1 - 3
IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.7.3| 4.0 Refresh 4

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Affected Product(s) **DV Version(s) ** **CPD Version(s) ** Fixes
IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) 1.3.0 2.5.0

Upgrade to version 1.5.0 patch version 1.5.0.0-270 (DV) /

3.5 Refresh 10 (CPD)

IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.4.1| 3.0.1|

Upgrade to version 1.5.0 patch version 1.5.0.0-270 (DV) /

3.5 Refresh 10 (CPD)

IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.5.0|

3.5,

3.5 Refresh 1 - 9

|

Apply patch version 1.5.0.0-270 (DV) /

3.5 Refresh 10 (CPD)

IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.7.1 - 1.7.3| 4.0 Refresh 1 - 3|

Update to version 1.7.5 (DV) /

4.0 Refresh 5 (CPD)

IBM Data Virtualization(DV) on Cloud Pak for Data(CPD)| 1.7.3| 4.0 Refresh 4|

Update to version 1.7.5 (DV) /

4.0 Refresh 5 (CPD)

You must update the Cloud Pak for Data platform to version 4.0 Refresh 5 to install the fix for Data Virtualization.

To update Cloud Pak for Data platform to 4.0 Refresh 5, see the following links:

The following procedure covers the steps after installing the fix for Data Virtualization.

  1. Run the following steps from the Data Virtualization head pod to manually remove unnecessary files from your updated Data Virtualization instance. These include files that contained old log4j binaries. Not all of the files might be present if you previously installed other log4j fixes.
1. Log in to the Data Virtualization head pod. 
    
            oc rsh c-db2u-dv-db2u-0

2. Switch to the db2inst1 user. 
    
            su - db2inst1

3. Remove unnecessary JAR files. 
    
            rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.15.0.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.15.0.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-api-2.15.0.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-core-2.15.0.jar
      
    ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar"
    
    ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar"
    
    ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.15.0.jar"
    
    ${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.15.0.jar"

4. Remove unnecessary ZIP and TAR files. 
    
            rm -rf /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7*.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7*.zip

5. Copy the latest TAR file. 
    
            cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.5_*.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config

6. Copy the latest ZIP file. 
    
            cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.5_*.zip /mnt/PV/versioned/uc_dsserver_shared/config
  1. Complete the following steps to manually restart head and worker pods to complete applying the fix. This manual restart can be performed by running the following command:
1. Wait for the Data Virtualization hurricane pod to start up successfully.
2. Run the following commands to restart the Data Virtualization head and worker pods: 
    
            current_replicas=$(oc get sts c-db2u-dv-db2u -o jsonpath="{.spec.replicas}"); oc scale sts c-db2u-dv-db2u --replicas=0; sleep 3m; oc scale sts c-db2u-dv-db2u --replicas=$current_replicas

3. If you see the following error message, restart the Data Virtualization hurricane pod and then repeat step 2. b) 
    
            ERR api/pkg/cli/sideload/load.go:73 error="file is the wrong size: 154274816, expected: 154143232\n"
  1. Data Virtualization is now ready to use.

Note:

_If you run a security vulnerability scanning tool on the Docker images, you might find that some of the affected packages at the affected version are still present on it. _

Those packages have been modified according to guidance provided by the Apache Log4j development team so that they are no longer vulnerable.

Workarounds and Mitigations

None

Related

ibm 135
fedora 2
avleonov 1
githubexploit 5
cisa 1
thn 2
nvidia 1
threatpost 1
qualysblog 3
securelist 2
openvas 15
ics 1
redhat 8
paloalto 1
citrix 1
nessus 6
github 2
osv 1
redos 1
cisco 1
nuclei 1
fortinet 1
talosblog 1
amazon 1
checkpoint_advisories 1
vmware 1
impervablog 1
redhatcve 1
attackerkb 1
ibm
ibm
Security Bulletin: IBM Business Automation Workflow is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046)
2022-01-13 07:04:20
Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046)
2021-12-27 17:59:18
Security Bulletin: Vulnerability in Apache Log4j affects IBM Event Streams (CVE-2021-45105, CVE-2021-45046)
2021-12-24 15:57:25
fedora
fedora
[SECURITY] Fedora 34 Update: log4j-2.17.0-1.fc34
2021-12-27 00:56:30
[SECURITY] Fedora 35 Update: log4j-2.17.0-1.fc35
2021-12-27 00:41:40
avleonov
avleonov
Log4j “Log4Shell” RCE explained (CVE-2021-44228)
2021-12-26 22:07:17
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-15 11:34:02
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-13 06:09:04
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-17 10:36:16
cisa
cisa
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
2021-12-22 00:00:00
thn
thn
Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability
2021-12-18 10:09:00
New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability
2021-12-18 12:18:00
nvidia
nvidia
Security Notice: NVIDIA Response to Log4j Vulnerabilities - December 2021
2021-12-13 00:00:00
threatpost
threatpost
Third Log4J Bug Can Trigger DoS; Apache Issues Patch
2021-12-20 16:01:57
qualysblog
qualysblog
How to Discover Log4Shell Vulnerabilities in Running Containers & Images
2021-12-27 19:39:34
CVE-2021-44228: Apache Log4j2 Zero-Day Exploited in the Wild (Log4Shell)
2021-12-10 19:30:11
New Options Profiles for Log4Shell Detection
2021-12-20 17:33:11
securelist
securelist
Answering Log4Shell-related questions
2021-12-20 15:45:30
CVE-2021-44228 vulnerability in Apache Log4j library
2021-12-13 14:10:21
openvas
openvas
Elastic Logstash Multiple Log4j Vulnerabilities (Dec 2021)
2021-12-20 00:00:00
Elastic Elasticsearch Multiple Log4j Vulnerabilities (Dec 2021)
2021-12-20 00:00:00
Fedora: Security Advisory for log4j (FEDORA-2021-5c9d12a93e)
2021-12-27 00:00:00
ics
ics
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
2021-12-23 12:00:00
redhat
redhat
(RHSA-2022:0222) Moderate: Red Hat Integration Camel Extensions for Quarkus 2.2 security update
2022-01-20 18:50:57
(RHSA-2022:0223) Moderate: Red Hat Integration Camel-K 1.6.3 release and security update
2022-01-20 18:51:49
(RHSA-2022:0216) Low: Red Hat JBoss Enterprise Application Platform 7.4 security update
2022-01-20 15:56:27
paloalto
paloalto
Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832
2021-12-10 21:45:00
citrix
citrix
Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.
2021-12-11 17:15:50
nessus
nessus
Amazon Linux 2022 : log4j (ALAS2022-2022-225)
2022-12-09 00:00:00
FreeBSD : graylog -- remote code execution in log4j from user-controlled log input (650734b2-7665-4170-9a0a-eeced5e10a5e)
2021-12-21 00:00:00
Ubuntu 20.04 LTS : Apache Log4j 2 vulnerability (USN-5197-1)
2021-12-15 00:00:00
github
github
GitHub’s response to Log4j vulnerability CVE-2021-44228
2021-12-13 19:06:34
Security Advisory for "Log4Shell"
2022-01-21 23:25:04
osv
osv
Security Advisory for "Log4Shell"
2022-01-21 23:25:04
redos
redos
ROS-20211223-01
2021-12-23 00:00:00
cisco
cisco
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
2021-12-10 18:45:00
nuclei
nuclei
Apache Log4j2 - Remote Code Injection
2021-12-23 15:41:50
fortinet
fortinet
Apache log4j2 log messages substitution (CVE-2021-44228)
2021-12-12 00:00:00
talosblog
talosblog
Quarterly Report: Incident Response Trends in Q2 2022
2022-07-26 14:03:00
amazon
amazon
Critical: java-1.8.0-openjdk, java-1.7.0-openjdk, java-1.6.0-openjdk
2021-12-17 17:39:00
checkpoint_advisories
checkpoint_advisories
Apache Log4j Remote Code Execution (CVE-2021-44228; CVE-2021-45046)
2021-12-10 00:00:00
vmware
vmware
VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046)
2021-12-10 00:00:00
impervablog
impervablog
Why Attackers Target the Gaming Industry
2023-05-30 11:47:27
redhatcve
redhatcve
CVE-2021-45105
2022-04-30 13:07:43
attackerkb
attackerkb
CVE-2021-45046
2021-12-14 00:00:00

0.976 High

EPSS

Percentile

100.0%

JSON
Related for 185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0
ibm135fedora2avleonov1githubexploit5cisa1thn2nvidia1threatpost1qualysblog3securelist2openvas15ics1redhat8paloalto1citrix1nessus6github2osv1redos1cisco1nuclei1fortinet1talosblog1amazon1checkpoint_advisories1vmware1impervablog1redhatcve1attackerkb1