The version of Apache Log4j that IBM Data Virtualization on Cloud Pak for Data uses for logging is affected by two vulnerabilities (CVE-2021-45046 and CVE-2021-45105). The fix includes Apache Log4j 2.17.1.
CVEID: CVE-2021-45105
**DESCRIPTION:** Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-45046
**DESCRIPTION:** Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information, and to achieve remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
**Affected Product(s)** | **DV Version(s)** | **CPD Version(s)**
---|---|---
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.3.0 | 2.5.0
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.4.1 | 3.0.1
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.5.0 | 3.5, 3.5 Refresh 1 - 9
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.7.1 - 1.7.3 | 4.0 Refresh 1 - 3
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.7.3 | 4.0 Refresh 4
IBM strongly recommends addressing the vulnerability now.
**Affected Product(s)** | **DV Version(s)** | **CPD Version(s)** | **Fixes**
---|---|---|---
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.3.0 | 2.5.0 | Upgrade to version 1.5.0 patch version 1.5.0.0-270 (DV) / 3.5 Refresh 10 (CPD)
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.4.1 | 3.0.1 | Upgrade to version 1.5.0 patch version 1.5.0.0-270 (DV) / 3.5 Refresh 10 (CPD)
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.5.0 | 3.5, 3.5 Refresh 1 - 9 | Apply patch version 1.5.0.0-270 (DV) / 3.5 Refresh 10 (CPD)
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.7.1 - 1.7.3 | 4.0 Refresh 1 - 3 | Update to version 1.7.5 (DV) / 4.0 Refresh 5 (CPD)
IBM Data Virtualization (DV) on Cloud Pak for Data (CPD) | 1.7.3 | 4.0 Refresh 4 | Update to version 1.7.5 (DV) / 4.0 Refresh 5 (CPD)
You must update the Cloud Pak for Data platform to version 4.0 Refresh 5 to install the fix for Data Virtualization.
To update Cloud Pak for Data platform to 4.0 Refresh 5, see the following links:
The following procedure covers the steps after installing the fix for Data Virtualization.
1. Log in to the Data Virtualization head pod.
oc rsh c-db2u-dv-db2u-0
2. Switch to the db2inst1 user.
su - db2inst1
3. Remove unnecessary JAR files.
rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.15.0.jar /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.15.0.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-api-2.15.0.jar /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver/log4j-core-2.15.0.jar
${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.8.2.jar"
${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.8.2.jar"
${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-api-2.15.0.jar"
${BIGSQL_CLI_DIR}/BIGSQL/package/scripts/bigsqlPexec.sh -w -c "rm -rf /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver/log4j-core-2.15.0.jar"
4. Remove unnecessary ZIP and TAR files.
rm -rf /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7*.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config/DATAVIRTUALIZATION_ENDPOINT_V1.7*.zip
5. Copy the latest TAR file.
cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.5_*.tar.gz /mnt/PV/versioned/uc_dsserver_shared/config
6. Copy the latest ZIP file.
cp /opt/ibm/qp_artifacts/archives/DATAVIRTUALIZATION_ENDPOINT_V1.7.5_*.zip /mnt/PV/versioned/uc_dsserver_shared/config
1. Wait for the Data Virtualization hurricane pod to start up successfully.
2. Run the following commands to restart the Data Virtualization head and worker pods:
current_replicas=$(oc get sts c-db2u-dv-db2u -o jsonpath="{.spec.replicas}"); oc scale sts c-db2u-dv-db2u --replicas=0; sleep 3m; oc scale sts c-db2u-dv-db2u --replicas=$current_replicas
3. If you see the following error message, restart the Data Virtualization hurricane pod and then repeat step 2 b):
ERR api/pkg/cli/sideload/load.go:73 error="file is the wrong size: 154274816, expected: 154143232\n"
Note: If you run a security vulnerability scanning tool on the Docker images, you might find that some of the affected packages at the affected version are still present on it. Those packages have been modified according to guidance provided by the Apache Log4j development team so that they are no longer vulnerable.
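The cleanup in step 3 removes Log4j 2.8.2 and 2.15.0 JARs from the `dvm_driver` directories by explicit path. The following POSIX shell script is an added example, not part of the IBM bulletin, that a practitioner can run inside the head pod after the procedure to confirm that no Log4j JAR older than the fixed 2.17.1 remains under those directories, by parsing the version out of each `log4j-core-*.jar` / `log4j-api-*.jar` file name. The two scan roots at the bottom are the bulletin's own directories; everything else (function names, the `FIXED_VERSION` constant, the assumption that paths contain no whitespace) is this example's own choice.

```shell
#!/bin/sh
# Added example (not IBM's code): audit directory trees for Log4j 2 JARs whose
# file-name version predates the fixed release named in the bulletin (2.17.1).
# Assumes JAR paths contain no whitespace, which holds for the bulletin's paths.

FIXED_VERSION="2.17.1"

# version_lt A B: succeed (exit 0) when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# log4j_version_from_name FILE: print the version embedded in a
# log4j-core-X.Y.Z.jar or log4j-api-X.Y.Z.jar name; print nothing for other files.
log4j_version_from_name() {
    case "$(basename "$1")" in
        log4j-core-*.jar|log4j-api-*.jar)
            basename "$1" .jar | sed -e 's/^log4j-core-//' -e 's/^log4j-api-//' ;;
    esac
}

# find_outdated_log4j DIR...: print "<path> <version>" for every Log4j JAR under
# the given directories that is older than FIXED_VERSION. Missing directories
# are skipped. Returns 1 when at least one outdated JAR was found, else 0.
find_outdated_log4j() {
    found=0
    for root in "$@"; do
        [ -d "$root" ] || continue
        for jar in $(find "$root" -type f -name 'log4j-*.jar' 2>/dev/null); do
            v=$(log4j_version_from_name "$jar")
            [ -n "$v" ] || continue
            if version_lt "$v" "$FIXED_VERSION"; then
                echo "$jar $v"
                found=1
            fi
        done
    done
    return $found
}

# Usage: scan the two dvm_driver locations named in the bulletin's step 3.
if find_outdated_log4j \
    /mnt/blumeta0/home/db2inst1/sqllib/datavirtualization/dvm_driver \
    /mnt/bludata0/dv/versioned/pre_migration/sqllib/datavirtualization/dvm_driver
then
    echo "No Log4j JAR older than $FIXED_VERSION found."
else
    echo "Outdated Log4j JARs listed above; rerun the removal step on each."
fi
```

Because the check only trusts the file name, a JAR that has been renamed or repackaged would not be caught; the note above explains why an image scanner may still flag packages that IBM has modified in place, so treat this script as a quick sanity check on the explicit paths the procedure touches, not as a substitute for a full scan.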
None