Multiple vulnerabilities were identified within the Apache Log4j library (CVE-2021-45046, CVE-2021-45105) that is used by Netcool Operations Insight to provide logging functionality.
CVEID: CVE-2021-45105
**DESCRIPTION:** Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-45046
**DESCRIPTION:** Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information, achieve remote code execution in some environments, and achieve local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
| Affected Product(s) | Version(s) |
|---|---|
| Netcool Operations Insight | 1.4 |
| Netcool Operations Insight | 1.5 |
| Netcool Operations Insight | 1.6 |
IBM strongly recommends addressing the vulnerabilities now.
Please take careful inventory of components downloaded at any time and be sure to apply the remediations for any component that may have been installed, whether or not it is currently in use.
To address the recent Apache Log4j vulnerabilities, all installed components must be upgraded.
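The inventory step above is easy to get wrong when a component was installed and then forgotten, or when log4j-core ships inside a .war or .ear rather than as a loose jar. The following script is an added example for this bulletin and is not IBM tooling: it walks a directory tree, opens every archive (recursing into archives bundled inside other archives), identifies log4j-core by its Maven metadata or file name, and flags any copy below the 2.17.1 level the fix ships. The threshold, the paths and the sample tree that `build_sample_tree()` creates are assumptions made for the demonstration.

```python
"""Inventory Log4j 2 core jars below a directory tree, including jars nested inside
.war/.ear/.jar archives, and flag any below the version shipped by the fix.
Added example for this bulletin; it is not IBM tooling. The 2.17.1 threshold
and the sample tree built by build_sample_tree() are assumptions for the demo."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# The bulletin's fixes ship Log4j 2.17.1 (a few components 2.17.0); assumed floor here.
FIXED_VERSION = (2, 17, 1)
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}
# Maven metadata that a genuine (or shaded) log4j-core carries.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); a suffix such as '2.0-beta9' keeps only its leading digits."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def log4j_core_version(zf, name):
    """Version of an open archive if it is log4j-core: pom.properties first, file name second."""
    if POM_PROPERTIES in zf.namelist():
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    m = FILENAME_RE.search(name)
    return parse_version(m.group(1)) if m else None


def walk_archive(zf, location, findings):
    """Record this archive if it is log4j-core, then recurse into archives it bundles."""
    version = log4j_core_version(zf, location)
    if version is not None:
        findings.append((location, ".".join(map(str, version)), version < FIXED_VERSION))
    for entry in zf.namelist():
        if Path(entry).suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue  # not a real archive despite its suffix
            walk_archive(inner, f"{location}!{entry}", findings)


def scan(root):
    """Return [(location, version, below_fix)] for every log4j-core found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    walk_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def zip_bytes(entries):
    """Build an in-memory zip from {name: bytes-or-str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def log4j_core_bytes(version):
    """Constructed stand-in for a log4j-core jar: Maven metadata plus one placeholder class."""
    return zip_bytes({POM_PROPERTIES: f"artifactId=log4j-core\nversion={version}\n",
                      "org/apache/logging/log4j/core/Logger.class": b""})


def build_sample_tree():
    """Constructed sample install (not real IBM files): an old loose jar and a war bundling a fixed one."""
    root = Path(tempfile.mkdtemp(prefix="log4j-inventory-"))
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.15.0.jar").write_bytes(log4j_core_bytes("2.15.0"))
    (root / "app.war").write_bytes(zip_bytes({
        "WEB-INF/lib/log4j-core-2.17.1.jar": log4j_core_bytes("2.17.1"),
        "WEB-INF/lib/commons-io-2.11.0.jar": zip_bytes({"org/apache/commons/io/IOUtils.class": b""}),
    }))
    return root


if __name__ == "__main__":
    for location, version, below_fix in scan(build_sample_tree()):
        print(f"{'UPGRADE' if below_fix else 'ok     '} {version:8} {location}")
```

Point `scan()` at a product install root instead of the constructed tree to get a real inventory; the `!` separator in a location marks a jar found inside another archive, which is the case a plain `find -name 'log4j-core*'` misses. Reading pom.properties before trusting the file name matters because renamed or shaded copies of log4j-core still carry that metadata.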
Red Hat OpenShift Platform
If you are on a version between 1.4 and 1.6.2, move to IBM Netcool Operations Insight V1.6.3 on Red Hat OpenShift.
Install the recommended fix v1.6.3.2 as per
<https://www.ibm.com/support/pages/node/6527810>
The fix includes Apache Log4j 2.17.1.
Traditional On Premise

| On Premise Component Product | IBM Netcool Operations Insight Version(s) | Remediation Steps |
|---|---|---|
| IBM Netcool Agile Service Manager | 1.4-1.6 | This includes Apache Log4j 2.17.1. |
| IBM Cognos Analytics | 1.6 | Please see steps for Bundled Customers in the Remediation section of Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832). This includes Apache Log4j 2.17.1. |
| IBM Db2 | 1.4-1.6 | This includes Apache Log4j 2.17.0. |
| IBM Jazz for Service Management | 1.4-1.6 | This includes Apache Log4j 2.17.0. A further update is available; it includes Apache Log4j 2.17.1. |
| IBM Tivoli Netcool Impact | 1.4-1.6 | This includes Apache Log4j 2.17.0. A further update is available; it includes Apache Log4j 2.17.1. |
| IBM Netcool/OMNIbus | 1.4-1.6 | This includes Apache Log4j 2.17.1. |
| IBM Tivoli Netcool/OMNIbus Probes and Gateways | 1.4-1.6 | See Netcool/OMNIbus Integrations Release Notice - Transport Module Common Integration Library and Netcool/OMNIbus Integrations Release Notice - Java Netcool Utility Library. These include Apache Log4j 2.17.1. |
| IBM Tivoli Netcool/OMNIbus Web GUI | 1.4-1.6 | This includes Apache Log4j 2.17.1. |
| IBM Network Performance Insight | 1.6.0-1.6.2 | There is an interim fix available on Fix Central (1.3.1.0-TIV-NPI-IF0005). This includes Apache Log4j 2.17.0. |
| IBM Operations Analytics - Log Analysis | 1.4-1.6 | If Apache Log4j CVE-2021-44228 has already been addressed by executing the steps documented in the bulletin above, they do not have to be duplicated. This includes Apache Log4j 2.17.0. |
| IBM Operations Analytics - Predictive Insights | 1.4-1.6 | This includes Apache Log4j 2.17.1. |
| IBM Tivoli Business Service Manager (TBSM) | 1.4-1.6 | For IBM Tivoli Netcool Impact: this includes Apache Log4j 2.17.0. A further update is available; it includes Apache Log4j 2.17.1. For WebSphere Application Server: this removes Apache Log4j from IBM WebSphere Application Server. If Apache Log4j CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have already been addressed by executing the steps documented in the bulletins above relating to those components, they do not have to be duplicated. |
| IBM Tivoli Netcool Configuration Manager | 1.4-1.6 | For WebSphere Application Server: this removes Apache Log4j from IBM WebSphere Application Server. If Apache Log4j CVE-2021-45105 and CVE-2021-44832 have already been addressed by executing the steps documented in the bulletin above relating to the component, they do not have to be duplicated. |
| IBM Tivoli Network Manager IP Edition | 1.4-1.6 | See Interim Fix 4.2.0.14-TIV-ITNMIP-LinuxAll-IF1 and follow the instructions in its ReadMe to remediate. This includes Apache Log4j 2.17.1. |
| IBM WebSphere Application Server | 1.4-1.6 | This removes Apache Log4j from IBM WebSphere Application Server. |
Red Hat OpenShift Platform
None.
Traditional On Premise
None, except as described in the individual on premise component security bulletins in the Remediation/Fixes table above.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | netcool operations insight | eq | 1.6.3.2 |