Apache Log4j is used by IBM Cloud Pak for Data System 1.0 in openshift-logging. This bulletin provides a remediation for the Apache Log4j vulnerability (CVE-2021-44832).
CVEID: CVE-2021-44832
**DESCRIPTION:** Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, an attacker could exploit this vulnerability to execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
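A configuration audit for the condition described above, as an added example that is not IBM's or the Log4j project's code: it lists every JDBC Appender in a Log4j2 XML configuration and marks for review any data source whose `jndiName` is not a local `java:` name. The function names and the sample configuration are constructed for illustration, and only the concise XML syntax (`<JDBC>` with a nested `<DataSource>`) is covered, not properties, JSON or YAML configurations.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the bulletin): one JDBC Appender whose data
# source is a remote JNDI URI, one that uses a local java: name.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="remoteDb" tableName="app_logs">
      <DataSource jndiName="ldap://example.invalid/placeholder"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="localDb" tableName="app_logs">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
</Configuration>
"""

def _local(tag):
    """Drop any XML namespace and lowercase; Log4j2 matches names case-insensitively."""
    return tag.rsplit("}", 1)[-1].lower()

def _attr(elem, name):
    """Case-insensitive attribute lookup; returns None when absent."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None

def audit_jdbc_appenders(xml_text):
    """Return (appender name, jndiName, verdict) for each JDBC Appender data source."""
    findings = []
    # For files from untrusted locations, parse with defusedxml instead.
    for appender in ET.fromstring(xml_text).iter():
        if _local(appender.tag) != "jdbc":
            continue
        for child in appender.iter():
            if _local(child.tag) != "datasource":
                continue
            jndi = (_attr(child, "jndiName") or "").strip()
            verdict = "ok" if jndi.lower().startswith("java:") else "review"
            findings.append((_attr(appender, "name"), jndi, verdict))
    return findings

if __name__ == "__main__":
    for name, jndi, verdict in audit_jdbc_appenders(SAMPLE_CONFIG):
        print(f"{verdict:6} appender={name} jndiName={jndi}")
```

A `review` verdict is a triage signal for configuration files that are writable by accounts other than the logging administrator; it does not replace applying the fix listed in this bulletin.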
Affected Product(s) | Version(s) |
---|---|
IBM Cloud Pak for Data System (ICPDS) 1.0 - Openshift Container Platform 3.11 | 1.0.0.0 - 1.0.7.7 |
IBM strongly recommends addressing the vulnerability now by applying the patch below.
Product | VRMF | Remediation / Fix |
---|---|---|
IBM Cloud Pak for Data System 1.0 - Openshift Container Platform 3.11 | 1.0.0.1-openshift-3.11.log4j-WS-ICPDS-fp140 | Link to Fix Central |
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ibm cloud pak for data system | eq | any |