
Security Bulletin: IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307)

Published: 2022-03-22 10:34:13
Source: www.ibm.com
Tags: ibm websphere, extreme scale, arbitrary code execution, apache log4j, remote logging

EPSS: 0.012 (percentile 85.4%)

Summary

Apache Log4j is used by IBM WebSphere eXtreme Scale as part of remote logging functionality (CVE-2022-23307). The fix includes Apache Log4j v2.17.1.

Vulnerability Details

**CVEID:** CVE-2022-23307
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by unsafe deserialization in the Apache Chainsaw component. By sending specially crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CVSS Base score:** 9.8
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM WebSphere Extreme Scale | 8.6.1.0 - 8.6.1.5 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product | Version(s) | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM WebSphere eXtreme Scale | 8.6.1.0 - 8.6.1.5 | PH44065 | |

For older versions, upgrade to the latest fix pack (8.6.1.4 or 8.6.1.5) and then apply the PH44065 iFix. If you are already on 8.6.1.4 or 8.6.1.5, apply the PH44065 iFix directly.

Recommended Fixes page for WebSphere eXtreme Scale

Workarounds and Mitigations

IBM recommends addressing the vulnerability by executing the Remediation as detailed above.

If executing the Remediation is not possible, please review this information and take action to implement the Workaround.

  • Remote logging is disabled by default.
  • If remote logging has been enabled, disable it by referring to these pages for eXtreme Scale and XSLD.
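As an added defender's check, not part of IBM's bulletin, the script below walks an install tree and reports which Log4j jars it finds, separating Log4j 1.x jars that still carry the Chainsaw package (the component named in CVE-2022-23307) from the Log4j 2.x line the fix moves to. It relies on the fact that Log4j 1.2.x bundled Chainsaw under org/apache/log4j/chainsaw; the jar names and class entries written by build_sample_tree are constructed placeholders, not real IBM files.

```python
import os
import tempfile
import zipfile

CHAINSAW_PKG = "org/apache/log4j/chainsaw/"   # Chainsaw was bundled in log4j 1.2.x jars
LOG4J1_MARK = "org/apache/log4j/Logger.class"  # present in any Log4j 1.x jar
LOG4J2_MARK = "org/apache/logging/log4j/core/"  # Log4j 2.x core (fix ships 2.17.1)

def classify_jar(path):
    """Return 'log4j1-chainsaw', 'log4j1', 'log4j2', or None for other jars."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
    except zipfile.BadZipFile:
        return None  # not a jar, or corrupt: nothing to classify
    if any(n.startswith(CHAINSAW_PKG) for n in names):
        return "log4j1-chainsaw"  # Chainsaw classes present: CVE-2022-23307 exposure
    if LOG4J1_MARK in names:
        return "log4j1"  # Log4j 1.x jar without the Chainsaw package
    if any(n.startswith(LOG4J2_MARK) for n in names):
        return "log4j2"  # Log4j 2.x line, which the bulletin's fix moves to
    return None

def scan(root):
    """Walk a directory tree; map each Log4j jar's file name to its classification."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                kind = classify_jar(os.path.join(dirpath, name))
                if kind:
                    findings[name] = kind
    return findings

def build_sample_tree():
    """Constructed jars standing in for an install tree (not real IBM files)."""
    root = tempfile.mkdtemp()
    samples = {
        "log4j-1.2.17.jar": [LOG4J1_MARK, CHAINSAW_PKG + "Main.class"],
        "log4j-core-2.17.1.jar": [LOG4J2_MARK + "Logger.class"],
        "unrelated.jar": ["com/example/App.class"],
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # empty placeholder class entries
    return root
```

Point scan() at the product's installation root; any jar reported as log4j1-chainsaw still carries the vulnerable component and should be covered by the PH44065 iFix.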