Apache Log4j is used by IBM WebSphere eXtreme Scale as part of remote logging functionality (CVE-2022-23307). The fix includes Apache Log4j v2.17.1.
CVEID: CVE-2022-23307
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s)
---|---
IBM WebSphere eXtreme Scale | 8.6.1.0 - 8.6.1.5
IBM strongly recommends addressing the vulnerability now.
Product | Version(s) | APAR | Remediation/First Fix
---|---|---|---
IBM WebSphere eXtreme Scale | 8.6.1.0 - 8.6.1.5 | PH44065 | For older versions, upgrade to the latest fixpack (8.6.1.4 or 8.6.1.5) and then apply the PH44065 iFix. If you are already on 8.6.1.4 or 8.6.1.5, apply the PH44065 iFix directly.
Recommended Fixes page for WebSphere eXtreme Scale
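As an added verification check (not part of the IBM bulletin or the product), the following Python script walks an install tree and flags any Log4j jar whose version is below the 2.17.1 release the fix ships; it assumes the jar version is recorded in the jar manifest or in the file name, and the install path and sample jars are constructed for the demo.

```python
"""Flag Log4j jars older than the fixed release under an install tree."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 1)  # Log4j release included in the PH44065 fix (from the bulletin)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '2.17.1' or '2.17.1-foo' into (2, 17, 1); None if no x.y.z prefix."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(jar_path):
    """Read the version from the manifest, falling back to the file name."""
    with zipfile.ZipFile(jar_path) as z:
        try:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m and parse_version(m.group(1)):
            return parse_version(m.group(1))
    m = re.search(r"(\d+\.\d+\.\d+)", Path(jar_path).name)
    return parse_version(m.group(1)) if m else None


def scan(root):
    """Return {jar path: version} for Log4j jars below FIXED_VERSION or of unknown version."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        if not jar.name.lower().startswith("log4j"):
            continue
        version = jar_version(jar)
        if version is None or version < FIXED_VERSION:
            findings[str(jar)] = version
    return findings


def make_sample_jar(path, version):
    """Constructed sample jar for the demo: a manifest only, no classes."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo():
    """Scan a constructed install tree (assumed layout); returns flagged jars by file name."""
    with tempfile.TemporaryDirectory() as install_dir:
        make_sample_jar(Path(install_dir) / "log4j-1.2.17.jar", "1.2.17")       # old 1.x jar
        make_sample_jar(Path(install_dir) / "log4j-core-2.17.1.jar", "2.17.1")  # fixed release
        return {Path(p).name: v for p, v in scan(install_dir).items()}
```

Point `scan()` at the real product install directory to confirm that no pre-2.17.1 Log4j jar remains after applying the iFix.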
IBM recommends addressing the vulnerability by executing the Remediation as detailed above.
If executing the Remediation is not possible, please review this information and take action to implement the Workaround.