Vulnerabilities in Apache Log4j affect the logging infrastructure in the ATNAAudit node and the XDSConsumer pattern in IBM App Connect for Healthcare. IBM App Connect for Healthcare has addressed these vulnerabilities; the fix includes Apache Log4j 2.17.1.
CVEID: CVE-2022-23302
**DESCRIPTION:** Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
IBM App Connect for Healthcare 5.0.0.0
IBM App Connect for Healthcare 5.0.0.1
IBM App Connect for Healthcare 6.0.1.0
IBM strongly recommends addressing the vulnerability now by applying the patches listed in this table.

Product | VRMF | APAR | Remediation/Fixes |
---|---|---|---|
IBM App Connect for Healthcare | 5.0.0.1 | IT39653 | Interim fix for APAR (IT39653) is available from |
IBM App Connect for Healthcare | 6.0.1.0 | IT39653 | Interim fix for APAR (IT39653) is available from |
As detailed above in the Remediation / Fixes Section.
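To verify that the fix is actually in place on a deployed node, an inventory check can walk the Log4j jars on the classpath, compare their versions against the 2.17.1 level this bulletin names, and flag any jar that still ships the JMSSink class from the CVE description. The script below is an added example and not IBM's code; it assumes the usual `log4j[-artifact]-<version>.jar` file-name convention and uses a constructed in-memory classpath as sample input.

```python
import io
import re
import zipfile
from pathlib import Path

# Version the bulletin says the fix ships (assumption: anything lower is unpatched).
FIXED_VERSION = (2, 17, 1)
# Class that carries the JMSSink component named in the CVE description.
JMSSINK_ENTRY = "org/apache/log4j/net/JMSSink.class"
# Assumed file-name convention: log4j[-artifact...]-<version>.jar
NAME_RE = re.compile(r"^log4j(?:-[a-z0-9]+)*-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]

def inspect_jar(name, data):
    """Describe one jar given as bytes; None if its name is not a Log4j jar."""
    m = NAME_RE.match(Path(name).name)
    if not m:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ships_jmssink = JMSSINK_ENTRY in zf.namelist()
    return {
        "jar": name,
        "version": m.group(1),
        "below_fix": parse_version(m.group(1)) < FIXED_VERSION,
        "ships_jmssink": ships_jmssink,
    }

def scan(jars):
    """jars: iterable of (name, bytes). Returns the jars that need attention."""
    findings = [inspect_jar(n, d) for n, d in jars]
    return [f for f in findings if f and (f["below_fix"] or f["ships_jmssink"])]

def make_jar(entries):
    """Build an in-memory jar with empty entries (constructed sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()

# Constructed classpath: an old 1.2.17 jar still shipping JMSSink, plus the fixed core jar.
SAMPLE = [
    ("lib/log4j-1.2.17.jar", make_jar(["org/apache/log4j/Logger.class", JMSSINK_ENTRY])),
    ("lib/log4j-core-2.17.1.jar", make_jar(["org/apache/logging/log4j/core/Logger.class"])),
]
```

Running `scan(SAMPLE)` reports only the 1.2.17 jar, since the 2.17.1 jar is at the fixed level and does not carry JMSSink; on a real node, feed `scan` the jars read from the product's lib directories.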