Security Bulletin: Vulnerability from log4j-1.2.16.jar affect IBM Operations Analytics - Log Analysis (CVE-2023-26464)

Summary

log4j-1.2.16.jar is vulnerable and it is shipped in Log Analysis. The fix includes Apache Log4j core 2.17.1

Vulnerability Details

CVEID:CVE-2023-26464
**DESCRIPTION:**Apache Log4j is vulnerable to a denial of service, caused by a flaw when using the Chainsaw or SocketAppender components. By sending a specially crafted hashmap or hashtable, a remote attacker could exploit this vulnerability to exhaust available memory in the virtual machine, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249785 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

If current Log Analysis version is older than version 1.3.7.2, upgrade to Log Analysis version 1.3.7 Fix Pack 2 and apply 1.3.x Log4j Interim Fix 1 (Solr) fix. Download 1.3.7-TIV-IOALA-FP2 and 1.3.x-TIV-IOALA-IF1-Log4j-solr

For Log Analysis version 1.3.7.2, apply 1.3.x Log4j Interim Fix 1 (Solr) fix. Download 1.3.x-TIV-IOALA-IF1-Log4j-solr

For user of Logstash, apply 1.3.x Log4j Interim Fix 2 (Logstash) fix. Download 1.3.x-TIV-IOALA-IF2-Log4j-LS

Workarounds and Mitigations

None