Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA3752C1A8387F15196CA7D38FEBCF0DB0EFEE9BA80E9F901A057B44A5C47F353
HistoryDec 17, 2021 - 1:59 p.m.

Security Bulletin: IBM Kenexa LCMS Premier On Premise - Log4j - CVE-2021-4104 (Publicly disclosed vulnerability)

2021-12-1713:59:19
www.ibm.com
22

0.127 Low

EPSS

Percentile

95.5%

JSON

Summary

We have identified that the IBM Kenexa LCMS Premier is affected by one or more security vulnerabilities. These have been tested in LCMS Premier 13.x & 14.0 versions.

Vulnerability Details

CVEID:CVE-2021-4104
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Kenexa LCMS Premier on premise LCMS 14.0 and below

Remediation/Fixes

LCMS uses Log4j 1.x version and fix for this issue has been tested on IBM LCMS 13.x & 14.0 versions

Steps to Download from Fix Central

  • Log in to Fix Central (<https://www-945.ibm.com/support/fixcentral/&gt;)
  • Select "IBM Kenexa LCMS Premier” from the Product Selector dropdown
  • Select “14.0” from the Installed version dropdown
  • Select “Windows” from the Platform dropdown
  • Click “Continue”
  • Select "Browse for Fixes” and click “Continue”

Download log4jLcmsfix.zip and Extract the following 2 files:

  • libreplace.exe
  • log4j-core-2.15.0.jar

Steps to Follow:

Steps for deploying log4j fix:

1. Copy libreplace.exe and log4j-core-2.15.0.jar into a new directory, e.g. c:\log4jfix

2. Start a command-prompt as administrator

3. Change to new directory, e.g. cd /d c:\log4jfix

4. Stop all LCMS services

5. Execute command-line:

libreplace.exe “d:\lcms” log4j*.jar log4j-core-2.15.0.jar . CONFIRM

(“d:\lcms” represents your LCMS directory)

6. Notice log messages that look like “log4j(etc).jar is now identical to log4j-core-2.15.0.jar”; this confirms that changes have been made properly

7. Start LCMS services

OPTIONAL - to rollback changes(if needed):

1. Stop all LCMS services

2. Find the .log file in e.g. c:\log4jfix

3. Find every line that starts with “UNDO:”

4. Execute the OS command from command-line, which follows “UNDO:”

5. Start LCMS services

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm kenexa lcms premiereq14.0

Related

ibm 111
nessus 21
suse 4
oraclelinux 2
ubuntu 2
openvas 13
osv 6
gentoo 3
github 3
cloudlinux 1
redhat 4
kaspersky 1
centos 1
cnvd 1
prion 2
atlassian 2
debiancve 2
cvelist 2
nvd 2
veracode 1
ubuntucve 3
cve 2
f5 2
redhatcve 2
trellix 2
amazon 1
attackerkb 1
symantec 1
threatpost 1
ibm
ibm
Security Bulletin: Vulnerability in Apache Log4j affects IBM Tivoli Netcool Impact (CVE-2021-4104)
2021-12-22 15:17:36
Security Bulletin: A security vulnerability in log4j v1.2 affects IBM Cloud Automation Manager
2022-03-16 16:05:10
Security Bulletin: Vulnerability in Apache Log4j affects IBM Analytical Decision Management (CVE-2021-4104)
2022-03-11 02:43:59
nessus
nessus
CentOS 7 : log4j (CESA-2021:5206)
2021-12-21 00:00:00
RHEL 7 : rh-maven36-log4j12 (RHSA-2021:5269)
2021-12-23 00:00:00
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
2021-12-15 00:00:00
suse
suse
Security update for log4j12 (important)
2021-12-24 00:00:00
Security update for kafka (important)
2021-12-28 00:00:00
Security update for log4j12 (important)
2021-12-17 00:00:00
oraclelinux
oraclelinux
log4j security update
2021-12-21 00:00:00
log4j security update
2022-01-26 00:00:00
ubuntu
ubuntu
Apache Log4j 1.2 vulnerability
2022-02-08 00:00:00
Apache Log4j 1.2 vulnerability
2022-01-12 00:00:00
openvas
openvas
CentOS: Security Advisory for log4j (CESA-2021:5206)
2022-01-11 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:14866-1)
2021-12-18 00:00:00
openSUSE: Security Advisory for log4j12 (openSUSE-SU-2021:1612-1)
2022-02-01 00:00:00
osv
osv
Using JMSAppender in log4j configuration may lead to deserialization of untrusted data
2021-12-17 20:42:38
apache-log4j1.2 vulnerability
2022-01-12 19:31:51
apache-log4j1.2 vulnerability
2022-02-08 21:01:33
gentoo
gentoo
Arduino: Remote Code Execution
2023-12-22 00:00:00
Minecraft Server: Remote Code Execution
2023-12-20 00:00:00
Ubiquiti UniFi: remote code execution via bundled log4j
2023-10-26 00:00:00
github
github
Using JMSAppender in log4j configuration may lead to deserialization of untrusted data
2021-12-17 20:42:38
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
2021-12-14 19:49:31
Deserialization of Untrusted Data in Log4j 1.x
2022-01-21 23:27:14
cloudlinux
cloudlinux
Fix of CVE: CVE-2021-4104
2022-01-17 14:23:20
redhat
redhat
(RHSA-2021:5206) Moderate: log4j security update
2021-12-20 08:38:19
(RHSA-2021:5269) Moderate: rh-maven36-log4j12 security update
2021-12-22 21:14:37
(RHSA-2021:5141) Critical: OpenShift Container Platform 4.6.52 security update
2021-12-16 07:44:46
kaspersky
kaspersky
KLA12407 RCE vulnerability in Apache Log4j
2021-12-14 00:00:00
centos
centos
log4j security update
2021-12-21 21:36:17
cnvd
cnvd
Apache Log4j Code Execution Vulnerability
2021-12-16 00:00:00
prion
prion
Deserialization of untrusted data
2022-01-18 16:15:00
Deserialization of untrusted data
2021-12-14 12:15:00
atlassian
atlassian
Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104
2022-03-07 08:14:14
Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104
2022-01-14 13:13:21
debiancve
debiancve
CVE-2021-4104
2021-12-14 12:15:12
CVE-2022-23302
2022-01-18 16:15:08
cvelist
cvelist
CVE-2021-4104 Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
2021-12-14 00:00:00
CVE-2022-23302 Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
2022-01-18 15:25:20
nvd
nvd
CVE-2022-23302
2022-01-18 16:15:08
CVE-2021-4104
2021-12-14 12:15:12
veracode
veracode
Deserialisation Of Untrusted Object
2021-12-15 13:38:24
ubuntucve
ubuntucve
CVE-2021-44228
2021-12-10 00:00:00
CVE-2022-23302
2022-01-18 00:00:00
CVE-2021-4104
2021-12-14 00:00:00
cve
cve
CVE-2022-23302
2022-01-18 16:15:08
CVE-2021-4104
2021-12-14 12:15:12
f5
f5
K59563964 : Apache Log4j Remote Code Execution vulnerability CVE-2022-23302
2022-01-31 00:00:00
K24554520 : Apache Log4j Remote Code Execution vulnerability CVE-2021-4104
2021-12-15 00:00:00
redhatcve
redhatcve
CVE-2021-4104
2022-05-07 14:29:21
CVE-2021-44228
2022-05-07 14:19:14
trellix
trellix
Log4shell Vulnerability is the Coal in Our Stocking for 2021
2022-01-19 00:00:00
Log4shell Vulnerability is the Coal in Our Stocking for 2021
2022-01-19 00:00:00
amazon
amazon
Important: log4j
2022-01-18 20:15:00
attackerkb
attackerkb
CVE-2021-44228 (Log4Shell)
2022-02-08 00:00:00
symantec
symantec
Symantec Security Advisory for Log4j Vulnerability
2021-12-11 01:06:47
threatpost
threatpost
Apache’s Fix for Log4Shell Can Lead to DoS Attacks
2021-12-15 14:04:19

0.127 Low

EPSS

Percentile

95.5%

JSON
Related for A3752C1A8387F15196CA7D38FEBCF0DB0EFEE9BA80E9F901A057B44A5C47F353
ibm111nessus21suse4oraclelinux2ubuntu2openvas13osv6gentoo3github3cloudlinux1redhat4kaspersky1centos1cnvd1prion2atlassian2debiancve2cvelist2nvd2veracode1ubuntucve3cve2f52redhatcve2trellix2amazon1attackerkb1symantec1threatpost1