Jan 21, 2022 - 1:34 a.m.

Security Bulletin: IBM Watson Machine Learning Accelerator is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-4104, CVE-2021-44228, CVE-2021-45046)

2022-01-21 01:34:55
www.ibm.com

EPSS: 0.975 (High), percentile 100.0%

Summary

IBM Watson Machine Learning Accelerator uses Apache Log4j as part of its logging infrastructure and is affected by CVE-2021-45105, CVE-2021-4104, CVE-2021-44228 and CVE-2021-45046. The fix includes Apache Log4j v2.17.1.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Watson Machine Learning Accelerator | 1.2.2; 1.2.3 |
| IBM Watson Machine Learning Accelerator | 2.2.0; 2.2.1 |
| IBM Watson Machine Learning Accelerator | 2.3.0; 2.3.1; 2.3.2; 2.3.3; 2.3.4 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Affected Product(s) | Version(s) | Remediation |
|---|---|---|
| IBM Watson Machine Learning Accelerator | 1.2.2; 1.2.3 | 1.2.2 fix patch: wmla-1.2.2-build600973; 1.2.3 fix patch: dli-1.2.3-build600964-wmla |
| IBM Watson Machine Learning Accelerator | 2.2.0; 2.2.1 | To address the vulnerabilities, upgrade to IBM Watson Machine Learning Accelerator 2.2.2: <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning> |
| IBM Watson Machine Learning Accelerator | 2.3.0; 2.3.1; 2.3.2; 2.3.3; 2.3.4 | To address the vulnerabilities, upgrade to IBM Watson Machine Learning Accelerator 2.3.5: <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade> |

Workarounds and Mitigations

None