Lucene search
IBMFFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777DHistoryJan 07, 2022 - 8:05 p.m.
Security Bulletin: Financial Transaction Manager is affected by a vulnerability in Apache log4j (CVE-2021-44228)
2022-01-0720:05:45
www.ibm.com
10
0.976 High
EPSS
Percentile
100.0%
Summary
A vulnerability was identified within the Apache Log4j library that is used by IBM Financial Transaction Manager to provide logging functionality. This vulnerability has been addressed.
Vulnerability Details
CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Affected Version |
|---|---|
| Financial Transaction Manager for ACH Services and Check Services | 3.0.5.5 fix 1 |
| Financial Transaction Manager for Digital Payments (DP) | 3.2.3.0 ifix 2 |
| Financial Transaction Manager for Corporate Payment Services (CPS) | 3.2.4.0 ifix 2 |
| Financial Transaction Manager for Corporate Payment Services (CPS) | 3.2.4.0 ifix 6 |
| Financial Transaction Manager for Corporate Payment Services (CPS) | 3.2.4.0 ifix 9 |
| Financial Transaction Manager for Digital Payments (DP) | 3.2.4.0 ifix 6 |
| Financial Transaction Manager for Digital Payments (DP) | 3.2.5.0 ifix 3 |
| Financial Transaction Manager for Digital Payments (DP) | 3.2.6.1 ifix 4 |
| Financial Transaction Manager for Digital Payments (DP) | 3.2.7.0 ifix 1 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by applying the following interim fix for your release:
Note: See the section ‘Related Information’ below for dependencies.
| Affected Product(s) | Resolved by VRMF | Issue | Fix download link |
|---|---|---|---|
| Financial Transaction Manager for ACH Services and Check Services 3.0.5.5 fix 1 | 3.0.5.5 ifix 2 | 131419 | 3.0.5.5 ifix 2 |
| Financial Transaction Manager for Digital Payments (DP) 3.2.3.0 ifix 2 | 3.2.3.0 ifix 2.1 | 131419 | 3.2.3.0 ifix 2.1 (DP) |
| Financial Transaction Manager for Corporate Payment Services (CPS) 3.2.4.0 ifix 2 | 3.2.4.0 ifix 2.1 | 131419 | 3.2.4.0 ifix 2.1 (CPS) |
| Financial Transaction Manager for Corporate Payment Services (CPS) 3.2.4.0 ifix 6 | 3.2.4.0 ifix 6.1 | 131419 | 3.2.4.0 ifix 6.1 (CPS) |
| Financial Transaction Manager for Digital Payments (DP) 3.2.4.0 ifix 6 | 3.2.4.0 ifix 6.1 | 131419 | 3.2.4.0 ifix 6.1 (DP) |
| Financial Transaction Manager for Corporate Payment Services (CPS) 3.2.4.0 ifix 9 | 3.2.4.0 ifix 9.1 | 131419 | 3.2.4.0 ifix 9.1 (CPS) |
| Financial Transaction Manager for Digital Payments (DP) 3.2.5.0 ifix 3 | 3.2.5.0 ifix 3.1 | 131419 | 3.2.5.0 ifix 3.1 (DP) |
| Financial Transaction Manager for Digital Payments (DP) 3.2.6.1 ifix 4 | 3.2.6.1 ifix 4.1 | 131419 | 3.2.6.1 ifix 4.1 (DP) |
| Financial Transaction Manager for Digital Payments (DP) 3.2.7.0 ifix 1 | 3.2.7.0 ifix 1.1 | 131419 | 3.2.7.0 ifix 1.1 (DP) |
Workarounds and Mitigations
None
Related
ibm
ibm
thn
thn
Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations
2022-08-27 03:23:00
Last Years Open Source - Tomorrow's Vulnerabilities
2022-11-01 12:04:00
NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon
2022-01-08 07:04:00
hivepro
hivepro
Monti ransomware infiltrates networks via the well-known Log4Shell
2022-09-16 10:51:13
Iranian hackers leveraged Log4Shell to penetrate US federal agency
2022-11-17 12:28:57
github
github
Apache Log4j Remote Code Execution
2021-12-14 21:07:14
osv
osv
apache-log4j2 - security update
2021-12-12 00:00:00
apache-log4j2 vulnerability
2021-12-17 12:46:46
apache-log4j2 vulnerability
2021-12-14 13:39:20
githubexploit
githubexploit
Exploit for Improper Input Validation in Apache Log4J
2023-10-25 19:27:00
Exploit for Deserialization of Untrusted Data in Apache Log4J
2023-07-19 18:18:16
Exploit for Deserialization of Untrusted Data in Apache Log4J
2024-06-09 02:49:42
trellix
trellix
Log4J and The Memory That Knew Too Much
2022-01-19 00:00:00
Log4J and The Memory That Knew Too Much
2022-01-19 00:00:00
openvas
openvas
Fedora: Security Advisory for log4j (FEDORA-2021-66d6c484f3)
2021-12-23 00:00:00
Apache JSPWiki 2.11.0 Log4j RCE Vulnerability (Log4Shell) - Active Check
2021-12-20 00:00:00
Mageia: Security Advisory (MGASA-2021-0556)
2022-01-28 00:00:00
nvd
nvd
CVE-2021-44228
2021-12-10 10:15:09
nessus
nessus
suse
suse
Security update for log4j (important)
2021-12-12 00:00:00
ubuntu
ubuntu
Apache Log4j 2 vulnerability
2021-12-17 00:00:00
threatpost
threatpost
Conti Ransomware Gang Has Full Log4Shell Attack Chain
2021-12-20 22:11:30
FTC to Go After Companies that Ignore Log4j
2022-01-05 19:00:03
The Log4j Vulnerability Puts Pressure on the Security World
2022-01-18 20:21:04
fedora
fedora
[SECURITY] Fedora 34 Update: jansi-2.1.1-4.fc34
2021-12-22 01:14:26
[SECURITY] Fedora 34 Update: log4j-2.16.0-1.fc34
2021-12-22 01:14:26
hackerone
hackerone
U.S. Dept Of Defense: Log4Shell: RCE 0-day exploit on █████████
2021-12-16 18:32:13
U.S. Dept Of Defense: ███ ████████ running a vulnerable log4j
2021-12-31 00:55:49
U.S. Dept Of Defense: ██████████ running a vulnerable log4j
2021-12-11 00:16:38
rapid7blog
rapid7blog
Being Naughty to See Who Was Nice: Machine Learning Attacks on Santa’s List
2022-01-14 14:46:41
Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal
2022-02-17 18:00:00
Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations
2021-12-14 21:05:17
cisa
cisa
Ivanti Updates Log4j Advisory with Security Updates for Multiple Products
2022-01-14 00:00:00
mmpc
mmpc
Build a stronger cybersecurity team through diversity and training
2022-01-20 17:00:00
kitploit
kitploit
freebsd
freebsd
graylog -- include log4j patches
2021-12-10 00:00:00
packetstorm
packetstorm
Apache Log4j2 2.14.1 Information Disclosure
2021-12-14 00:00:00
UniFi Network Application Unauthenticated Log4Shell Remote Code Execution
2022-01-24 00:00:00
Intel Data Center Manager 5.1 Local Privilege Escalation
2022-12-09 00:00:00
metasploit
metasploit
Log4Shell HTTP Header Injection
2021-12-29 14:10:07
zdt
zdt
wallarmlab
wallarmlab
Log4j 0day mitigation update CVE-2021-44228
2021-12-10 20:56:40
Update on Log4Shell (CVE-2021-44228)
2021-12-10 20:22:36
akamaiblog
akamaiblog
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
2021-12-17 19:30:00
kaspersky
kaspersky
KLA12390 RCE vulnerability in Apache Log4j
2021-12-10 00:00:00
KLA12392 RCE vulnerability in Microsoft Azure
2021-12-16 00:00:00
qualysblog
qualysblog
Log4Shell – Follow This Multi-Layered Approach for Detection and Remediation
2021-12-28 18:00:00
impervablog
impervablog
Analytics Are Essential for Effective Database Security
2022-01-13 15:23:02
cisa_kev
cisa_kev
Apache Log4j2 Remote Code Execution Vulnerability
2021-12-10 00:00:00
msrc
msrc
CVE-2021-44228 Apache Log4j 2 に対するマイクロソフトの対応
2021-12-12 08:00:00
talosblog
talosblog
How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity
2024-02-21 13:54:48
0.976 High
EPSS
Percentile
100.0%
Related for FFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777D