Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.4256.2
Security Bulletin: Vulnerability in Apache Log4j affects
some features of IBM® Db2® (CVE-2021-44228)
10 June 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM DB2
Publisher: IBM
Operating System: AIX
Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2021-44228
Reference: ASB-2021.0244.3
ESB-2021.4186.3
Original Bulletin:
https://www.ibm.com/support/pages/node/6526462
Comment: CVSS (Max): 10.0 CVE-2021-44228 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: IBM
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Revision History: June 10 2022: Updated related links for other Log4j bulletins.
December 15 2021: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability in Apache Log4j affects some features of IBM® Db2®
(CVE-2021-44228)
Document Information
Document number : 6526462
Modified date : 06 June 2022
Product : DB2 for Linux- UNIX and Windows
Software version : 11.5
Operating system(s): AIX
Linux
Windows
Summary
Apache Log4j open source library used by IBM Db2 is affected by a vulnerability
that could allow a remote attacker to execute arbitrary code on the system.
This library is used by the Db2 Federation feature. The fix for the
vulnerability is to update the log4j library. Please see CVE-2021-4104 for
bulletin relating to Log4j V1. Please see CVE-2021-44832, CVE-2021-45046 and
CVE-2021-45105 for bulletins relating to Log4j V2. Updating log4j to a version
2.15.0 or higher also addresses CVE-2021-4104.
Vulnerability Details
CVEID: CVE-2021-44228
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary
code on the system, caused by the failure to protect against attacker
controlled LDAP and other JNDI related endpoints by JNDI features. By sending a
specially crafted code string, an attacker could exploit this vulnerability to
load arbitrary Java code on the server and take complete control of the system.
Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
Fix pack levels of IBM Db2 V11.5 for all editions on all platforms are affected
only if the following features are configured:
Federation:
DVM JDBC wrapper driver,
NoSQL wrapper driver (for Hadoop),
Blockchain wrapper driver (for Hyperledger Fabric, Linux 64-bit, x86-64
only)
IBM Db2 V9.7, V10.1, V10.5 and V11.1 are not affected.
To determine if Federation is enabled, issue the following:
db2 get dbm cfg | grep FEDERATED
If a value of NO is returned, you are not vulnerable.
You can determine if you are using one of the affected wrappers by performing:
To determine if the DVM JDBC wrapper is in use, issue the following statement:
db2 "select servername from syscat.serveroptions where option = 'DRIVER_CLASS'
and setting = 'com.rs.jdbc.dv.DvDriver'"
If a servername is returned, then you are using the DVM JDBC wrapper via the
DvDriver class.
To determine if the NoSQL hadoop wrapper is in use, issue the following
statement:
db2 "select * from syscat.servers where servertype = 'HDFSPARQUET'"
If 1 or more rows are returned, then NoSQL hadoop wrapper is in use.
To determine if the NoSQL Blockchain wrapper is in use, issue the following
statement:
db2 "select * from syscat.serveroptions where option='PEER_URL'"
If 1 or more rows are returned, then NoSQL Blockchain wrapper is in use.
Remediation/Fixes
Customers running any vulnerable fixpack level of an affected Program, V11.5,
can download the special build containing the interim fix for this issue from
Fix Central. These special builds are available based on the most recent
fixpack level for the V11.5.6 and V11.5.7 release. They can be applied to any
affected fixpack level of the appropriate release to remediate this
vulnerability.
+-------+-----------------+-------+-------------------------------------------+
|Release|Fixed in fix pack|APAR |Download URL |
+-------+-----------------+-------+-------------------------------------------+
|V11.5 |TBD |IT39389|Special Build for V11.5.6: |
| | | | |
| | | |AIX 64-bit |
| | | |Linux 32-bit, x86-32 |
| | | |Linux 64-bit, x86-64 |
| | | |Linux 64-bit, POWER little endian |
| | | |Linux 64-bit, System z, System z9 or |
| | | |zSeries |
| | | |Windows 32-bit, x86 |
| | | |Windows 64-bit, x86 |
+-------+-----------------+-------+-------------------------------------------+
|V11.5 |TBD |IT39389|Special Build for V11.5.7: |
| | | | |
| | | |AIX 64-bit |
| | | |Linux 32-bit, x86-32 |
| | | |Linux 64-bit, x86-64 |
| | | |Linux 64-bit, POWER little endian |
| | | |Linux 64-bit, System z, System z9 or |
| | | |zSeries |
| | | |Windows 32-bit, x86 |
| | | |Windows 64-bit, x86 |
+-------+-----------------+-------+-------------------------------------------+
Workarounds and Mitigations
A user with SYSADM authority should preform the following:
db2stop
db2set DB2_JVM_STARTARGS="-Dlog4j2.formatMsgNoLookups=true"
db2start
See Security Bulletin: Vulnerability in Apache Log4j affects some features of
IBM Db2 (CVE-2021-4104)
See Security Bulletin: A vulnerability in Apache Log4j affects some features of
IBM Db2 (CVE-2021-44832)
See Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some
features of IBM Db2 (CVE-2021-45046, CVE-2021-45105)
Acknowledgement
Change History
06 June 2022: Updated related links for other Log4j bulletins.
21 Dec 2021: Links for 11.5.7 Windows 32-bit and Windows 64-bit have been added
20 Dec 2021: Links for 11.5.6 Windows 32-bit and Windows 64-bit have been added
16 Dec 2021: Updated to reflect that all Db2 editions are impacted. Added
instructions to determine if Federation is enabled.
16 Dec 2021: Added fix pack links for 11.5.7 special builds on AIX 64-bit,
Linux 64-bit, Linux 64-bit POWER little endian
15 Dec 2021: Added fix pack links for 11.5.6 special builds on AIX 64-bit,
Linux 32-bit, Linux 64-bit, Linux 64-bit POWER little endian, Linux 64-bit
System z, System z9 or zSeries
Added fix pack links for 11.5.7 special builds on Linux 32-bit, Linux 64-bit
System z, System z9 or zSeries
14 Dec 2021: Initial Publication
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBYqKoL8kNZI30y1K9AQi9QA//RHNXbUgycRqLb4VhD9AqPYWp0fgXXeLo
9ExMVP4tVdyPWq7prQ7WHB0Um863HriwNCdWKVRu/I0BtO7T9RjiJIzFiGmi3Hmu
cKBhdBE8mlxyknIWUVCsJEAqZQ7G7YWNFgb591KJ2rcKoscycUjy/ibfru5PrX8T
5D/lFrW9zzwlXKNfuGR6spGEngo+evaYlCySGHEZL8NbmRIW8zVrqM2mPZvrp1PQ
K2U5Go7QfGzgE10BtCbxu2WHOkF8n9qjTQs/mWK+R/UXFJCjcmpSJe5tB9h6okDV
k62H/Vz+O5v3CNk9qCE0kAb5kJ/6mG0nV/3SNqOv1tr1+p4siICEpzpf542oVC5k
2fezXER8Ks/AwADKkg8AbX6lZ1dC7TvB6Fm+/Kqbu7+tnPIQuOCpRuFdapW8XB4l
+VMC6xKoJejORJgKSN09pM3H5LRCEA1fZClRD/kM4Jxd0xJWDM5HHSBEJgFPrfnN
WZxfHw1GHhfA2DADT9SKfMW0k7DglGBX2MgUNwuoH7V9CyUZE79qvUi13w33Bx/+
bYFf4vZDtCVa2Dos72TBEHRZrladzprZ+kNqV401ojyTMe0VpdKJL82cL1Oalu3a
9jPBjTPKiatcjMTsoaSzIsDwG0OVcTI5EUdvDfx65ANUQk2tdHkAusyMqad4fMmz
FONeCUFipD4=
=dC09
-----END PGP SIGNATURE-----