-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4295
Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM
        WebSphere Application Server and IBM WebSphere Application
              Server Liberty (CVE-2021-4104, CVE-2021-45046)
                             17 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
                   IBM WebSphere Application Server Liberty
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
                   macOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-45046 CVE-2021-4104 

Reference:         ESB-2021.4186.3

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6526750

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application
Server and IBM WebSphere Application Server Liberty (CVE-2021-4104,
CVE-2021-45046)

Document Information

Document number    : 6526750
Modified date      : 15 December 2021
Product            : WebSphere Application Server
Component          : Liberty
Software version   : 7.0, 8.0, 8.5, 9.0, Liberty
Operating system(s): AIX
                     HP-UX
                     IBM i
                     Linux
                     Solaris
                     Windows
                     z/OS
                     Mac OS
Edition            : Advanced,Base,Developer,Enterprise,Express,Network Deployment,Single Server,Liberty

Summary

There is a vulnerability in the Apache log4j library used by IBM WebSphere
Application Server in the Admin Console and UDDI Registry application and used
by the IBM WebSphere Application Server Liberty for z/OS in features
zosConnect-1.0 and zosConnect-1.2. This has been addressed in IBM WebSphere
Application Server by removing log4j from the Admin Console and UDDI Registry
application. This has been addressed in IBM WebSphere Application Server
Liberty for z/OS by removing log4j from the zosConnect-1.0 and zosConnect-1.2
features.

Vulnerability Details

CVEID: CVE-2021-4104
DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary
code on the system, caused by the deserialization of untrusted data when the
attacker has write access to the Log4j configuration. If the deployed
application is configured to use JMSAppender, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
215048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by an
incomplete fix of CVE-2021-44228 in certain non-default configurations. A
remote attacker with control over Thread Context Map (MDC) input data or a
Thread Context Map pattern could exploit this vulnerability to craft malicious
input data using a JNDI Lookup pattern and cause a denial of service.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+------------------------------------+-------------------+
|Affected Product(s)                 |Version(s)         |
+------------------------------------+-------------------+
|WebSphere Application Server Liberty|Continuous delivery|
+------------------------------------+-------------------+
|WebSphere Application Server        |9.0                |
+------------------------------------+-------------------+
|WebSphere Application Server        |8.5                |
+------------------------------------+-------------------+
|WebSphere Application Server        |8.0                |
+------------------------------------+-------------------+
|WebSphere Application Server        |7.0                |
+------------------------------------+-------------------+

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF
containing the APAR PH42762 for each named product as soon as possible.

For WebSphere Application Server Liberty 17.0.0.3 - 21.0.0.12 using the
zosConnect-1.0 or zosConnect-1.2 feature:

. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
--OR--
. Apply Fix Pack 22.0.0.1 or later (when available).

For WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.10:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
--OR--
. Apply Fix Pack 9.0.5.11 or later (when available).

For V8.5.0.0 through 8.5.5.20:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
--OR--
. Apply Fix Pack 8.5.5.21 or later (when available).

For V8.0.0.0 through 8.0.0.15:
. Upgrade to 8.0.0.15 and then apply Interim Fix PH42762

For V7.0.0.0 through 7.0.0.45:
. Upgrade to 7.0.0.45 and then apply Interim Fix PH42762

Additional interim fixes may be available and linked off the interim fix
download page.

Required next steps:

1) If the UDDI Registry Application is running on the WebSphere Application
Server, then after applying the Interim Fix PH42762, redeploy the UDDI Registry
Application.

2) The "kc.war" application is removed from the installableApps/ directory by
this fix. If this application has been installed (deployed) to any application
server (separately from isclite.ear), it must be manually uninstalled via the
Admin Console or wsadmin. For instructions on how to determine if kc.war is
installed see question Q9 in our Log4Shell (CVE-2021-44228) FAQ.

Note: WebSphere Application Server V7.0 and V8.0 are no longer in full support;
IBM recommends upgrading to a fixed, supported version/release/platform of the
product.

Workarounds and Mitigations

If the interim fixes in PH42762 cannot be applied immediately, then follow ALL 
of the temporary mitigation steps below. Due to the severity, complexity, and
evolving nature of the situation, no mitigation is recommended as a substitute
for patching.
PH42762 only applies to a minimum fix pack level of 7.0.0.45, 8.0.0.15,
8.5.5.11, and 9.0.5.3. For any customer not on those minimum fix pack levels,
IBM recommends upgrading to at least the minimum fix pack and applying the
interim fix. If a customer cannot apply the interim fix, they may choose to
apply the following temporary workaround to manually remove copies of log4j
that this interim fix removes:

 1. WebSphere Application Server traditional release 9.0 only:
       Remove <WAS_HOME>/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar
        from any system running the WebSphere admin console and restart the
        application server. Note: If any future service (prior to 8.5.5.21 or
        9.0.5.11) is applied to the install, the log4j files will be restored
        without warning.

       o If the kc.war application has been installed then uninstall it. For
         instructions on how to determine if kc.war is installed see question
         Q9 in our Log4Shell (CVE-2021-44228) FAQ.
         Remove <WAS_HOME>/installableApps/kc.war

 2. All WebSphere Application Server traditional releases:
       Users of the UDDI Registry Application: Remove log4j*.jar from within
        the <WAS_HOME>/installableApps/uddi.ear archive and update (redeploy)
        any installed (deployed) copies of the UDDI Registry application.
       Users who do not use the UDDI Registry Application should remove
        <WAS_HOME>/installableApps/uddi.ear

 3. WebSphere Liberty for z/OS users running zosConnect-1.0 or zosConnect-1.2:
       Remove the fileSystemloggerInterceptor configuration element if present
        in the server configuration.
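
The three workaround steps above remove files and a configuration element by
name, which makes the resulting state straightforward to verify. The following
POSIX shell script is an added example and is not part of the IBM bulletin or
the AusCERT redistribution: it audits a WebSphere install for the artefacts the
workaround removes, using only the paths and the element name the bulletin
gives. It assumes <WAS_HOME> is passed as the first argument and, for the
Liberty step, that the server.xml path is passed as the second (the bulletin
names the element but not the file); with no arguments it runs against a
constructed sample tree so the output can be seen without a real install.

```shell
#!/bin/sh
# Added example (not part of the IBM bulletin or the AusCERT text): audit a
# WebSphere install for the log4j copies that the PH42762 workaround removes,
# using only the paths and the element name the bulletin gives. Assumptions:
# $1 is <WAS_HOME>; the optional second argument to the report/count functions
# is a Liberty server.xml path (the bulletin names the element, not the file).

# Workaround step 1 (traditional release 9.0): log4j jars inside the admin
# console's kc.war, and a separately shipped installableApps/kc.war.
check_kc_war() {
    lib="$1/systemApps/isclite.ear/kc.war/WEB-INF/lib"
    [ -d "$lib" ] && find "$lib" -name 'log4j*.jar' | sed 's/^/kc.war log4j jar: /'
    [ -e "$1/installableApps/kc.war" ] && echo "installable kc.war present: $1/installableApps/kc.war"
    return 0
}

# Workaround step 2 (all traditional releases): log4j jars packaged inside the
# UDDI Registry ear. An ear is a zip, and zip stores entry names uncompressed,
# so the names are readable without unzip; an exploded uddi.ear directory is
# handled as well.
check_uddi_ear() {
    ear="$1/installableApps/uddi.ear"
    if [ -d "$ear" ]; then
        find "$ear" -name 'log4j*.jar' | sed 's/^/uddi.ear log4j jar: /'
    elif [ -f "$ear" ]; then
        tr -c '[:print:]' '\n' < "$ear" | grep -o 'log4j[^/[:space:]]*\.jar' | sort -u |
            sed "s|^|uddi.ear log4j jar: $ear!|"
    fi
    return 0
}

# Workaround step 3 (Liberty for z/OS with zosConnect-1.0/1.2): the
# fileSystemloggerInterceptor element in the server configuration.
check_liberty_interceptor() {
    [ -f "$1" ] && grep -n 'fileSystemloggerInterceptor' "$1" | sed "s|^|$1: |"
    return 0
}

# Print every finding; usage: report_log4j_findings <WAS_HOME> [server.xml]
report_log4j_findings() {
    check_kc_war "$1"
    check_uddi_ear "$1"
    [ -n "${2:-}" ] && check_liberty_interceptor "$2"
    return 0
}

# Echo the number of findings; 0 means nothing the workaround targets is left.
count_log4j_findings() {
    report_log4j_findings "$@" | awk 'END { print NR }'
}

# Build a constructed <WAS_HOME> (sample data, not a real install) that still
# carries every artefact the workaround removes, and echo its path.
build_constructed_was_home() {
    root=$(mktemp -d)
    mkdir -p "$root/systemApps/isclite.ear/kc.war/WEB-INF/lib" "$root/installableApps"
    : > "$root/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-sample.jar"
    : > "$root/installableApps/kc.war"
    # Stand-in for the ear: it only mimics the uncompressed entry names a zip
    # central directory carries and is not a valid archive.
    printf 'PK\003\004\000\000lib/log4j-sample.jar\000PK\001\002\000\000lib/log4j-sample.jar\000' \
        > "$root/installableApps/uddi.ear"
    # Constructed Liberty server.xml; the attribute is made up for the sample.
    printf '<server>\n  <fileSystemloggerInterceptor id="sampleLogger"/>\n</server>\n' \
        > "$root/server.xml"
    echo "$root"
}

# Stand-alone run: audit the install given on the command line, or the
# constructed sample when no argument is supplied.
if [ $# -gt 0 ]; then
    report_log4j_findings "$1" "${2:-}"
else
    sample=$(build_constructed_was_home)
    report_log4j_findings "$sample" "$sample/server.xml"
    echo "findings: $(count_log4j_findings "$sample" "$sample/server.xml")"
    rm -r "$sample"
fi
```

The uddi.ear check reads entry names straight from the archive bytes, so it
needs no unzip on the host; an already exploded uddi.ear directory is walked
instead. A count of 0 indicates that nothing the workaround targets remains.
Because the bulletin notes that later service prior to 8.5.5.21 or 9.0.5.11
restores the log4j files without warning, the audit is worth re-running after
any fix pack is applied.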

Change History

15 Dec 2021: Initial Publication

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----