-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.0044.2
  Security Bulletin: Multiple vulnerabilities in Apache log4j affect IBM
       WebSphere Application Server (CVE-2021-45105, CVE-2021-44832)
                              10 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server
Publisher:         IBM
Operating System:  IBM i
                   AIX
                   HP-UX
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-45105 CVE-2021-44832 

Reference:         ASB-2021.0244.6

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6538148

Revision History:  January 10 2022: Vendor added references re temporary mitigation
                   January  5 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in Apache log4j affect IBM WebSphere Application
Server (CVE-2021-45105, CVE-2021-44832)

Document Information

Document number    : 6538148
Modified date      : 07 January 2022
Product            : WebSphere Application Server
Software version   : 8.5, 9.0
Operating system(s): AIX
                     HP-UX
                     IBM i
                     Linux
                     Solaris
                     Windows
                     z/OS
Edition            : Advanced, Base, Developer, Enterprise, Express, Network Deployment, Single Server

Summary

There are vulnerabilities in the Apache log4j library used by IBM WebSphere
Application Server traditional in the Admin Console and UDDI Registry
application. IBM WebSphere Application Server addresses them by removing log4j
from the Admin Console and UDDI Registry application.

Vulnerability Details

CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the
failure to protect from uncontrolled recursion from self-referential lookups. A
remote attacker with control over Thread Context Map (MDC) input data could
craft malicious input data that contains a recursive lookup to cause a
StackOverflowError that will terminate the process. Note: The vulnerability is
also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-44832
DESCRIPTION: Apache Log4j could allow a remote attacker with permission to
modify the logging configuration file to execute arbitrary code on the system.
By constructing a malicious configuration using a JDBC Appender with a data
source referencing a JNDI URI, an attacker could exploit this vulnerability to
execute remote code.
CVSS Base score: 6.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
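
The CVE-2021-44832 description above names a concrete configuration pattern: a JDBC Appender whose connection comes from a JNDI-resolved data source. The following is an added example (not IBM's or Apache's code) that audits a log4j2 XML configuration for that pattern, so an administrator can find log4j instances outside the WebSphere components the bulletin covers that would be exposed if their configuration file were ever modified. Both configurations in the block are constructed samples; the element and attribute names (JDBC, Appender type="JDBC", DataSource, jndiName, DriverManager) are the ones log4j2's XML configuration uses.

```python
# Added example (not IBM's or Apache's code): flag JDBC appenders in a log4j2 XML
# configuration whose connection source is a JNDI-resolved DataSource, the
# configuration shape CVE-2021-44832 describes. Sample configs are constructed.
import xml.etree.ElementTree as ET

# Constructed sample: JDBC appender backed by a JNDI DataSource (the pattern to flag).
RISKY_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="dbAppender"/>
      <AppenderRef ref="stdout"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: same appender in the strict <Appender type="..."> form, but the
# connection is a DriverManager JDBC URL with no JNDI lookup, so nothing is flagged.
SAFE_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <Appender type="JDBC" name="dbAppender" tableName="application_log">
      <DriverManager connectionString="jdbc:postgresql://db.internal:5432/logs"
                     userName="logwriter" password="placeholder"/>
      <Column name="message" pattern="%message"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>
"""


def _local(tag):
    """Strip a namespace prefix ('{uri}JDBC' -> 'JDBC') so matching ignores namespaces."""
    return tag.rsplit('}', 1)[-1]


def _is_jdbc_appender(elem):
    # log4j2 accepts the plugin-named form <JDBC ...> and the strict form
    # <Appender type="JDBC" ...>; treat both the same way.
    tag = _local(elem.tag)
    return tag == 'JDBC' or (tag == 'Appender' and elem.get('type', '').upper() == 'JDBC')


def _is_jndi_datasource(elem):
    # <DataSource jndiName="..."/>, or a strict-form child declared with type="DataSource".
    is_ds = _local(elem.tag) == 'DataSource' or elem.get('type') == 'DataSource'
    return is_ds and bool(elem.get('jndiName'))


def find_jndi_jdbc_appenders(xml_text):
    """Return [(appender_name, jndi_name), ...] for every JDBC appender whose
    connection source is a JNDI-resolved DataSource; [] when the config is clean."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        for child in appender:
            if _is_jndi_datasource(child):
                findings.append((appender.get('name', '<unnamed>'), child.get('jndiName')))
    return findings


if __name__ == '__main__':
    for label, cfg in (('risky', RISKY_CONFIG), ('safe', SAFE_CONFIG)):
        hits = find_jndi_jdbc_appenders(cfg)
        print(label, '->', hits if hits else 'no JNDI-backed JDBC appender')
```

The check is deliberately narrow: it only reads XML configurations (log4j2 also accepts JSON, YAML and properties files) and only reports the JDBC-plus-JNDI combination, so it is a triage aid for locating exposed configurations, not a substitute for the patching the bulletin recommends.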

Affected Products and Versions

+----------------------------+----------+
|Affected Product(s)         |Version(s)|
+----------------------------+----------+
|WebSphere Application Server|9.0       |
+----------------------------+----------+
|WebSphere Application Server|8.5       |
+----------------------------+----------+

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF
containing the APAR PH42762 for each named product as soon as possible. The
interim fix PH42762 was provided previously with Security Bulletin: Multiple
vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and
IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046), and
it also addresses these vulnerabilities for the affected IBM WebSphere
Application Server 8.5 and 9.0 versions. Note: IBM WebSphere Application Server
7.0, 8.0 and IBM WebSphere Application Server Liberty are not affected.

For WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.10:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
- --OR--
. Apply Fix Pack 9.0.5.11 or later (when available).

For V8.5.0.0 through 8.5.5.20:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
- --OR--
. Apply Fix Pack 8.5.5.21 or later (when available).

Additional interim fixes may be available and linked off the interim fix
download page.
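
The two version ranges above, the interim fix and the Fix Pack levels that supersede it are the whole of the remediation decision for WebSphere Application Server traditional. The following added example (not IBM's code) encodes that decision so it can be run over an inventory of servers: the ranges and the APAR number are taken from this bulletin, while the version strings and the list of already-installed APARs are constructed inputs (how the inventory is gathered is an assumption and is not something the bulletin specifies).

```python
# Added example (not IBM's code): classify a WebSphere Application Server traditional
# version against the affected ranges this bulletin lists and state which remedy
# applies. Ranges and APAR come from the bulletin; version strings are constructed.

INTERIM_FIX = "PH42762"

# (first affected, last affected, first Fix Pack carrying the fix), per the bulletin.
AFFECTED_RANGES = [
    ((9, 0, 0, 0), (9, 0, 5, 10), (9, 0, 5, 11)),
    ((8, 5, 0, 0), (8, 5, 5, 20), (8, 5, 5, 21)),
]


def parse_version(text):
    """'9.0.5.7' -> (9, 0, 5, 7). Shorter strings are right-padded with zeros so that
    '8.5' compares as 8.5.0.0; anything that is not 2 to 4 dotted integers is rejected."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected WebSphere version string: %r" % text)
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def fmt(version):
    """(9, 0, 5, 11) -> '9.0.5.11'."""
    return ".".join(str(n) for n in version)


def assess(version_text, installed_apars=()):
    """Return (affected, recommendation).

    installed_apars is the set of APARs already applied to the server (assumed to come
    from the server's own fix inventory); if PH42762 is among them the bulletin's fix
    is already in place and the version range no longer matters."""
    version = parse_version(version_text)
    for low, high, fixed_in in AFFECTED_RANGES:
        if low <= version <= high:
            if INTERIM_FIX in installed_apars:
                return (False, "%s already has %s applied" % (fmt(version), INTERIM_FIX))
            return (True,
                    "%s is within affected range %s-%s: apply interim fix %s "
                    "(after the minimum fix pack level it requires) or upgrade to "
                    "Fix Pack %s or later" % (fmt(version), fmt(low), fmt(high),
                                               INTERIM_FIX, fmt(fixed_in)))
    return (False, "%s is outside the ranges this bulletin lists as affected" % fmt(version))


if __name__ == "__main__":
    # Constructed sample inventory: (version string, APARs already installed).
    inventory = [
        ("9.0.5.7", ()),
        ("9.0.5.7", ("PH42762",)),
        ("8.5.5.20", ()),
        ("9.0.5.11", ()),
        ("7.0.0.45", ()),
    ]
    for ver, apars in inventory:
        affected, why = assess(ver, apars)
        print("%-9s %-12s affected=%s  %s" % (ver, ",".join(apars) or "-", affected, why))
```

Versions at or above the Fix Pack level the bulletin names (9.0.5.11, 8.5.5.21) fall outside the affected ranges and are reported as such, as are 7.0 and 8.0, which the bulletin states are not affected; a server inside a range is only cleared when PH42762 appears in its installed APARs.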

Workarounds and Mitigations

If the interim fixes in PH42762 cannot be applied immediately, and the
mitigation steps from Security Bulletin: Multiple vulnerabilities in Apache
log4j affect the IBM WebSphere Application Server and IBM WebSphere Application
Server Liberty (CVE-2021-4104, CVE-2021-45046) have not already been applied,
then follow the temporary mitigation steps for WebSphere Application Server
traditional given in that bulletin. Due to the severity, complexity, and
evolving nature of the situation, no mitigation is recommended as a substitute
for patching.

Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM
WebSphere Application Server and IBM WebSphere Application Server Liberty
(CVE-2021-4104, CVE-2021-45046)

Acknowledgement

Change History

04 Jan 2022: Initial Publication
07 Jan 2022: Added reference to temporary mitigation

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----