-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0709
   Security Bulletin: IBM WebSphere Application Server and IBM WebSphere
        Application Server Liberty are vulnerable to arbitrary code
             execution and SQL injection due to Apache Log4j.
                             18 February 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   IBM i
                   HP-UX
                   Solaris
                   macOS
                   z/OS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23307 CVE-2022-23305 CVE-2022-23302

Reference:         ESB-2022.0666
                   ESB-2022.0558
                   ESB-2022.0425.2
                   ESB-2022.0421

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6557248

Comment: CVSS (Max):  9.8 CVE-2022-23307 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: IBM

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM WebSphere Application Server and IBM WebSphere
Application Server Liberty are vulnerable to arbitrary code execution and SQL
injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305)


Document Information

Product:              WebSphere Application Server
Software version:     7.0, 8.0, 8.5, 9.0, Liberty
Operating system(s):  AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS, Mac OS
Document number:      6557248
Modified date:        17 February 2022
UID:                  ibm16557248


Summary

Multiple vulnerabilities exist in the Apache Log4j (CVE-2022-23302,
CVE-2022-23305, CVE-2022-23307) library used by IBM WebSphere Application
Server in the Admin Console and UDDI Registry application. The same Apache
library is also used by the IBM WebSphere Application Server Liberty for z/OS
in features zosConnect-1.0 and zosConnect-1.2. All vulnerabilities have been
addressed previously by removing all existing Apache Log4j versions.

Vulnerability Details

CVEID:   CVE-2022-23302
DESCRIPTION:   Apache Log4j could allow a remote authenticated attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
JMSSink. By sending specially-crafted JNDI requests using
TopicConnectionFactoryBindingName configuration, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-23305
DESCRIPTION:   Apache Log4j is vulnerable to SQL injection. A remote attacker
could send specially-crafted SQL statements to the JDBCAppender, which could
allow the attacker to view, add, modify or delete information in the back-end
database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2022-23307
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary
code on the system, caused by an unsafe deserialization in the Apache Chainsaw
component. By sending specially-crafted input, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
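The three CVEs above each live in a specific Log4j 1.x component: JMSSink (CVE-2022-23302), JDBCAppender (CVE-2022-23305) and the Chainsaw package (CVE-2022-23307). The following script is an added example, not IBM's or AusCERT's code, that looks for those components in a JAR and for JDBCAppender wiring in a log4j.properties file, so an operator can confirm that no Log4j 1.x copy remains once PH42762 has been applied. The class names are those of the Log4j 1.2 code base; the sample JAR and properties file are constructed inline for the demonstration.

```python
"""Added example (not IBM's or AusCERT's code): look for the Log4j 1.x
components named in this bulletin, JMSSink (CVE-2022-23302), JDBCAppender
(CVE-2022-23305) and the Chainsaw package (CVE-2022-23307), inside a JAR and
in a log4j.properties file. Class names are those of the Log4j 1.2 code base;
the sample JAR and properties file are constructed here for the demonstration."""
import io
import re
import zipfile

# JAR entries tied to each CVE in the bulletin. A trailing "/" marks a whole
# package, since Chainsaw spans many classes.
VULNERABLE_ENTRIES = {
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",
}

# Appender classes that can be wired in through log4j.properties. JMSSink and
# Chainsaw are standalone receivers, so they never appear as appenders.
VULNERABLE_APPENDER_CLASSES = {
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# Matches "log4j.appender.<name>=<class>" only; sub-keys such as
# "log4j.appender.db.URL=..." carry a dot after the name and do not match.
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*(\S+)\s*$")


def scan_jar(jar_bytes):
    """Return {jar entry: CVE} for vulnerable Log4j 1.x entries in the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            for entry, cve in VULNERABLE_ENTRIES.items():
                if name == entry or (entry.endswith("/") and name.startswith(entry)
                                     and name.endswith(".class")):
                    findings[name] = cve
    return findings


def scan_properties(text):
    """Return [(line number, appender name, class, CVE)] for risky appenders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = APPENDER_RE.match(line)
        if m and m.group(2) in VULNERABLE_APPENDER_CLASSES:
            findings.append((lineno, m.group(1), m.group(2),
                             VULNERABLE_APPENDER_CLASSES[m.group(2)]))
    return findings


def build_sample_jar():
    """Constructed sample: an archive laid out like a Log4j 1.2 JAR (empty class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF",
                     "org/apache/log4j/Logger.class",
                     "org/apache/log4j/net/JMSSink.class",
                     "org/apache/log4j/chainsaw/Main.class"):
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed sample configuration: the "db" appender places every log message
# inside a SQL statement, which is the pattern CVE-2022-23305 concerns.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, db
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:db2://dbhost:50000/APPDB
log4j.appender.db.sql=INSERT INTO APP_LOG (MSG) VALUES ('%m')
"""

if __name__ == "__main__":
    for entry, cve in sorted(scan_jar(build_sample_jar()).items()):
        print(f"{cve}: {entry}")
    for lineno, name, cls, cve in scan_properties(SAMPLE_PROPERTIES):
        print(f"{cve}: appender '{name}' uses {cls} (line {lineno})")
```

In practice `scan_jar` would be run over every `*.jar` under the WebSphere installation and profile directories (and over nested JARs inside EARs/WARs), and `scan_properties` over any log4j.properties shipped with applications; a hit on either means the component the bulletin describes is still deployable.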


Affected Products and Versions

+---------------------------------------+-------------------+
|Affected Product(s)                    |Version(s)         |
+---------------------------------------+-------------------+
|IBM WebSphere Application Server       |9.0                |
+---------------------------------------+-------------------+
|IBM WebSphere Application Server       |8.5                |
+---------------------------------------+-------------------+
|IBM WebSphere Application Server       |8.0                |
+---------------------------------------+-------------------+
|IBM WebSphere Application Server       |7.0                |
+---------------------------------------+-------------------+
|IBM WebSphere Application Server       |17.0.0.3 -         |
|Liberty                                |21.0.0.12          |
+---------------------------------------+-------------------+


Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by applying a
currently available interim fix or fix pack that contains APAR PH42762. The
interim fix PH42762 was provided previously with Security Bulletin: Multiple
vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and
IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046) and
the interim fix PH42762 addresses these vulnerabilities for the affected IBM
WebSphere Application Server and IBM WebSphere Application Server Liberty.

For IBM WebSphere Application Server Liberty 17.0.0.3 - 21.0.0.12 using the
zosConnect-1.0 or zosConnect-1.2 feature:

o Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
- --OR--
o Apply Fix Pack 22.0.0.1 or later.

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.10:
o Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
- --OR--
o Apply Fix Pack 9.0.5.11 or later (when available).

For V8.5.0.0 through 8.5.5.20:
o Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH42762
- --OR--
o Apply Fix Pack 8.5.5.21 or later (when available).

For V8.0.0.0 through 8.0.0.15:
o Upgrade to 8.0.0.15 and then apply Interim Fix PH42762
 

For V7.0.0.0 through 7.0.0.45:
o Upgrade to 7.0.0.45 and then apply Interim Fix PH42762
 

Additional interim fixes may be available and linked off the interim fix
download page.

After applying the interim fix, follow the Required next steps provided
previously with Security Bulletin: Multiple vulnerabilities in Apache log4j
affect the IBM WebSphere Application Server and IBM WebSphere Application
Server Liberty (CVE-2021-4104, CVE-2021-45046)

IBM WebSphere Application Server V7.0 and V8.0 are no longer in full support;
IBM recommends upgrading to a fixed, supported version/release/platform of the
product.
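The remediation blocks above define, per release stream, an affected range, the interim fix that closes it and (where one is planned) the fix pack that supersedes the interim fix. The script below is an added example, not IBM's or AusCERT's tooling, that encodes those ranges so an inventory of WebSphere levels can be classified as affected, fixed or not affected; it also applies the bulletin's condition that Liberty is affected only when zosConnect-1.0 or zosConnect-1.2 is enabled. The product labels, status strings and sample inventory are this example's own conventions, not IBM identifiers.

```python
"""Added example, not IBM's or AusCERT's tooling: classify a WebSphere
Application Server level against the affected ranges and fixes in this
bulletin (APAR PH42762; fix packs 9.0.5.11, 8.5.5.21 and Liberty 22.0.0.1).
Product labels, status strings and the sample inventory are conventions of
this example only."""
from collections import namedtuple

INTERIM_FIX = "PH42762"
ZOSCONNECT_FEATURES = {"zosConnect-1.0", "zosConnect-1.2"}

# One entry per "For V... through ..." block in Remediation/Fixes.
# stream: number of leading version components that must match for the entry
# to apply (2 keeps 9.0.x apart from 8.5.x; 0 means any Liberty level).
# fixpack: first fix pack that no longer needs the interim fix (None if the
# bulletin lists no fix pack for that stream).
Range = namedtuple("Range", "product stream first last fixpack remediation")
AFFECTED = [
    Range("traditional", 2, (9, 0, 0, 0), (9, 0, 5, 10), (9, 0, 5, 11),
          "upgrade to the minimal fix pack level required by interim fix PH42762 "
          "and apply it, or apply Fix Pack 9.0.5.11 or later (when available)"),
    Range("traditional", 2, (8, 5, 0, 0), (8, 5, 5, 20), (8, 5, 5, 21),
          "upgrade to the minimal fix pack level required by interim fix PH42762 "
          "and apply it, or apply Fix Pack 8.5.5.21 or later (when available)"),
    Range("traditional", 2, (8, 0, 0, 0), (8, 0, 0, 15), None,
          "upgrade to 8.0.0.15 and apply interim fix PH42762 "
          "(V8.0 is no longer in full support; plan a move to a supported release)"),
    Range("traditional", 2, (7, 0, 0, 0), (7, 0, 0, 45), None,
          "upgrade to 7.0.0.45 and apply interim fix PH42762 "
          "(V7.0 is no longer in full support; plan a move to a supported release)"),
    Range("liberty", 0, (17, 0, 0, 3), (21, 0, 0, 12), (22, 0, 0, 1),
          "upgrade to the minimal fix pack level required by interim fix PH42762 "
          "and apply it, or apply Fix Pack 22.0.0.1 or later"),
]


def parse_version(text):
    """'9.0.5' -> (9, 0, 5, 0): four components so tuple comparison is uniform."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def assess(product, version, applied_ifixes=(), features=()):
    """Classify one server: product is 'traditional' or 'liberty'."""
    v = parse_version(version)
    if product == "liberty" and not ZOSCONNECT_FEATURES.intersection(features):
        return {"status": "not_affected",
                "detail": "Liberty is affected only with zosConnect-1.0 or zosConnect-1.2 enabled"}
    for r in AFFECTED:
        if r.product != product or v[:r.stream] != r.first[:r.stream]:
            continue
        if r.first <= v <= r.last:
            if INTERIM_FIX in applied_ifixes:
                return {"status": "fixed",
                        "detail": "interim fix PH42762 applied; complete the Required next steps "
                                  "from the earlier log4j bulletin"}
            return {"status": "affected", "detail": r.remediation}
        if r.fixpack is not None and v >= r.fixpack:
            return {"status": "fixed",
                    "detail": "at or above fix pack " + ".".join(map(str, r.fixpack))}
    return {"status": "not_affected",
            "detail": "level is outside the ranges listed in the bulletin"}


# Constructed inventory for the demonstration (hostnames are placeholders):
# (host, product, level, applied interim fixes, enabled Liberty features).
SAMPLE_INVENTORY = [
    ("was-prod-01", "traditional", "9.0.5.8", [], []),
    ("was-prod-02", "traditional", "9.0.5.8", ["PH42762"], []),
    ("liberty-z-01", "liberty", "21.0.0.12", [], ["zosConnect-1.2"]),
    ("liberty-web-01", "liberty", "21.0.0.12", [], ["servlet-4.0"]),
]


def report(inventory):
    """Return [(host, status)] for every server in the inventory."""
    return [(host, assess(product, level, ifixes, feats)["status"])
            for host, product, level, ifixes, feats in inventory]


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY):
        print(f"{host:16} {status}")
```

The installed level and the list of applied interim fixes come from the `versionInfo` / `historyInfo` commands of the installation, and the enabled Liberty features from each server's `server.xml`; note that "fixed" for an interim fix still assumes the Required next steps of the earlier bulletin were carried out.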

Workarounds and Mitigations

If the interim fixes in PH42762 cannot be applied immediately, and the
mitigation steps have not been applied previously for Security Bulletin:
Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application
Server and IBM WebSphere Application Server Liberty
(CVE-2021-4104, CVE-2021-45046), then follow the temporary mitigation steps for
WebSphere Application Server traditional in Security Bulletin: Multiple
vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and
IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046). Due
to the severity, complexity, and evolving nature of the situation, no
mitigation is recommended as a substitute for applying the interim fix.


Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3


Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM
WebSphere Application Server and IBM WebSphere Application Server Liberty
(CVE-2021-4104, CVE-2021-45046)

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 Feb 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----