Question
"What should I do with IBM BAW servers to address all vulnerabilities related to log4j?"
If you search for log4j vulnerabilities in IBM BAW, you will find many different security bulletins that cross-post and cross-link to technotes, fixes, and other pages, so it is hard to answer this question without digging deeply through all of that information.
In this article I will try to summarize the current state and the exact fixes you need to apply to make your IBM BAW server(s) secure.
BP3 is actively monitoring the whole situation and will keep this article up to date.
Answer
UPDATE as of end of September 2022:
IBM has posted a technote with a summary of all the BAW versions and the fixes you need to apply to address this vulnerability -
https://www.ibm.com/support/pages/node/6596949
As you know, BAW runs on the IBM WebSphere Application Server (WAS), so we need to address vulnerabilities not only in BAW itself but in WAS as well.
IBM WebSphere 8.5.x Log4j vulnerabilities and corresponding links to technotes that contain fixes:
1) PH42762 (this fix includes the fixes for PH42728, PH37034 and PI97162) - https://www.ibm.com/support/pages/node/6526686
2) PH42759 - https://www.ibm.com/support/pages/node/6526824
IBM BAW 180x/190x/20x/21x Log4j vulnerabilities and corresponding links to technotes that contain fixes:
1) JR64456 - you only need to apply this if you're using Process Federation Server (PFS) - https://www.ibm.com/support/pages/apar/JR64456
2) JR64096 - this fix removes the IBM Knowledge Center Customer Installed (KCCI) .ear and .war files, which enabled you to access the documentation offline, because they contain a number of security vulnerabilities, including the log4j one - https://www.ibm.com/support/pages/apar/JR64096
It is also worth noting that both of these fixes are included in the (currently) latest BAW cumulative fix, 21.0.3, which can be obtained from the following page -
https://www.ibm.com/support/pages/node/6507345
3) There are two more applications that your security scan may flag as vulnerable because they include log4j:
- IBM_BPM_DocumentStore.ear
- CaseEventEmitter.war
Regarding IBM_BPM_DocumentStore.ear - it contains log4j 1.x, which is NOT affected by this vulnerability.
Regarding CaseEventEmitter and Case Manager - IBM Case Manager is not affected by or vulnerable to CVE-2021-44228, for the following reasons -
- In most places, IBM Case Manager components use Log4j 1.x. Log4j 1.x is not affected by this vulnerability.
- There is one IBM Case Manager component that uses Log4j 2.x (the Case event emitter for Business Automation Insights). The Log4j 2.x JAR file included with this component does not contain the vulnerable JndiLookup class.
- More information can be found here: https://www.ibm.com/support/pages/node/6525856
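Because a scanner flags an archive simply for containing a log4j JAR, the triage above comes down to two questions per JAR: is it log4j 1.x or 2.x, and if 2.x, does it still carry the JndiLookup class? The following script is an added example (not BP3's or IBM's tooling) that walks a directory such as a WAS profile or installedApps tree, opens every .ear/.war/.jar including nested ones, and reports each log4j JAR with its version and JndiLookup status. The class-path markers it checks (org/apache/log4j/Logger.class for 1.x, org/apache/logging/log4j/core/ and the JndiLookup class for 2.x) and the sample archives it constructs for the demo are assumptions of this example, not file names from the article.

```python
import io
import os
import re
import sys
import tempfile
import zipfile

ARCHIVE_EXT = (".ear", ".war", ".jar", ".zip")
# Class that CVE-2021-44228 depends on; its removal is the usual mitigation marker.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # present in log4j 1.x jars


def read_version(zf):
    """Best-effort version: Implementation-Version in MANIFEST.MF, else Maven pom.properties."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    except KeyError:
        pass
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            m = re.search(rb"^version=(\S+)", zf.read(name), re.M)
            if m:
                return m.group(1).decode()
    return "unknown"


def inspect_archive(data, path, findings):
    """Recurse through one archive (as bytes) and record any log4j JAR found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = sorted(zf.namelist())
        if JNDI_LOOKUP in names:
            findings.append({"path": path, "family": "log4j 2.x", "version": read_version(zf), "jndi_lookup": True})
        elif any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
            findings.append({"path": path, "family": "log4j 2.x", "version": read_version(zf), "jndi_lookup": False})
        elif LOG4J1_MARKER in names:
            findings.append({"path": path, "family": "log4j 1.x", "version": read_version(zf), "jndi_lookup": False})
        for name in names:  # nested .war inside .ear, .jar inside WEB-INF/lib, etc.
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), path + "!/" + name, findings)


def scan_tree(root):
    """Scan every archive under root; returns a list of finding dicts."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings)
    return findings


def classify(finding):
    """Map a finding to the triage outcome used in the article."""
    if finding["family"] == "log4j 1.x":
        return "not affected by CVE-2021-44228 (log4j 1.x)"
    if finding["jndi_lookup"]:
        return "REVIEW: log4j 2.x with JndiLookup present"
    return "JndiLookup class removed"


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_fixture(root):
    """Constructed sample layout (not real product files): an .ear carrying a log4j 1.x
    jar and a nested .war with a stripped log4j 2.x jar, plus a standalone 2.x jar."""
    log4j1 = _jar_bytes({LOG4J1_MARKER: b"", "META-INF/MANIFEST.MF": b"Implementation-Version: 1.2.17\r\n"})
    log4j2_stripped = _jar_bytes({LOG4J2_CORE_PREFIX + "Core.class": b"",
                                  "META-INF/MANIFEST.MF": b"Implementation-Version: 2.17.1\r\n"})
    log4j2_full = _jar_bytes({JNDI_LOOKUP: b"", LOG4J2_CORE_PREFIX + "Core.class": b"",
                              "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n"})
    war = _jar_bytes({"WEB-INF/lib/log4j-core.jar": log4j2_stripped})
    ear = _jar_bytes({"lib/log4j-1.2.17.jar": log4j1, "emitter.war": war})
    with open(os.path.join(root, "Sample.ear"), "wb") as fh:
        fh.write(ear)
    with open(os.path.join(root, "other-app.jar"), "wb") as fh:
        fh.write(log4j2_full)


def demo():
    """Build the constructed fixture in a temp dir and return {relative path: finding+status}."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        out = {}
        for f in scan_tree(root):
            out[os.path.relpath(f["path"], root)] = dict(f, status=classify(f))
        return out


if __name__ == "__main__":
    # Pass a directory (e.g. a WAS profile's installedApps) to scan it; no argument runs the demo.
    results = ({f["path"]: dict(f, status=classify(f)) for f in scan_tree(sys.argv[1])}
               if len(sys.argv) > 1 else demo())
    for path, f in sorted(results.items()):
        print(f"{path}: {f['family']} {f['version']} -> {f['status']}")
```

Run it against the server's installed application directories to reconcile what the scanner reports with the article's triage: a 1.x hit like IBM_BPM_DocumentStore.ear is not affected, a 2.x JAR without JndiLookup matches the Case event emitter situation, and only a 2.x JAR that still contains JndiLookup needs the APARs above.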