Topic: SECURITY: Apache Log4j vulnerability

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • Posts: 2229
  • CMOD Guru for hire...
SECURITY: Apache Log4j vulnerability
« on: December 11, 2021, 10:10:30 AM »
Apache log4j version 2 is included as a requisite library for CMOD v10.1 and v10.5, and a serious vulnerability has been announced.

ICN v3 uses log4j v1.2.x, which is 'End of Life' -- it will not receive security updates, so you must upgrade to v2.15.x or above to be protected.

CMOD v9.x does not use Apache log4j, so those versions are unaffected.

More information on the Apache Log4j exploit is here:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

There's an article on the Wiki with some more background and discussion of the impact:
https://cmod.wiki/index.php?title=Apache_Log4j_%26_CMOD_ODWEK_ICN

Please discuss / ask your questions here.

-JD.

UPDATES:
IBM Technote on CMOD v10.1:  https://www.ibm.com/support/pages/node/6525892
IBM Technote on CMOD v10.5:  https://www.ibm.com/support/pages/node/6525888
IBM TechNote on WebSphere & log4j:  https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-apache-log4j-affect-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-cve-2021-4104-cve-2021-45046
« Last Edit: March 31, 2022, 07:43:42 AM by Justin Derrick »
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Justin Derrick
Re: SECURITY: Apache Log4j vulnerability
« Reply #1 on: December 13, 2021, 07:32:07 AM »
Hey Ed.

I just checked CMOD v10.5 Fixpack 3, and it still includes a vulnerable version (v2.13) of log4j.

Are you saying the included version was patched against the exploit, or will an interim fix be available shortly?  Or instructions on replacing log4j with v2.15+?

-JD.

Nolan

  • Full Member
  • Posts: 152
Re: SECURITY: Apache Log4j vulnerability
« Reply #2 on: December 13, 2021, 08:59:22 AM »
"You will then need to update the classpath within your application server to reference the new version of these files"

Is this applicable to the base product?  If yes, where do I update?
J.

#zOS #AIX #Windows #Multiplatforms
#DB2 #TSM #ODF #zODF #ODWEK
#CapacityPlanning #AFP #ReportDistribution
#Finance #ICN

rjrussel

  • Full Member
  • Posts: 141
Re: SECURITY: Apache Log4j vulnerability
« Reply #3 on: December 13, 2021, 03:22:31 PM »
Nolan,

What are you running that you are trying to update?

-RR
Nolan
Re: SECURITY: Apache Log4j vulnerability
« Reply #4 on: December 13, 2021, 06:20:50 PM »
I see from the tech note: https://www.ibm.com/support/pages/node/6525888
how to update the cmod-rest.war file.  This one is a little more fun.

For Windows, z/OS and AIX deployments we only use the base product, so the log4j files are not really required/used.  I will replace them with 2.15.0, but I have no classpath in play to update for them.

Let me know if you think I am missing anything.

Thanks
J.


rjrussel
Re: SECURITY: Apache Log4j vulnerability
« Reply #5 on: December 13, 2021, 06:29:15 PM »
You got it, Nolan.

-RR

michaelprouse

  • Newbie
  • Posts: 8
Re: SECURITY: Apache Log4j vulnerability
« Reply #6 on: December 16, 2021, 10:55:17 AM »
With the new vulnerability reported by Apache, do we now have to update these log4j files to 2.16.0?  We just went to 2.15.0....

Justin Derrick
Re: SECURITY: Apache Log4j vulnerability
« Reply #7 on: December 16, 2021, 02:11:07 PM »
Yes, the patch to Apache Log4j 2.16 is recommended.

However, just so you know, there's a new "data exfiltration" bug for Log4j that has been reported to Apache, but in accordance with "responsible disclosure" there is no additional information, only that there will be another patch.

The best thing to do is get the process of rolling out these patches well documented and repeatable for the near future.

-JD.
« Last Edit: December 17, 2021, 07:55:58 AM by Justin Derrick »

Venubv

  • Newbie
  • Posts: 5
Re: SECURITY: Apache Log4j vulnerability
« Reply #8 on: December 18, 2021, 04:43:53 PM »
I've been following the log4j2 vulnerability news closely; the issues with Log4j continue to stack up, and Apache on Friday rolled out yet another patch version - 2.17.0. Another vulnerability was identified and is tracked as CVE-2021-45105.

I do not see an update yet from IBM regarding this vulnerability and if we should be applying the latest patch (2.17.0) to our CMOD 10.5 and ODWEK installs.

-Venu.

« Last Edit: December 18, 2021, 05:45:07 PM by Venubv »

michaelprouse
Re: SECURITY: Apache Log4j vulnerability
« Reply #9 on: December 18, 2021, 08:13:58 PM »
We had a PMR opened and were told to go with the guidance from Apache, so we updated our log4j files to 2.17.0.

Justin Derrick
Re: SECURITY: Apache Log4j vulnerability
« Reply #10 on: December 22, 2021, 05:34:34 AM »
Yup, with more attention comes more scrutiny - there will likely be more announcements of new vulnerabilities found and fixed in log4j in the coming weeks and months.  Document the process so you can get good at upgrading your environment!  :)

-JD.

Venubv
Re: SECURITY: Apache Log4j vulnerability
« Reply #11 on: December 22, 2021, 08:08:14 PM »
IBM's latest recommendation is to apply log4j 2.17.x to CMOD 10.5.

https://www.ibm.com/support/pages/node/6525888

-Venu.
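Several replies in this thread come down to the same check: find every log4j jar an install carries (loose in a lib directory, or nested inside a WAR such as cmod-rest.war), read its version, and compare it with the level IBM ended up recommending (2.17.x), while separately flagging the EOL 1.2.x branch that will never get a fix. The script below is an added example for this thread, not IBM's or Apache's tooling and not something any poster contributed. It assumes the jars declare Implementation-Version in META-INF/MANIFEST.MF (falling back to the version in the file name otherwise); the directory layout, file names and version numbers it lays out in build_demo are constructed for the demo and do not describe a real install.

```python
"""Inventory Log4j jars under an install tree and flag versions below a minimum.
Added example for the forum thread, not IBM/Apache tooling; demo tree is constructed."""
import io
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Level the thread ends on: IBM's recommendation of log4j 2.17.x for CMOD 10.5.
MIN_SAFE = (2, 17, 0)

# Recognise log4j artifact jars by name; log4j-1.2.x.jar is the EOL branch ICN v3 ships.
JAR_NAME = re.compile(r"^log4j(?:-core|-api)?-(\d+(?:\.\d+)+)\.jar$", re.I)


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def manifest_version(data):
    """Read Implementation-Version from META-INF/MANIFEST.MF of a jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None  # jar without a manifest: caller falls back to the file name
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest, re.M)
    return m.group(1) if m else None


def classify(name, data):
    """Return (version, status) for a jar's bytes, or None if it is not a log4j jar."""
    m = JAR_NAME.match(os.path.basename(name))
    if not m:
        return None
    ver = manifest_version(data) or m.group(1)  # manifest is authoritative, name is the fallback
    v = parse_version(ver)
    if v[0] < 2:
        status = "EOL-1.x"  # no security updates for the 1.2 branch, regardless of patch level
    elif v < MIN_SAFE:
        status = "VULNERABLE"  # below the 2.17.x level recommended at the end of the thread
    else:
        status = "OK"
    return ver, status


def scan(root):
    """Walk root; inspect loose jars and jars nested inside .war/.ear archives.
    Returns sorted (relative path, version, status) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".jar":
            res = classify(path.name, path.read_bytes())
            if res:
                findings.append((rel, *res))
        elif path.suffix.lower() in (".war", ".ear"):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    if entry.lower().endswith(".jar"):
                        res = classify(entry, archive.read(entry))
                        if res:
                            findings.append((f"{rel}!{entry}", *res))
    return sorted(findings)


def make_jar(version):
    """Construct a minimal jar whose manifest declares the given version (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()


def build_demo(root):
    """Lay out a constructed tree: a loose 2.13 core jar (the level Reply #1 found in
    10.5 FP3), an EOL 1.2 jar, and a WAR already carrying a 2.17.x jar."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "log4j-core-2.13.0.jar").write_bytes(make_jar("2.13.0"))
    (lib / "log4j-1.2.17.jar").write_bytes(make_jar("1.2.17"))
    with zipfile.ZipFile(Path(root) / "cmod-rest.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_jar("2.17.1"))
    return root


def demo():
    """Build the constructed tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_demo(tmp))


if __name__ == "__main__":
    # Pass an install root to scan a real tree; with no argument the constructed demo runs.
    for rel, ver, status in scan(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(f"{status:<11} {ver:<8} {rel}")
```

Run it against each install root (for example the ODWEK or CMOD server directory and the deployed WAR location) after every jar swap; a clean run shows only OK lines, and the EOL-1.x line is the one no version bump will clear, since that branch has to be replaced rather than updated.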