Our clients’ security is and remains IBM’s top concern. The recent Apache Log4j CVEs affect security on multiple fronts. Cloudera Data Platform Private Cloud Base (CDP Base) with IBM and related products use Apache Log4j to process messages. Log message processing is vulnerable to the following:
- arbitrary code execution (CVE-2022-23302, CVE-2021-44832)
- denial of service (CVE-2021-45105)
- default file permissions (CVE-2022-21704)
- remote code execution (CVE-2021-45046)
- SQL injection (CVE-2022-23305)
IBM strongly recommends that customers upgrade to the latest CDP Base release and apply the fix. We’re pleased to announce that the fix for Apache Log4j 1.x and 2.x is now available on IBM Passport Advantage. This fix applies to CDP Base 7.1.6 and 7.1.7.
Please visit the IBM Security Bulletin for Apache Log4j v2.17.1 remediation and instructions.