Apache Log4j Vulnerabilities - Resources for WebSphere Application Server & Liberty Users

By Yee-Kang Chang posted Tue December 14, 2021 05:00 PM

CVE-2021-44228, also known as Log4Shell, a vulnerability in Apache Log4j 2 that allows a remote attacker to execute arbitrary code on an affected system, was reported on Friday, December 10, 2021. Further vulnerabilities have since been reported: CVE-2021-45046 (the fix for Log4Shell in Log4j 2.15.0 was incomplete) and CVE-2021-4104 (in the JMSAppender of Log4j 1.2, exploitable only when that appender is configured).

IBM, including the WebSphere and Liberty team, is actively responding to the reported vulnerabilities.

Here is a list of resources to help WebSphere Application Server and Liberty users respond:

    • Security Bulletin on CVE-2021-4104 and CVE-2021-45046 for WebSphere Application Server, https://www.ibm.com/support/pages/node/6526750. It supersedes the previous bulletin on CVE-2021-44228 and lists the affected versions of WebSphere Application Server traditional and of WebSphere Liberty for z/OS with zosConnect features, together with the recommended mitigation actions:
      • Apply interim fix PH42762 to the affected systems as soon as possible to address the vulnerabilities;

      • Consider interim fix PH42759, which may provide an additional layer of protection: with it, the WebSphere Application Server traditional and Liberty runtimes block loading of the vulnerable classes.
        • Note: do not apply this fix if you are using beta releases of Apache Log4j 2;
        • PH42899 supersedes PH42759 for WebSphere Application Server traditional.
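Whichever fix is applied, the state that matters is what is left on disk afterwards. The scanner below is an added example (not IBM code and not part of any interim fix): it walks an install tree, opens every .jar/.war/.ear, descends into archives packed inside other archives (a plain `find -name "log4j*.jar"` cannot see a log4j-core jar packed inside an .ear) and classifies each hit by the log4j-core version in its Maven pom.properties. The sample tree it builds under a temporary directory is constructed for the demonstration; the jar names and the isclite.ear/kc.war/WEB-INF/lib path mirror the listings discussed in the comments, but the jars themselves contain only marker entries. To run it against a real installation, call scan_tree() on the AppServer root instead. It does not check whether PH42759/PH42899 class blocking is active.

```python
"""Post-fix check for Log4j artifacts in a WebSphere install tree (added example)."""
import io
import os
import re
import tempfile
import zipfile

# Marker entries the scanner keys on (real class paths from Log4j 2 / Log4j 1.2).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); None if the string is not a dotted number."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version):
    """Verdict for a log4j-core that still ships JndiLookup.class."""
    v = parse_version(version)
    if v is None:
        return "JndiLookup present, version unknown: review manually"
    # 2.12.2+ (Java 7) and 2.3.1+ (Java 6) are the fixed maintenance branches.
    if (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1):
        return "fixed branch (2.12.2+/2.3.1+): not affected"
    if v < (2, 15, 0):
        return "CVE-2021-44228: vulnerable"
    if v < (2, 16, 0):
        return "CVE-2021-45046: 2.15.0 incomplete fix"
    return "2.16.0 or later: not affected by CVE-2021-44228/CVE-2021-45046"


def inspect_archive(zf, label):
    """Findings for one open ZipFile and for every archive packed inside it."""
    findings = []
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        version = None
        if POM_PROPS in names:
            m = re.search(rb"^version=(.+)$", zf.read(POM_PROPS), re.M)
            if m:
                version = m.group(1).decode("ascii", "replace").strip()
        findings.append((label, version, assess(version)))
    if JMS_APPENDER in names:
        findings.append((label, None, "JMSAppender class present: "
                         "CVE-2021-4104 applies only if that appender is configured"))
    for name in names:  # recurse into nested jars/wars (e.g. lib/*.jar inside an .ear)
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, label + "!/" + name))
    return findings


def scan_tree(root):
    """Scan every archive under root; returns [(location, version, verdict), ...]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(inspect_archive(zf, os.path.relpath(full, root)))
                except zipfile.BadZipFile:
                    continue
    return findings


def _jar(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed stand-in for an AppServer tree; NOT real IBM payloads."""
    core_2141 = _jar({JNDI_LOOKUP: b"", POM_PROPS: b"version=2.14.1\n"})
    core_2150 = _jar({JNDI_LOOKUP: b"", POM_PROPS: b"version=2.15.0\n"})
    slf4j = _jar({"org/slf4j/impl/StaticLoggerBinder.class": b""})
    lib = os.path.join(root, "systemApps", "isclite.ear", "kc.war", "WEB-INF", "lib")
    os.makedirs(lib)
    os.makedirs(os.path.join(root, "installableApps"))
    with open(os.path.join(lib, "log4j-core-2.15.0.jar"), "wb") as fh:
        fh.write(core_2150)
    with open(os.path.join(lib, "slf4j-jdk14-1.7.7.jar"), "wb") as fh:
        fh.write(slf4j)
    # A packed ear hiding an older log4j-core one level down: invisible to `find`.
    with open(os.path.join(root, "installableApps", "uddi.ear"), "wb") as fh:
        fh.write(_jar({"lib/log4j-core-2.14.1.jar": core_2141}))


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for location, version, verdict in demo():
        print(f"{location}  version={version}  {verdict}")
    # -> the 2.14.1 jar inside uddi.ear is flagged CVE-2021-44228,
    #    the 2.15.0 jar in kc.war/WEB-INF/lib is flagged CVE-2021-45046.
```

An empty result after PH42762 is the expected outcome, since that fix removes Log4j from the product; a hit on a jar inside a packed .ear is exactly the case a directory listing would miss.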

    For WebSphere Automation:

    For Transformation Advisor:

    For Application Navigator:

    Should you require further assistance, you can reach out to IBM Support.

    Other Resources




    Thu December 16, 2021 12:05 PM

    Hi Hermann,

    PH42728 updates Log4j to a version that has the vulnerability remediated.  PH42762 remediates the vulnerabilities by removing Log4j and hence, supersedes PH42728.

    The listings noted are for payloads within the fixes.  They do not reflect what the fixes fully do, which will include relevant and necessary cleanup/removal operations.

    As you know, what is more important is to check what is there on the system(s) after the application of the fix(es).  PH42762 is what is needed if one hasn't installed PH42728.

    Hope these help.

    Thu December 16, 2021 11:34 AM

    Hello Yee-Kang, I've now tried to install only PH42762 on an installation and then checked for the log4j jar files and found that these are indeed gone:
    [hhuebler@hhuelinux hhue2]$ ~/IBM/InstallationManager/eclipse/tools/imcl install -repositories /2tmp/PH42728/ -accessRights nonAdmin -installationDirectory /home/hhuebler/IBM/WebSphere/AppServer
    Installed to the /home/hhuebler/IBM/WebSphere/AppServer directory.
    [hhuebler@hhuelinux ~]$ find IBM/WebSphere/ -name "log4j*.jar"
    So it seems that while PH42728 replaces the log4j version in isclite from 2.8 to 2.15, PH42762 removed the log4j*.jar.

    Thu December 16, 2021 10:42 AM

    Hello Yee-Kang, thanks for the quick response on this one. But I'm wondering, as the latest fix PH42762 contains the following files:

    --- snip ---
    [hhuebler@hhuelinux hhue]$ unzip -l ./native/
    Archive: ./native/
    Length Date Time Name
    --------- ---------- ----- ----
    0 12-15-2021 09:52 installableApps/
    6951466 12-15-2021 09:52 installableApps/uddi.ear
    0 12-15-2021 09:52 systemApps/
    0 12-15-2021 09:52 systemApps/isclite.ear/
    0 12-15-2021 09:52 systemApps/isclite.ear/kc.war/
    0 12-15-2021 09:52 systemApps/isclite.ear/kc.war/WEB-INF/
    0 12-15-2021 09:52 systemApps/isclite.ear/kc.war/WEB-INF/lib/
    7901 12-15-2021 09:52 systemApps/isclite.ear/kc.war/WEB-INF/lib/slf4j-jdk14-1.7.7.jar
    --- snip ---

    while the PH42728 contains:
    --- snip ---
    [hhuebler@hhuelinux hhue2]$ unzip -l ./native/
    Archive: ./native/
    Length Date Time Name
    --------- ---------- ----- ----
    0 12-12-2021 10:58 installableApps/
    9024976 12-12-2021 10:58 installableApps/uddi.ear
    0 12-12-2021 10:58 systemApps/
    0 12-12-2021 10:58 systemApps/isclite.ear/
    0 12-12-2021 10:58 systemApps/isclite.ear/kc.war/
    0 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/
    0 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/
    207880 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-1.2-api-2.15.0.jar
    301805 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-api-2.15.0.jar
    1789769 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core-2.15.0.jar
    24232 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-slf4j-impl-2.15.0.jar
    --------- -------
    11348662 11 files

    --- snip ---

    Thu December 16, 2021 10:35 AM

    Hi Hermann,

    PH42762 alone is sufficient.  It completely supersedes the previous bulletin and fix (by removing Log4j completely).



    FYI, from the FAQ:

    Q2. Do I need to follow the instructions for the previous bulletin first?
    A2. No, the bulletin and fix for PH42762 (CVE-2021-4104 and CVE-2021-45046) completely supersedes the previous bulletin and fix. If you have not already installed PH42728 you only need to install PH42762. The relationship is the same if you are taking the mitigation steps only, PH42762 alone is sufficient.

    Thu December 16, 2021 10:14 AM

    Thanks for the blog entry and the hint to the additional PH42762. But what is not clear from the APAR and CVEs is whether we need to install PH42728 AND PH42762, or if PH42762 alone is sufficient. Please can you clarify that?