WebSphere Application Server & Liberty

View Only

Apache Log4j Vulnerabilities - Resources for WebSphere Application Server & Liberty Users

By Yee-Kang Chang posted Tue December 14, 2021 05:00 PM

A vulnerability in Apache Log4j 2, CVE-2021-44228, which is also known as Log4Shell, that could allow a remote attacker to execute arbitrary code on a system was reported on Friday, Dec 10, 2021. Additional vulnerabilities like CVE-2021-4104 & CVE-2021-45046 have since been reported.

IBM including the WebSphere & Liberty team is actively responding to reported vulnerability.

Here is a list of helpful resources to assist WebSphere Application Server and Liberty users to respond to the situation:

Security Bulletin on CVE-2021-4104 & CVE-2021-45046 for WebSphere Application Server, https://www.ibm.com/support/pages/node/6526750, that supersedes the previous bulletin on CVE-2021-44228 and lists the affected versions of WebSphere Application Server traditional, WebSphere Liberty for z/OS with zosConnect features, and the recommended mitigation actions to take.

- Apply interim fix, PH42762, to the affected systems as soon as possible to address the vulnerabilities;

- Consider interim fix, PH42759, that may provide an additional layer of protection. With this interim fix, the WebSphere Application Server traditional and Liberty runtimes will block loading of vulnerable classes.
  - Note: Do not apply the fix if you are using beta releases of Apache Log4j 2;
  - Also, PH42899 superseded PH42759 for WebSphere Application Server traditional.

Frequently Asked Questions (FAQ) regarding the Security Bulletin on CVE-2021-44228, CVE-2021-4104 & CVE-2021-45046 for WebSphere Application Server and Liberty users: https://www.ibm.com/support/pages/node/6525860.

For WebSphere Automation:

Security Bulletin on CVE-2021-44228 for IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps, https://www.ibm.com/support/pages/node/6527256, on an affected component with recommended action to take.

For Transformation Advisor:

Security Bulletin on CVE-2021-44228 for IBM Cloud Transformation Advisor, https://www.ibm.com/support/pages/node/6526212, covering what is affected and recommended remediation.

For Application Navigator:

Security Bulletin on CVE-2021-44228 for IBM Application Navigator, https://www.ibm.com/support/pages/node/6526612, covering the removal of unused copy of Apache Log4j library out of caution.

Should you require further assistance, you can reach out to IBM Support.

Other Resources

Liberty Guide on Log4j CVE-2021-44228, CVE-2021-4104 and CVE-2021-45046 from openliberty.io

#Featured-area-2
#featiured-area-2-home
#Featured-area-2
#Featured-area-2-home

5 comments

1164 views

Permalink

Comments

Yee-Kang Chang

Thu December 16, 2021 12:05 PM

Hi Hermann,

PH42728 updates Log4j to a version that has the vulnerability remediated. PH42762 remediates the vulnerabilities by removing Log4j and hence, supersedes PH42728.

The listings noted are for payloads within the fixes. They do not reflect what the fixes fully do, which will include relevant and necessary cleanup/removal operations.

As you know, what is more important is to check what is there on the system(s) after the application of the fix(es). PH42762 is what is needed if one hasn't installed PH42728.

Hope these help.

Hermann Huebler

Thu December 16, 2021 11:34 AM

Hello Yee-Kang .. I've now tried to install only PH42762 on an installation and then checked for the log4j jar files and found that these are indeed gone:
```

[hhuebler@hhuelinux hhue2]$ ~/IBM/InstallationManager/eclipse/tools/imcl install 9.0.5.3-WS-WASProd-IFPH42762_9.0.5003.20211215_0936 -repositories /2tmp/PH42728/9.0.5.3-ws-wasprod-ifph42762.zip -accessRights nonAdmin -installationDirectory /home/hhuebler/IBM/WebSphere/AppServer

Installed 9.0.5.3-WS-WASProd-IFPH42762_9.0.5003.20211215_0936 to the /home/hhuebler/IBM/WebSphere/AppServer directory.

[hhuebler@hhuelinux ~]$ find IBM/WebSphere/ -name "log4j*.jar"

IBM/WebSphere/AppServer/properties/patches/backup/9.0.5.3-WS-WASProd-IFPH42762/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-1.2-api-2.8.2.jar

IBM/WebSphere/AppServer/properties/patches/backup/9.0.5.3-WS-WASProd-IFPH42762/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-api-2.8.2.jar

IBM/WebSphere/AppServer/properties/patches/backup/9.0.5.3-WS-WASProd-IFPH42762/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core-2.8.2.jar

IBM/WebSphere/AppServer/properties/patches/backup/9.0.5.3-WS-WASProd-IFPH42762/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-slf4j-impl-2.8.2.jar

IBM/WebSphere/wp_profile/installedApps/wpCell/wp.scriptportlet.importexport.ear/wp.sp.importexpor.war/WEB-INF/lib/log4j.jar

IBM/WebSphere/wp_profile/installedApps/wpCell/PA_WPF.ear/unifiedtasklist.war/WEB-INF/lib/log4j.jar

```
So it seems that while PH42728 replaces the log4j version in isclite from 2.8 to 2.15 the PH42762 removed the log4j*.jar.

Hermann Huebler

Thu December 16, 2021 10:42 AM

Hello Yee-Kang .. thanks for the quick response on this one. But I'm wondering as the latest fix PH42762 contains the following files:

--- snip ---
[hhuebler@hhuelinux hhue]$ unzip -l ./native/9.0.5.3-WS-WASProd-IFPH42762-1s-9.0.5003-1i.file.operations_9.0.5.20211215_0936.zip
Archive: ./native/9.0.5.3-WS-WASProd-IFPH42762-1s-9.0.5003-1i.file.operations_9.0.5.20211215_0936.zip
Length Date Time Name
--------- ---------- ----- ----
0 12-15-2021 09:52 installableApps/
6951466 12-15-2021 09:52 installableApps/uddi.ear
0 12-15-2021 09:52 systemApps/
0 12-15-2021 09:52 systemApps/isclite.ear/
0 12-15-2021 09:52 systemApps/isclite.ear/kc.war/
0 12-15-2021 09:52 systemApps/isclite.ear/kc.war/WEB-INF/
0 12-15-2021 09:52 systemApps/isclite.ear/kc.war/WEB-INF/lib/
7901 12-15-2021 09:52 systemApps/isclite.ear/kc.war/WEB-INF/lib/slf4j-jdk14-1.7.7.jar
--- snip ---

while the PH42728 contains:
--- snip ---
[hhuebler@hhuelinux hhue2]$ unzip -l ./native/9.0.5.3-WS-WASProd-IFPH42728-1s-9.0.5003-1i.file.operations_9.0.5.20211212_1049.zip
Archive: ./native/9.0.5.3-WS-WASProd-IFPH42728-1s-9.0.5003-1i.file.operations_9.0.5.20211212_1049.zip
Length Date Time Name
--------- ---------- ----- ----
0 12-12-2021 10:58 installableApps/
9024976 12-12-2021 10:58 installableApps/uddi.ear
0 12-12-2021 10:58 systemApps/
0 12-12-2021 10:58 systemApps/isclite.ear/
0 12-12-2021 10:58 systemApps/isclite.ear/kc.war/
0 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/
0 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/
207880 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-1.2-api-2.15.0.jar
301805 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-api-2.15.0.jar
1789769 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-core-2.15.0.jar
24232 12-12-2021 10:58 systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j-slf4j-impl-2.15.0.jar
--------- -------
11348662 11 files

--- snip ---

Yee-Kang Chang

Thu December 16, 2021 10:35 AM

Hi Hermann,

PH42762 is alone is sufficient. It complete supersedes the previous bulletin and fix (by removing Log4j completely).

Thanks.

---

FYI; From the FAQ:

Q2. Do I need to follow the instructions for the previous bulletin first?
A2. No, the bulletin and fix for PH42762 (CVE-2021-4104 and CVE-2021-45046) completely supersedes the previous bulletin and fix. If you have not already installed PH42728 you only need to install PH42762. The relationship is the same if you are taking the mitigation steps only, PH42762 alone is sufficient.

Hermann Huebler

Thu December 16, 2021 10:14 AM

Thanks for the BLOG entry and the hint to the additional PH42762. But what is not clear from the APAR and CVEs is if we need to install PH42728 AND PH42762 or if PH42762 alone is sufficient? Please can you clarify that?