IBM Alert
Warning Date: 20 January, 2022
Severity Level: ● Critical
Warning Number: 2022-4256
Target Sector: All
Description:
IBM has released a security update to address several vulnerabilities in the following products:
- IBM Cloud Pak for Data System 2.0 Openshift Container Platform 4
  - 2.0.0.0 – 2.0.1.1
- IBM Spectrum Conductor
  - 2.4.1
  - 2.5.0
  - 2.5.1
- IBM Spectrum Symphony
  - 7.2, 7.2.0.2
  - 7.2.1, 7.2.1.1
  - 7.3
  - 7.3.1
  - 7.3.2
- IBM Security SOAR
- IBM Sterling Global Mailbox (GM)
  - 6.0.3 to 6.1.1.0
- IBM Integrated Analytics System
  - 1.0.0.0 – 1.0.26.2
- IBM Global High Availability Mailbox
  - 6.0.3-6.1.1.0
- IBM Db2 Warehouse
- IBM Disconnected Log Collector
  - v1 – v1.7.1
- API Connect
  - V10.0.0.0 – V10.0.4.0
  - V10.0.1.0 – V10.0.1.5
  - V2018.4.1.0 – 2018.4.1.17
  - V5.0.0.0 – 5.0.8.12
- IBM Cloud Pak for Data System 2.0 – Openshift Container Platform 4
  - 2.0.0.0 – 2.0.1
Threats:
An attacker could exploit these vulnerabilities to do the following:
- Execute arbitrary code remotely
Best practice and Recommendations:
The CERT team encourages users to review the IBM security advisories and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-2-0-icpds-2-0-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-log4j-ibm-spectrum-conductor-is-vulnerable-to-arbitrary-code-execution-cve-2021-44832-and-cve-2021-45046-and-denial-of-service-cve-2021-45105/
- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-log4j-ibm-spectrum-symphony-is-vulnerable-to-arbitrary-code-execution-cve-2021-44832-and-cve-2021-45046-and-denial-of-service-cve-2021-45105/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-be-vulnerable-to-a-downgrade-attack-because-of-missing-strict-transport-security-headers-for-some-endpoints-cve-2021-29785/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-impacts-ibm-sterling-global-mailbox-cve-2021-45046-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-system-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-global-mailbox-cve-2021-44228-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-released-a-fix-in-response-to-multiple-vulnerabilities-found-in-ibm-db2-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-collector-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046-and-cve-2021-44832/
- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affects-ibm-cloud-pak-for-data-system-2-0-3/