IBM Alert
Warning Date: 6 January, 2022
Severity Level: Critical
Warning Number: 2022-4166
Target Sector: All
IBM has released security updates to address several vulnerabilities in the following products:
Products affected by the Apache Log4j vulnerability:
- IBM Tivoli System Automation Application Manager
  - 4.1
- IBM Cloud Pak for Multicloud Management Security Services
  - Before 2.3 Fixpack 3
- IBM Cloud Pak for Multicloud Management Monitoring
  - Before 2.3 Fixpack 3
- IBM Cloud APM, Base Private
  - 8.1.4
- IBM Cloud APM, Advanced Private
  - 8.1.4
- IBM Jazz Reporting Service
  - 6.0.6.1
  - 7.0
  - 6.0.6
  - 7.0.1
- RELM
  - 6.0.6.1
  - 6.0.6
- ENI
  - 7.0.1
  - 7.0
- Global Configuration Management
  - 6.0.6-7.0.1
- RQM
  - 6.0.6.1
  - 6.0.6
- ETM
  - 7.0.1
  - 7.0.0
- EWM
  - 7.0.1
  - 7.0
- RTC
  - 6.0.6.1
  - 6.0.6
- DOORS Next
  - 7.0
  - 7.0.1
- RDNG
  - 6.0.6.1
  - 6.0.6
  - 7.0.2
- RMM
  - 7.0.1
  - 6.0.6.1
  - 6.0.6
  - 7.0
- Rhapsody DM
  - 6.0.6
  - 6.0.6.1
- ELM
  - 7.0.1
  - 7.0
  - 6.0.6.1
  - 6.0.6
- IBM Spectrum Protect for Space Management
  - 8.1.11.0-8.1.13.1
  - 7.1.8.10-7.1.8.13
- IBM Sterling Partner Engagement Manager Standard and Essentials
  - 6.1.2.3.3
  - 6.2.0.1.2
- IBM Sterling Connect:Direct for zOS
  - 6.2
- IBM Spectrum Protect Snapshot for Windows (formerly IBM Tivoli Storage FlashCopy Manager for Windows)
  - 8.1.11.0-8.1.13.1
- IBM Tivoli Storage FlashCopy Manager for Windows
  - 4.1.6.10-4.1.6.x
- IBM Spectrum Protect Backup-Archive Client
  - 8.1.11.0-8.1.13.1
  - 7.1.8.10-7.1.8.13
- IBM Spectrum Protect for Virtual Environments: Data Protection for VMware
  - 8.1.11.0-8.1.13.1
  - 7.1.8.10-7.1.8.13
- IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V
  - 8.1.11.0-8.1.13.1
- IBM Tivoli Monitoring
  - 6.3.0 fix pack 7 service pack 5
- RFT
  - 9.1
  - 9.2
  - 9.5
- IBM Security Verify Access
  - 10.0.0
- IBM Tivoli Monitoring
  - 6.3.0
An attacker could exploit these vulnerabilities to achieve the following:
- Denial of service (DoS)
- Disclosure of sensitive information
- Remote code execution
The CERT team encourages users to review the IBM security advisories and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-mulitple-apache-log4j-vulnerabilities-impact-ibm-tivoli-system-automation-application-manager-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-has-applied-security-fixes-for-its-use-of-log4j-for-cve-2021-44228-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-45105-affects-the-ibm-performance-management-product/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-functional-tester-6/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-44832-affects-the-ibm-performance-management-product/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerability-in-apache-log4j-affects-engineering-lifecycle-management-and-ibm-engineering-products-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-fixed-in-ibm-security-verify-access/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-for-space-management-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-installed-websphere-application-server-including-log4j/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-impacts-ibm-sterling-partner-engagement-manager-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-connectdirect-for-z-os-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-snapshot-on-windows-cve-2021-45105-and-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-impact-ibm-sterling-connectdirect-for-z-os-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-log4j-may-affect-ibm-tivoli-monitoring-installed-websphere-application-server-cve-2021-44228-2/