The official site for Saudi CERT
Your review has been sent successfully
IBM Updates
2732
Warning Date
Severity Level
Warning Number
Target Sector
23 December, 2021
● Critical
2021-4136
All
Description:
IBM has released security updates to address several vulnerabilities in the following products:
Products that affected by the Apache Log4j vulnerability:
- IBM Business Automation Workflow
- V21.0
- V20.0
- V19.0
- V18.0
- IBM Business Process Manager
- V8.6
- V8.5
- WebSphere Service Registry and Repository V8.5
- WebSphere Application Server V8.5.5
- IBM Spectrum LSF Application Center
- 10.2
- IBM Spectrum LSF Explorer
- 10.2
- IBM Cloud Pak for Applications, all versions
- WebSphere Application Server
- 9.0
- 8.5
- WebSphere Application Server
- IBM Cloud Pak for Applications
- 4.3 IBM Cloud Transformation Advisor, v2.5.0
- IBM Spectrum LSF
- 10.1.x
- IBM Case Manager
- 5.3CD
- 5.2.1
- 5.2.0
- 5.1.1
- IBM WebSphere Hybrid Edition
- all IBM Cloud Transformation Advisor, v2.5.0
- IBM Sterling Partner Engagement Manager Standard and Essentials
- 6.1.2.3.2 / 6.2.0.1.1
- IBM Cloud Object Storage File Access (COS FA)
- 7.0.0
- Netcool Operations Insight 1.6
- Netcool Operations Insight 1.6
- IBM Netcool Agile Service Manager
- 1.1
- IBM Jazz Reporting Service
- 6.0.6.1
- 7.0
- 6.0.6
- 7.0.1
- ELM
- 7.0.1
- 7.0
- 6.0.6.1
- 6.0.6
- Rhapsody DM
- 6.0.6
- 6.0.6.1
- RMM
- 7.0.1
- 6.0.6.1
- 6.0.6
- 7.0
- RDNG
- 6.0.6.1
- 6.0.6
- 7.0.2
- DOORS Next
- 7.0
- 7.0.1
- Global Configuration Management
- 6.0.6-7.0.1
- RTC
- 6.0.6
- 6.0.6.1
- RELM
- 6.0.6.1
- 6.0.6
- ENI
- 7.0.1
- 7.0
- ETM
- 7.0.1
- 7.0.0
- RQM
- 6.0.6
- EWM
- 7.0.1
- 7.0
- IBM Financial Transaction Manager for SWIFT Services for Multiplatforms
- 3.2.4
- IBM Spectrum Scale
- 5.0.5.0 – 5.0.5.11
- 5.1.0.0 – 5.1.2.1
- IBM Spectrum Scale on AWS Marketplace Spectrum Scale
- 5.0.5.3 BYOL v1.3.1
- IBM Spectrum Scale container native storage access
- All versions
- IBM App Connect Enterprise
- V11.0.0.7 to V11.0.0.15
- IBM App Connect Enterprise
- V12.0.1.0 to V12.0.3.0
- IBM i
- 7.4
- 7.3
- 7.2
- 7.1
- IBM® Db2® On Openshift
- IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data
- App Connect for Manufacturing
- 2.0.0.5 to 2.0.0.7
- IBM Informix Dynamic Server
- 14.10.FC6
- 14.10.FC7
- IBM Informix Dynamic Server
- 12.10.xC15
- App Connect Professional
- 7.5.4.0
- IBM Watson Studio Premium Add On in Cloud Pak for Data
- Watson Machine Learning in Cloud Pak for Data
- IBM Cloud Private
- 3.1.1
- 3.1.2
- 3.2.0
- 3.2.1 CD
- 3.2.2 CD
- IBM Cloud Integration Platform
- IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
- 4.0.0 – 4.0.3
- 1.2.0 -1.2.1 (Cloud Pak 3.5)
- OPENBMC
- OP910
- Operations Dashboard
- IBM Security Access Manager Appliance
- 9.0.0.0 – 9.0.7.2
- IBM Security Access Manager Docker
- 9.0.5.0 – 9.0.7.2
- Netcool/OMNIbus
- 8.1.0.25
- 8.1.0.26
- IBM Tivoli Netcool Impact
- 7.1.0
- SPSS Collaboration and Deployment Services
- 8.3
- Sterling Connect Direct File Agent
- 1.4
- IBM Cognos Controller
- 10.4.2
- IBM Cloud Object Storage Systems
- Long Term Support Release – 3.16.0.53 and Prior 3.16.0 Releases
- Active Release – 3.16.2.57 and Prior 3.16.2 and 3.16.1 Releases
- IBM Planning Analytics Workspace
- 2.0.57 or higher.
- IBM Cloud Application Business Insights
- 1.1.7
- 1.1.6
- 1.1.5
Threats:
An attacker could exploit these vulnerabilities by doing the following:
- Denial of service attack (DoS)
- Cross-site scripting (XSS)
- Information disclosure
- Redirect a user to a malicious web page
- Remote code execution
Best practice and Recommendations:
The CERT team encourages users to review IBM security advisory and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-websphere-application-server-shipped-with-ibm-digital-business-automation-workflow-family-products-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-service-registry-and-repository-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j2-affect-ibm-spectrum-lsf-explorer-and-ibm-spectrum-lsf-application-center/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applications-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applications-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j2-affect-ibm-spectrum-lsf-explorer-and-ibm-spectrum-lsf-application-center-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j2-affects-ibm-spectrum-lsf-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-ibm-websphere-application-server-shipped-with-ibm-case-manager-cve-2021-4104-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-hybrid-edition-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-cve-2021-45046-affects-ibm-sterling-partner-engagement-manager/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-cve-2021-45105-and-cve-2021-45046-affect-ibm-cloud-object-storage-file-access/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service-manager-is-affected-by-a-vulnerability-in-apache-log4j-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerability-in-apache-log4j-affects-engineering-lifecycle-management-and-ibm-engineering-products-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-session-fixation-vulnerability-in-ibm-financial-transaction-manager-for-swift-services/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-scale-cve-2021-44228-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-enterprise-v11-v12-cve-2021-45105/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-control-center-cve-2021-45105/
- https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affected-by-cve-2021-25219/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-on-openshift-and-ibm-db2-and-db2-warehouse-on-cloud-pak-for-data-hve-released-a-fix-in-response-to-multiple-vulnerabilities-found-in-ibm-db2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-for-manufacturing-2-0-cve-2021-4104/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-8/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-watson-studio-premium-add-on-in-cloud-pak-for-data-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-telco-network-cloud-manager-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-log4jshell-vulnerability-affects-watson-machine-learning-in-cloud-pak-for-data-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-scale-for-ibm-elastic-storage-server-cve-2021-44228-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-44228-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-api-connect-apic-cve-2021-44228-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-enterprise-v11-v12-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-45105-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-integration-platform-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-may-affect-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data-cve-2021-4428/
- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-is-being-released-to-address-cve-2021-38961/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-operations-dashboard-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-4104-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-access-manager-has-fixed-a-vulnerability-in-the-log4j-library-shipped-with-the-product-cve-2021-4104-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-for-manufacturing-2-0-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-a-apache-log4j-vulnerabilitiescve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-rational-clearcase-cve-2021-3711-cve-2021-3712/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-netcool-omnibus-8-1-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-affect-ibm-rational-clearcase-cve-2021-22924/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-multiple-security-vulnerabilities-in-apache-log4j-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-for-manufacturing-2-0-cve-2021-45105/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-ibm-websphere-cast-iron-solution-are-affected-by-openssl-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-9/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affects-spss-collaboration-and-deployment-services/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-affect-ibm-sterling-connectdirect-file-agent-cve-2021-45046-cve-2021-45105/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-virtualization-on-cloud-pak-for-data-is-affected-by-critical-vulnerability-in-log4j-cve-2021-44228/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-45046-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-10-4-2-if16-apache-log4j-vulnerability-cve-2021-45046-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-affect-ibm-cloud-object-storage-systems-clevos-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-2-0-apache-log4j-vulnerabilities-cve-2021-45046-cve-2021-45105-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impact-ibm-cloud-application-business-insights-cve-2021-45105-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spss-analytic-server-cve-2021-45105-and-cve-2021-45046/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-apache-log4j-shipped-with-ibm-tivoli-netcool-omnibus-common-integration-libraries-cve-2021-4104-cve-2021-45046-cve-2021-44228/
Last updated at 23 December, 2021
Rate the content
Share the page
