Description:

IBM has released security updates to address several vulnerabilities in the following products:

• Sterling Connect Direct Web Services
  • 1.0
• IBM Connect:Direct Web Services
  • 6.0
• IBM Cloud Pak for Multicloud Management Monitoring
  • before 2.3 Fix Pack 2
• IBM Spectrum Protect for Space Management
  • 8.1.11.0-8.1.13.0
  • 7.1.8.10-7.1.8.11
• IBM Spectrum Protect Backup-Archive Client
  • 8.1.11.0-8.1.13.0
  • 7.1.8.10-7.1.8.12
• IBM Spectrum Protect for Virtual Environments: Data Protection for VMware
  • 8.1.11.0-8.1.13.0 see Note 2
  • 7.1.8.10-7.1.8.12
• IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V
  • 8.1.11.0-8.1.13.0
• Sterling Configure, Price, Quote
  • 10.X
• IBM Spectrum Protect Snapshot for Windows (formerly IBM Tivoli Storage FlashCopy Manager for Windows)
  • 8.1.11.0-8.1.13.0
• IBM Tivoli Storage FlashCopy Manager for Windows
  • 4.1.6.10-4.1.6.x
  • ICP4A
  • V19.x
  • V20.x
  • V21.0.1
  • V21.0.2 before 21.0.2-IF006
  • V21.0.3 before 21.0.3-IF001
• Automation Assets in IBM Cloud Pak for Integration (CP4I)
  • 2021.2.1
  • 2021.4.1
• IBM Cloud Application Business Insights
  • 1.1.7
  • 1.1.6
  • 1.1.5
• IBM Spectrum Protect Snapshot for VMware
  • 4.1.6.10-4.1.6.12
• IBM Cloud APM, Base Private
  • 8.1.4
• IBM Cloud APM, Advanced Private
  • 8.1.4
• IBM Cloud APM
  • 8.1.4

Threats:

An attacker could exploit these vulnerabilities by doing the following:

• Denial of service attack (DoS)
• Remote code execution

Best practice and Recommendations:

The CERT team encourages users to review IBM security advisory and apply the necessary updates:

• https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-connectdirect-web-services-cve-2021-44228/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-has-patched-several-open-source-dependencies/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-websphere-application-server-affect-the-ibm-performance-management-product/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-for-space-management-cve-2021-44228-3/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-44228-3/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-configure-price-quote-uses-apache-log4j-2-x-which-is-subject-to-cve-2021-44228/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-snapshot-on-windows-cve-2021-44228-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-performance-management-products-8/
• https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-cloud-pak-for-automation-cve-2021-44228-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-cloud-pak-for-integration-is-vulnerable-to-log4j-cve-2021-44228-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-db2-that-affect-the-ibm-performance-management-product-3/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-log4j-affects-ibm-cloud-application-business-insights-cve-2021-44228/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-snapshot-for-vmware-cve-2021-44228-2/

For more information about the Apache Log4j vulnerability:

• https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/