An update on the Apache Log4j CVE-2021-44228 vulnerability – IBM PSIRT Blog

Share this post:

IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). We are investigating and taking action for IBM as an enterprise, IBM products and IBM services that may be potentially impacted, and will continually publish information to help customers detect, investigate and mitigate attacks, if any, to their IBM products and services.

 

IBM Enterprise
IBM is continuing to inventory our products and systems potentially impacted by the vulnerability. As necessary, we are updating to Log4j version 2.15, which fixes the vulnerability, and applying mitigations in the interim, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability.

 

IBM Software and Systems Products
IBM is continuing a product-by-product analysis for Log4j impacts. If an IBM Software or Systems product is impacted, there will be a bulletin posted on this blog as a remediation or fix becomes available. Such on-premise IBM products will then have to be updated by the customer.

 

IBM Consulting 
IBM Consulting will continue to work directly with its clients in support of the remediation of custom applications and services through its normal delivery center and platform support processes.

 

 

The IBM Managed Security Services (MSS) organization also is reviewing all systems to eliminate the vulnerability. The team is tracking patch releases for impacted platforms that IBM Security Services manages. Clients may see Security Advisory tickets and requests to patch managed devices in the MSS portal.

 

 

IBM Cloud and as-a-Service Products
For IBM Cloud services, IBM is remediating managed as-a-service Cloud offerings as applicable, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability.

 

Clients of IBM Cloud’s Classic and VPC Virtual Machine services are responsible for remediating any Log4j vulnerabilities in code running inside those Virtual Machines. IBM Cloud based virtual machine images and package repositories are being updated wherever they contain the vulnerable code.

 

For the portion of IBM Cloud services using Java technologies, IBM is continuing to assess and remediate any remaining services using Log4j and validate that mitigating controls remain effective.

 

IBM’s recommendations to its clients:

At this time, IBM recommends organizations running Apache Log4j take the following actions: 

Check for vulnerable versions of Apache Log4j in your environments and applications.Implement latest patch to production environments as soon as possible. Monitor IBM PSIRT for security bulletinsMonitor for vendor patches as they become available

 

 

Per the Apache Log4j security vulnerability advisory, the following temporary mitigations may provide interim protection for clients who are unable to upgrade Log4j in their workloads quickly: 

 

In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.