Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x)

Multiple sub-components of IBM i ship log4j v1.x files, making them vulnerable to the issue described in the vulnerability details section. IBM Navigator for i – heritage version uses log4j v1.x and cannot be updated to log4j v2.x. The CVE can be mitigated by not using the heritage version of IBM Navigator for i. Integrated Web Server (IWS) V2.6 contains unused references to log4j v1.x packages. On IBM i 7.2, Integrated Application Server (IAS) V7.1 & V8.1 and Integrated Web Server (IWS) V1.3 & V1.5 use log4j v1.x and cannot be updated to log4j v2.x. The CVE can be mitigated by not using these servers. IBM i Access Client Solutions (ACS) version 1.1.8.6 and earlier included an unused log4j v1.x jar file. IBM i has addressed the applicable CVE as described in the Remediation/Fixes section, or customers can address the applicable CVE as described in the Workarounds and Mitigations section for each of the impacted sub-components.
