Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

From CMOD.wiki
(Initial edit of Apache Log4j & CMOD article.)
 
(Removed Q&A section.)
 
(36 intermediate revisions by the same user not shown)
{{TOCright}}
This article discusses IBM Content Manager OnDemand (CMOD), the OnDemand Web Enablement Kit (ODWEK), IBM Content Navigator (ICN) and the Apache Log4j library, for which a Remote Code Execution (RCE) vulnerability is actively being exploited, which can give attackers elevated access, or effective control of the affected servers.

This issue has been assigned the following designation: CVE-2021-44228 and scores a 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

There are now official TechNotes from IBM on the CMOD / Log4j issue:

[https://www.ibm.com/support/pages/node/6525888 Is IBM Content Manager OnDemand (CMOD) Version 10.5 impacted by the log4j security vulnerabilities related to CVE-2021-44228?]

[https://www.ibm.com/support/pages/node/6525892 Is IBM Content Manager OnDemand (CMOD) Version 10.1 impacted by the log4j security vulnerabilities related to CVE-2021-44228?]

If your CMOD / ODWEK / ICN solution includes WebSphere, please review the following TechNote: [https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-apache-log4j-affect-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-cve-2021-4104-cve-2021-45046 Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server]

UPDATE: CMOD 10.5 FixPack 4 updates Log4j in all components. See [[Main_Page#IBM_CMOD_Fixpacks_.26_Security_Bulletins|Content Manager OnDemand FixPacks and Security Bulletins]] for links to IBM Fix Central.

== Announcements ==
Here are some announcements from trusted sources of information on software vulnerabilities:

[https://exchange.xforce.ibmcloud.com/collection/Apache-Log4j-Zero-Day-Vulnerability-4daa3df4f73a51590efced7fb90bc949 IBM's X-Force assessment of the log4j bug]

[https://logging.apache.org/log4j/2.x/security.html Announcement of the issue on the developer website]

[https://nvd.nist.gov/vuln/detail/CVE-2021-44228 National Institute of Standards and Technology]

[https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 Discussion of log4j v1.x susceptibility to this exploit on GitHub]

== Affected Versions of Log4j ==
Versions from v2.0 beta9 through 2.14.x are vulnerable to this exploit.

Your systems should be patched to log4j 2.16 or higher: a second vulnerability was discovered, and the latest versions disable the affected features by default.

== Versions Shipped with CMOD ==
'''''NOTE:''''' CMOD Fixpacks with the Log4j patch have been released: [[Main_Page#IBM_CMOD_Fixpacks_.26_Security_Bulletins|CMOD Fixpacks for Log4j]]

{| class="mw-collapsible wikitable" style="text-align: center;"
! CMOD Version !! Apache Log4j version(s) !! Vulnerable version? !! Comment
|-
| CMOD & ODWEK v9.0 || N/A || N/A
| style="text-align: left;" | Log4j isn't used in CMOD v9.
|-
| CMOD & ODWEK v9.5 || N/A || N/A
| style="text-align: left;" | Log4j isn't used in CMOD v9.
|-
| CMOD & ODWEK v10.1 || v2.6.x || <span style="color: red;">YES</span>
| style="text-align: left;" | Log4j is only included with CMOD v10.1 FP6 and higher.
|-
| CMOD & ODWEK v10.5 || v2.13.x || <span style="color: red;">YES</span>
| style="text-align: left;" | Log4j is included in the base level and all Fixpacks of CMOD v10.5.
|-
| ICN v2.0.3 || TBD || TBD
|
|-
| ICN v3 || v1.2.x || <span style="color: green;">NO</span>
| style="text-align: left;" | ICN v3 is not vulnerable in the default configuration, but sites that have enabled the JMSAppender feature could be exploited.
|}

== Impact ==
The largest impact is to systems that have publicly-facing IBM Content Navigator (ICN) installations where the ODWEK Java API is also publicly accessible, or line-of-business (LoB) apps (like client/customer portals) that rely on Log4j to provide logging. In most (reasonable) system architectures, ODWEK itself is not exposed to the public internet, and instead is used as an intermediate API between LoB applications that are internet-accessible and Content Manager OnDemand. In the overwhelming majority of system designs, there are firewalls and other access controls on both the external and internal sides of a web server. However, if an attacker was able to obtain an elevated level of access to a web server, they may be able to use that elevated access to attempt to exploit ODWEK.

; Which CMOD components use Apache log4j?
: The three components that use the log4j library are the ODWEK Java API, the REST API (new in CMOD v10.5) and the Full Text Search (FTS) engine. The CMOD server itself doesn't use log4j, so none of the standard operations a CMOD server performs are vulnerable to this exploit; this includes loading data with arsload, indexing documents with ACIF or the PDF Indexer, migrating data between cache and secondary storage, etc.

; How do the ODWEK Java API / REST API / FTS use the log4j library?
: They are referenced through a classloader.

; Is a standalone CMOD server (without IBM HTTP / WebSphere / ODWEK / REST API / FTS configured) vulnerable?
: No, CMOD itself does not call or use log4j.

; Where do I need to install the new version of the Apache log4j library?
: Anywhere that you have installed CMOD. This includes all CMOD servers, WebSphere/Tomcat/HTTP servers with CMOD, ODWEK, or the REST API components, and development servers for line-of-business applications that use the ODWEK/REST APIs.

''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.''

Here is a list of scenarios, and the likely level of risk from this vulnerability (last updated Dec 13th, 10am):

* An organization with CMOD on their internal network using Windows 'Thick' Clients: ''Very Low''
* CMOD and IBM Content Navigator or Line-of-Business apps that rely on ODWEK: ''Low''
* Line-of-Business apps using CMOD that are exposed to the public internet with proper firewalls & access controls: ''Low''
* Line-of-Business apps using CMOD that are exposed to the public internet with unrestricted access to the CMOD server: ''Low''
* CMOD and ODWEK running on the same server instance / operating system & accessible to the internet: ''Medium''

== Upgrading to log4j v2.16.x ==
You can download the latest version of Apache log4j here: https://logging.apache.org/log4j/2.x/download.html

Please refer to IBM's TechNotes for [https://www.ibm.com/support/pages/node/6525892 v10.1] and [https://www.ibm.com/support/pages/node/6525888 v10.5] for instructions on upgrading log4j on your CMOD and ODWEK installations.
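As an added example (it is not part of this article and not an IBM tool), the following Python script inventories the places the Impact section says the library has to be replaced: it walks an install tree, records every log4j-core jar's version (from the file name or, for a jar that has been renamed, from its manifest), flags the versions the article lists as vulnerable, reports whether JndiLookup.class is still present inside each jar, and checks log4j 1.x configuration files for the JMSAppender that the ICN v3 table row mentions. The directory layout, jar contents and configuration lines are constructed for the demo; the threshold (anything below 2.16) follows the article's advice to patch to 2.16 or higher.

```python
"""Inventory log4j-core jars and log4j 1.x configs under an install tree.

Added example, not code from the CMOD.wiki article or from IBM. The sample
tree built by build_sample_tree() is constructed for the demo only.
"""
import os
import re
import tempfile
import zipfile

JAR_NAME_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$", re.IGNORECASE
)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(name):
    """(major, minor, patch, pre_kind, pre_num) from a log4j-core jar name, or None."""
    m = JAR_NAME_RE.match(name)
    if not m:
        return None
    major, minor, patch, pre_kind, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), (pre_kind or "").lower(), int(pre_num or 0))


def manifest_version(path):
    """Fallback for renamed jars: Implementation-Version from META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version("log4j-core-" + line.split(":", 1)[1].strip() + ".jar")
    return None


def is_vulnerable_version(v):
    """Per the article: 2.0-beta9 through 2.14.x are vulnerable; 2.16+ is the floor."""
    major, minor, _patch, pre_kind, pre_num = v
    if major != 2:
        return False          # log4j 1.x is a separate code base (JMSAppender caveat below)
    if minor == 0 and pre_kind == "beta":
        return pre_num >= 9   # 2.0-beta9 is the first affected release
    return minor < 16         # 2.0-rc*, 2.0 ... 2.15 are all below the 2.16 floor


def jndi_lookup_present(path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def jms_appender_enabled(config_path):
    """log4j 1.x config check (ICN v3 caveat); skips commented-out .properties lines."""
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    if config_path.lower().endswith(".properties"):
        lines = [ln for ln in lines if not ln.lstrip().startswith(("#", "!"))]
    return any("JMSAppender" in ln for ln in lines)


def scan_tree(root):
    """Return one finding dict per log4j-core jar or log4j 1.x config under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            if low.startswith("log4j-core") and low.endswith(".jar"):
                version = parse_version(name) or manifest_version(path)
                findings.append({"path": rel, "version": version,
                                 "vulnerable": is_vulnerable_version(version) if version else None,
                                 "jndi_lookup": jndi_lookup_present(path)})
            elif low in ("log4j.properties", "log4j.xml"):
                findings.append({"path": rel, "version": None,
                                 "vulnerable": jms_appender_enabled(path), "jndi_lookup": False})
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, version, with_jndi):
    """Constructed jar: a manifest plus an optional placeholder JndiLookup entry."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder, not a real class file")


def build_sample_tree():
    """Constructed tree mimicking the ODWEK / FTS / LoB / ICN locations the article lists."""
    root = tempfile.mkdtemp(prefix="cmod-log4j-demo-")
    _write_jar(os.path.join(root, "odwek", "api", "log4j-core-2.13.0.jar"), "2.13.0", True)
    _write_jar(os.path.join(root, "fts", "lib", "log4j-core-2.16.0.jar"), "2.16.0", False)
    _write_jar(os.path.join(root, "lob", "WEB-INF", "lib", "log4j-core.jar"), "2.6.1", True)  # renamed, no version in name
    icn_dir = os.path.join(root, "icn")
    os.makedirs(icn_dir, exist_ok=True)
    with open(os.path.join(icn_dir, "log4j.properties"), "w", encoding="utf-8") as fh:
        fh.write("log4j.rootLogger=INFO, jms\nlog4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against a real install root instead of the constructed tree to get the same report for your own servers; a jar that is flagged vulnerable, or that still contains JndiLookup.class, is one the IBM TechNotes linked above tell you how to replace.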

Latest revision as of 14:33, 17 June 2024