Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"

From CMOD.wiki
Jump to navigation Jump to search
Line 41: Line 41:
* An organization with CMOD on their internal network using Windows 'Thick' Clients:  ''Very Low''
* An organization with CMOD on their internal network using Windows 'Thick' Clients:  ''Very Low''
* CMOD and IBM Content Navigator  or Line-of-Business apps that reply on ODWEK: ''Low''
* CMOD and IBM Content Navigator  or Line-of-Business apps that reply on ODWEK: ''Low''
* CMOD with ICN or Line-of-Business apps exposed to the public internet with proper firewalls & access controls: ''Medium''
* CMOD with ICN or Line-of-Business apps exposed to the public internet with proper firewalls & access controls: ''Low to Medium''
* CMOD with ICN or Line-of-Business apps exposed to the public internet with unrestricted access to the CMOD server: ''High''
* CMOD with ICN or Line-of-Business apps exposed to the public internet with unrestricted access to the CMOD server: ''High''
== Questions for IBM ==
Here are a few questions we've sent to IBM:
*Is log4j used for any purpose on a standalone CMOD server, or is it used exclusively for ODWEK?
*For ODWEK, in which situations/configurations would log4j be accessible to an API consumer?
*ICN v3 ships with Log4j 1.2.15, and is not included in this CVE due to being EOL'd earlier this year, so it's unknown if this version is affected.  Is it possible top upgrade log4j to the patched version?
*For ICN, in which situations/configurations would log4j be accessible to an API consumer?
*Are their architectural mitigations that can be put in place?  (Blocking firewall ports, specific URLs, changing the location of libraries, etc.)
*Will IBM provide an interim fix for this issue, or advise clients to patch log4j on their own?
If you have questions you'd like to see answered, find us on Twitter:  https://Twitter.com/CMODwiki

Revision as of 07:57, 11 December 2021

This article discusses IBM Content Manager OnDemand (CMOD), the OnDemand Web Enablement Kit (ODWEK), IBM Content Navigator (ICN) and the Apache Log4j library, for which a Remote Code Execution (RCE) vulnerability is actively being exploited, which can give attackers control of the affected servers.

Please upgrade as soon as possible, this vulnerability is being actively exploited on publicly facing systems.

This issue has been assigned the following designation: CVE-2021-44228

Announcements

https://logging.apache.org/log4j/2.x/security.html

https://cve.circl.lu/cve/CVE-2021-44228

Affected Versions of Log4j

Versions from v2.0 beta9 through 2.14.x are vulnerable to this exploit.

The version that includes the fix is v2.15.x and above, released December 10th, 2021.

Versions Shipped with CMOD

Content Manager OnDemand / CMOD / ODWEK v10.1
Ships with Apache log4j v2.6.1
Content Manager OnDemand / CMOD / ODWEK v10.5
Ships with Apache log4j v2.13.0
IBM Content Navigator v2.0.3
Ships with log4j - v1.x - check back for updates
IBM Content Navigator v3.0
Ships with log4j v1.2.15 - not affected

Impact

The largest impact is to systems that have publicly-facing IBM Content Navigator (ICN) installations, or line-of-business (LoB) apps (like client/customer portals) that rely on Log4j to provide logging. In most (reasonable) architectures, ODWEK itself is not exposed to the public internet, and instead, is used as an intermediate API between LoB applications that are internet-accessible and Content Manager OnDemand. In the overwhelming majority of architectures, there are firewalls and other access controls on both the external and internal sides of a web server. However, if an attacker was able to obtain an elevated level of access to a web server, they may be able to use that elevated access to attempt to exploit ODWEK.

Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.

Here are a list of scenarios, and the likely level of risk to this vulnerability:

  • An organization with CMOD on their internal network using Windows 'Thick' Clients: Very Low
  • CMOD and IBM Content Navigator or Line-of-Business apps that reply on ODWEK: Low
  • CMOD with ICN or Line-of-Business apps exposed to the public internet with proper firewalls & access controls: Low to Medium
  • CMOD with ICN or Line-of-Business apps exposed to the public internet with unrestricted access to the CMOD server: High

Questions for IBM

Here are a few questions we've sent to IBM:

  • Is log4j used for any purpose on a standalone CMOD server, or is it used exclusively for ODWEK?
  • For ODWEK, in which situations/configurations would log4j be accessible to an API consumer?
  • ICN v3 ships with Log4j 1.2.15, and is not included in this CVE due to being EOL'd earlier this year, so it's unknown if this version is affected. Is it possible top upgrade log4j to the patched version?
  • For ICN, in which situations/configurations would log4j be accessible to an API consumer?
  • Are their architectural mitigations that can be put in place? (Blocking firewall ports, specific URLs, changing the location of libraries, etc.)
  • Will IBM provide an interim fix for this issue, or advise clients to patch log4j on their own?

If you have questions you'd like to see answered, find us on Twitter: https://Twitter.com/CMODwiki

Retrieved from "https://CMOD.wiki/index.php?title=Apache_Log4j_%26_CMOD_ODWEK_ICN&oldid=1019"