1,126
edits
Difference between revisions of "Apache Log4j & CMOD ODWEK ICN"
Apache Log4j & CMOD ODWEK ICN (view source)
Revision as of 14:02, 14 December 2021
, 14:02, 14 December 2021Updated with IBM Technote on CMOD log4j - reformatted table and added Comment Field.
m (One last edit.) |
(Updated with IBM Technote on CMOD log4j - reformatted table and added Comment Field.) |
||
| Line 4: | Line 4: | ||
This issue has been assigned the following designation: CVE-2021-44228 and scores a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) | This issue has been assigned the following designation: CVE-2021-44228 and scores a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) | ||
There | There are now official TechNotes from IBM on the CMOD / Log4j issue: | ||
[https://www.ibm.com/support/pages/node/6525888 Is IBM Content Manager OnDemand (CMOD) Version 10.5 impacted by the log4j security vulnerabilities related to CVE-2021-44228?] | |||
[https://www.ibm.com/support/pages/node/6525892 Is IBM Content Manager OnDemand (CMOD) Version 10.1 impacted by the log4j security vulnerabilities related to CVE-2021-44228?] | |||
== Announcements == | == Announcements == | ||
| Line 25: | Line 29: | ||
== Versions Shipped with CMOD == | == Versions Shipped with CMOD == | ||
{| class="mw-collapsible wikitable" style="text-align: center; | {| class="mw-collapsible wikitable" style="text-align: center; | ||
!CMOD Version||Apache Log4j version(s)||Vulnerable version? | !CMOD Version||Apache Log4j version(s)||Vulnerable version? ||Comment | ||
|- | |- | ||
|CMOD & ODWEK v9.0|| N/A || | |CMOD & ODWEK v9.0|| N/A || N/A | ||
|style="text-align: left;|Log4j isn't used in CMOD v9. | |||
|- | |- | ||
|CMOD & ODWEK v9.5|| N/A || | |CMOD & ODWEK v9.5|| N/A || N/A | ||
|style="text-align: left;|Log4j isn't used in CMOD v9. | |||
|- | |- | ||
|CMOD & ODWEK v10.1|| v2.6.x || <span style="color: red;>YES</span> | |CMOD & ODWEK v10.1|| v2.6.x || <span style="color: red;>YES</span> | ||
|style="text-align: left;|Log4j is only included with CMOD v10.1 FP6 and higher.</span> | |||
|- | |- | ||
|CMOD & ODWEK v10.5|| v2.13.x|| <span style="color: red;>YES</span> | |CMOD & ODWEK v10.5|| v2.13.x|| <span style="color: red;>YES</span> | ||
|style="text-align: left;|Log4j is included in the base level and all Fixpacks of CMOD v10.5.</span> | |||
|- | |- | ||
|ICN v2.0.3 || TBD || TBD | |ICN v2.0.3 || TBD || TBD | ||
|- | |- | ||
|ICN v3|| v1.2.x || <span style="color: green;>NO</span> | |ICN v3|| v1.2.x || <span style="color: green;>NO</span> | ||
|style="text-align: left;|ICN v3 is not vulnerable in the default configuration, but sites that have enabled the JMSAppender feature could be exploited. | |||
|} | |} | ||
== Impact == | == Impact == | ||