m (Added CVSS info to convey the urgency of this issue.) |
m (Updated to reflect initial feedback from IBM.) |
| Line 7: | Line 7: | ||
Download the latest version here: [https://logging.apache.org/log4j/2.x/download.html Apache Log4j] | Download the latest version here: [https://logging.apache.org/log4j/2.x/download.html Apache Log4j] | ||
'''UPDATE:''' IBM has responded to a customer ticket, stating that CMOD / ODWEK do not use the JNDI feature of log4j, and *should* not be vulnerable, but still advises customers to upgrade - instructions are pending. | |||
== Announcements == | == Announcements == | ||
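Review bot: the added UPDATE line should not be read as a clearance, because "do not use the JNDI feature of log4j" is not what decides exposure. In log4j 2.x the JNDI lookup is performed by the logging library itself while it formats a message containing a `${jndi:...}` string, so what matters is whether a vulnerable log4j 2.x jar is on the classpath and whether any attacker-influenced string reaches a log call, not whether CMOD or ODWEK call JNDI in their own code. Suggest wording it as "IBM states that CMOD / ODWEK do not themselves use the JNDI feature of log4j; confirm the shipped log4j version against the table below", and replacing "instructions are pending" with a link to the IBM advisory once it is published. Also, `*should*` is Markdown emphasis; in wiki markup use ''should''.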
| Line 27: | Line 29: | ||
== Versions Shipped with CMOD == | == Versions Shipped with CMOD == | ||
{| class="mw-collapsible wikitable" style="text-align: center; | {| class="mw-collapsible wikitable" style="text-align: center; | ||
!CMOD Version||Apache Log4j version(s)||Vulnerable? | !CMOD Version||Apache Log4j version(s)||Vulnerable version? | ||
|- | |- | ||
|CMOD & ODWEK v9.0|| N/A || <span style="color: green;>NO</span> | |CMOD & ODWEK v9.0|| N/A || <span style="color: green;>NO</span> | ||
| Line 39: | Line 41: | ||
|ICN v2.0.3 || TBD || TBD | |ICN v2.0.3 || TBD || TBD | ||
|- | |- | ||
|ICN v3|| v1.2.x || <span style="color: green;>NO</span> | |ICN v3|| v1.2.x || <span style="color: green;>NO</span>* | ||
|} | |} | ||
* Not vulnerable in the default configuration, but sites that have enabled the JMSAppender feature could be exploited. | |||
== Impact == | == Impact == | ||
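Review bot: the footnote added under the table ("* Not vulnerable in the default configuration, but sites that have enabled the JMSAppender feature could be exploited.") should say which issue it refers to, because the JMSAppender condition is a different weakness from the one this page tracks: log4j 1.2.x is not affected by the 2.x JNDI message lookup, and the JMSAppender problem (CVE-2021-4104) is only exploitable when an attacker can already write to the log4j configuration. Without that qualifier the `*` on the ICN v3 row reads as if ICN v3 is exposed to the same remote, input-driven attack. Two markup defects in the same hunk: the table opener `style="text-align: center;` and each `<span style="color: green;>` are missing the closing quote on the style attribute, so the markup is malformed. The `ICN v2.0.3 || TBD || TBD` row is still unresolved while the header now reads "Vulnerable version?"; either fill it in or note the date it was last checked, as the Impact section now does.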
| Line 47: | Line 51: | ||
'''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.''' | '''Given that ODWEK is a niche API for a proprietary product, the risk to the data in a CMOD server is low.''' | ||
Here are a list of scenarios, and the likely level of risk to this vulnerability: | Here are a list of scenarios, and the likely level of risk to this vulnerability: (Last updated Dec 13th, 10am) | ||
* An organization with CMOD on their internal network using Windows 'Thick' Clients: ''Very Low'' | * An organization with CMOD on their internal network using Windows 'Thick' Clients: ''Very Low'' | ||
* CMOD and IBM Content Navigator or Line-of-Business apps that reply on ODWEK: ''Low'' | * CMOD and IBM Content Navigator or Line-of-Business apps that reply on ODWEK: ''Low'' | ||
* Line-of-Business apps using CMOD that are exposed to the public internet with proper firewalls & access controls: ''Low | * Line-of-Business apps using CMOD that are exposed to the public internet with proper firewalls & access controls: ''Low '' | ||
* Line-of-Business apps using CMOD that are exposed to the public internet with unrestricted access to the CMOD server: '' | * Line-of-Business apps using CMOD that are exposed to the public internet with unrestricted access to the CMOD server: ''Low'' | ||
* CMOD and ODWEK running on the same server instance / operating system & publicly accessible: '' | * CMOD and ODWEK running on the same server instance / operating system & publicly accessible: ''Medium'' | ||
== Upgrading log4j v2.15.x == | == Upgrading log4j v2.15.x == | ||
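Review bot: "Here are a list" should be "Here is a list", and "reply on ODWEK" should be "rely on ODWEK"; the "Last updated Dec 13th, 10am" stamp should carry a year and timezone, since this page will be read long after the incident. The scenario list now rates "with proper firewalls & access controls" and "with unrestricted access to the CMOD server" both as ''Low'', which makes the distinction meaningless; if the second is meant to be higher, give it a different value, and if both are ''Low'' because no attacker-controlled string reaches a vulnerable log4j 2.x, say that explicitly. The bold sentence grounds the low risk on ODWEK being a niche API; obscurity is not a control against scanners that spray `${jndi:...}` payloads into every header and field they can reach, so the justification should be tied to the version table (which components actually ship a vulnerable log4j 2.x) rather than to the product's obscurity.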