(Added CMOD log4j FAQs) |
m (Re-organized opening paragraphs.) |
||
| Line 1: | Line 1: | ||
{{TOCright}} | {{TOCright}} | ||
This article discusses IBM Content Manager OnDemand (CMOD), the OnDemand Web Enablement Kit (ODWEK), IBM Content Navigator (ICN) and the Apache Log4j library, for which a Remote Code Execution (RCE) vulnerability is actively being exploited, which can give attackers elevated access, or effective control of the affected servers. | This article discusses IBM Content Manager OnDemand (CMOD), the OnDemand Web Enablement Kit (ODWEK), IBM Content Navigator (ICN) and the Apache Log4j library, for which a Remote Code Execution (RCE) vulnerability is actively being exploited, which can give attackers elevated access, or effective control of the affected servers. | ||
This issue has been assigned the following designation: CVE-2021-44228 and scores a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) | This issue has been assigned the following designation: CVE-2021-44228 and scores a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) | ||
'''UPDATE:''' IBM has responded to a customer ticket, stating that CMOD / ODWEK do not use the JNDI feature of log4j, and *should* not be vulnerable, but still advises customers to upgrade. | |||
Follow the upgrade instructions here: [[Apache_Log4j_%26_CMOD_ODWEK_ICN#Upgrading_log4j_v2.15.x|Upgrading log4j]] | |||
== Announcements == | == Announcements == | ||
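Review bot: the '''UPDATE:''' paragraph and the "Upgrading log4j" link appear only in the old (left) column of the Line 1 hunk, so the new revision removes them from the opening, and nothing in the visible lines shows where they were moved. Since the summary says the paragraphs were re-organized rather than deleted, confirm both still exist further down the page. The remaining intro still describes CVE-2021-44228 as an actively exploited RCE scoring 10 on CVSS, so consider keeping at least the upgrade link directly under it so readers reach the remediation steps without scrolling. If the paragraph is retained elsewhere, note that *should* is not wikitext emphasis and will render with literal asterisks; use ''should'' instead.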