Impact of Apache Log4j vulnerability CVE-2021-44228 on IBM Mobile Foundation

A vulnerability has been reported in the Apache Log4j open source library in the CVE-2021-44228.

Log4j versions affected All Log4j-core versions >= 2.0-beta9 and <= 2.14.1 are impacted. The versions of Log4j 2 affected are documented in the official Log4j website Apache Log4j Security Vulnerabilities.

Impact on IBM Mobile Foundation

The usage of Log4j has been reviewed with respect to the reported vulnerability as described in CVE-2021-44228 and in the Spring community announcement.

The version of Log4j bundled within IBM MobileFirst Platform Foundation (MFP) 8.0 is 1.x. The vulnerability CVE-2021-44228 does not impact MFP.

Log4j usage in MFP is internal only. Any string posted by an attacker is not passed on and is not printed by the MFP internal components. There is no exposure of any sort irrespective of any user and their privileges.

Impact on WAS/Liberty

The impact of the vulnerability on WebSphere Application Server (WAS)/Liberty is published in a security bulletin. Refer https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-websphere-application-server-cve-2021-44228 for details.

Mitigation strategy for Java adapters usage

For Java adapters usage, follow these instructions as a mitigation strategy.

• If Java adapters include Log4j2 libraries or 3rd party frameworks that include Log4j2 libraries, you should upgrade the Log4j2 versions to Log4j 2.15 immediately and redeploy the Java adapters.
• If you are using a vulnerable version of Log4j2 (versions >=2.0-beta9 and <=2.14.1) and cannot upgrade, you should follow the mitigation strategy detailed in the IBM PSIRT blog in the interim.

Stay tuned for further updates, as we continue to update our findings on this vulnerability and its impact.