There is a vulnerability in the Apache Log4j open source library used by WebSphere Application Server. This affects the WebSphere Application Server Admin Console and the UDDI Registry Application. This vulnerability has been addressed.
For WebSphere Application Server traditional:
For V9.0.0.0 through 9.0.5.10:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42728
–OR–
· Apply Fix Pack 9.0.5.11 or later (when available).
For V8.5.0.0 through 8.5.5.20:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH42728
–OR–
· Apply Fix Pack 8.5.5.21 or later (when available).
Additional interim fixes may be available and linked off the interim fix download page.
Note: WebSphere Application Server 7.0 and 8.0 reached End of Support on April 30, 2018 and the embedded IBM Java SDK is no longer receiving security updates. Current information is that the version of log4j included in WebSphere Application Server 7.0 and 8.0 is not impacted by CVE-2021-44228. IBM recommends all users running 7.0 and 8.0 upgrade to 8.5.5, 9.0 or WebSphere Liberty.
Recommendation
Set the JVM custom property log4j2.formatMsgNoLookups to the value true
For WebSphere Application Server v9.0 and V8.5:
If the interim fixes in PH42728 cannot be applied immediately, then follow ALL of the temporary mitigation steps below:
1. Recommended: Update the IBM® SDK, Java™ Technology Edition maintenance to the latest recommended fix pack, or a minimum of 7.0.10.35, 7.1.4.35, or 8.0.5.25. You can get the latest IBM Java fix pack for WebSphere here: https://www.ibm.com/support/pages/node/587245 (9.0) & https://www.ibm.com/support/pages/node/6209712 (8.5)
2. For WebSphere Application Server v9.0 only: Remove <WAS_HOME>/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar from any system running the WebSphere admin console
- The files will need to be removed again if fixpacks are applied prior to PH42728 being installed.
- After removing the files, restart the application server running the Admin Console.
3. Set the JVM custom property log4j2.formatMsgNoLookups to the value true
- For information on setting JVM custom properties in WebSphere Application Server, see https://www.ibm.com/docs/en/was-nd/9.0.5?topic=jvm-java-virtual-machine-custom-properties
- After setting the JVM custom property, restart the application server.
4. If the “kc.war” application has been installed (deployed) to any application server (separately from isclite.ear), it must be manually uninstalled via the Admin Console or wsadmin.
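A read-only check for temporary mitigation steps 2 to 4 above, added here as an example and not IBM-supplied code. `PROFILE_HOME` and the function names are hypothetical, and the step 3 check assumes each JVM custom property is stored as a single-line `systemProperties` element in the server's `server.xml`.

```sh
#!/bin/sh
# Added example (not IBM code): read-only audit of temporary mitigation
# steps 2-4. Nothing is removed or changed.

# Step 2: log4j*.jar files still present in the admin console's kc.war.
list_kc_log4j_jars() {
    lib="$1/systemApps/isclite.ear/kc.war/WEB-INF/lib"
    [ -d "$lib" ] || return 0
    find "$lib" -type f -name 'log4j*.jar' | sort
}

# Step 4: any kc.war that lives outside isclite.ear.
list_separate_kc_war() {
    find "$@" -name 'kc.war' ! -path '*/isclite.ear/*' | sort -u
}

# Step 3: server.xml files that do not set log4j2.formatMsgNoLookups=true.
# Assumption: each JVM custom property is stored as a single-line
# <systemProperties name="..." value="..."/> element in server.xml.
list_servers_missing_property() {
    find "$1" -type f -name 'server.xml' | sort | while IFS= read -r f; do
        grep -F 'name="log4j2.formatMsgNoLookups"' "$f" |
            grep -q 'value="true"' || printf '%s\n' "$f"
    done
}

# Usage: check_was_log4j_mitigation <WAS_HOME> <PROFILE_HOME>
# PROFILE_HOME is a hypothetical parameter: the profile directory tree.
# Returns 0 when all three checks are clean, 1 otherwise.
check_was_log4j_mitigation() {
    rc=0
    jars=$(list_kc_log4j_jars "$1")
    wars=$(list_separate_kc_war "$1" "$2")
    srvs=$(list_servers_missing_property "$2")
    if [ -n "$jars" ]; then
        printf 'Step 2 open, jars to remove:\n%s\n' "$jars"; rc=1
    fi
    if [ -n "$srvs" ]; then
        printf 'Step 3 open, property not true in:\n%s\n' "$srvs"; rc=1
    fi
    if [ -n "$wars" ]; then
        printf 'Step 4 open, kc.war outside isclite.ear:\n%s\n' "$wars"; rc=1
    fi
    return "$rc"
}
```

Because fix packs applied before PH42728 restore the removed files, rerun the check after any maintenance and after each restart.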