IBM Support

IJ36818: APACHE LOG4J REMOTE CODE EXECUTION VULNERABILITY


APAR status

  • Closed as program error.

Error description

  • There has been a vulnerability found in the Apache Log4j2 library
    v2.16.0 used by the Scale/ESS GUI. Apache Log4j2 versions
    2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect
    from uncontrolled recursion from self-referential lookups: a
    Context Lookup in a layout pattern (for example ${ctx:loginId})
    whose Thread Context Map value itself contains the same lookup
    is expanded without limit until the stack overflows and the
    process terminates. Despite the APAR title, the issue described
    here is a denial of service, not remote code execution.
    

Local fix

Problem summary

  • There has been a vulnerability found in the Apache Log4j2 library
    v2.16.0 used by the Scale/ESS GUI. Apache Log4j2 versions
    2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect
    from uncontrolled recursion from self-referential lookups: a
    Context Lookup in a layout pattern (for example ${ctx:loginId})
    whose Thread Context Map value itself contains the same lookup
    is expanded without limit until the stack overflows and the
    process terminates. Despite the APAR title, the issue described
    here is a denial of service, not remote code execution.
    
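The recursion described in the error description and problem summary, as an added illustration that is neither IBM's nor Apache's code: a minimal resolver for `${prefix:key}` lookups in a layout pattern, written once in the unbounded form whose behaviour this APAR describes and once in a form that, like the Log4j 2.17.0 rule, inserts Thread Context Map values verbatim without re-evaluating them. The layout string, the context contents and the function names are all constructed for the example.

```python
import re

# Matches a Log4j-style lookup such as ${ctx:loginId}. The "ctx" prefix
# names the Thread Context Map (MDC), whose values typically come from
# request data and are therefore attacker-influenced.
LOOKUP = re.compile(r"\$\{(?P<prefix>[A-Za-z]+):(?P<key>[^}]*)\}")


def resolve_recursive(pattern, ctx):
    """Unbounded resolver (modelled, not Log4j's code): every substituted
    ctx value is itself scanned for lookups, with no recursion cut-off."""
    def repl(m):
        if m.group("prefix") != "ctx":
            return m.group(0)              # leave other prefixes untouched
        return resolve_recursive(ctx.get(m.group("key"), ""), ctx)
    return LOOKUP.sub(repl, pattern)


def resolve_hardened(pattern, ctx):
    """Hardened resolver (modelled on the 2.17.0 rule): ctx values are
    inserted verbatim and never re-evaluated, so they cannot recurse."""
    def repl(m):
        if m.group("prefix") != "ctx":
            return m.group(0)
        return ctx.get(m.group("key"), "")
    return LOOKUP.sub(repl, pattern)


def crashes_on_self_reference(resolver, pattern, ctx):
    """True if resolving the pattern exhausts the stack, which is the
    process-terminating denial of service the APAR describes."""
    try:
        resolver(pattern, ctx)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    layout = "login=${ctx:loginId} msg=%m"        # constructed layout pattern
    benign = {"loginId": "alice"}                 # constructed MDC contents
    hostile = {"loginId": "${ctx:loginId}"}       # self-referential value
    mutual = {"a": "${ctx:b}", "b": "${ctx:a}"}   # two-step cycle
    print(resolve_recursive(layout, benign))                              # login=alice msg=%m
    print(crashes_on_self_reference(resolve_recursive, layout, hostile))  # True
    print(crashes_on_self_reference(resolve_hardened, layout, hostile))   # False
    print(resolve_hardened(layout, hostile))      # the literal ${ctx:loginId} survives
    print(crashes_on_self_reference(resolve_recursive, "${ctx:a}", mutual))  # True
```

The hardened form does not add a depth counter; it removes the re-evaluation step entirely for values that come from the context, which is the stronger property: a cycle of any length (the `mutual` case above) is harmless because no context value is ever parsed as a pattern.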

Problem conclusion

  • This problem is fixed in 5.1.2 PTF2.
    To see all Spectrum Scale APARs and
    their respective fix solutions refer to page
    
    https://public.dhe.ibm.com/storage/spectrumscale/spectrum_scale_apars.html
    
    
    Benefits of the solution:
    Applying an efix that upgrades the bundled Log4j2 to v2.17.0
    protects the customer environment from this denial-of-service
    (DoS) attack.
    Work Around:
    None
    Problem trigger:
    Third Party Advisory released by Apache
    Symptom:
    Unexpected Results/Behavior
    Platforms affected: ALL
    Functional Area affected: ALL
    Customer Impact: High Importance
    
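A check for the fix state described in the problem conclusion, as an added example that is not IBM's tooling: it reads the log4j-core version recorded in a jar's Maven metadata, classifies it against the affected range this APAR lists (2.0-alpha1 through 2.16.0, excluding 2.12.3), and can walk a directory of jars. The install path of the Scale/ESS GUI is not given on this page, so the scan root is a parameter; the sample jar is constructed in memory and carries only metadata.

```python
import io
import os
import zipfile

# Maven metadata that log4j-core jars carry; the version line inside it is
# what this check reads.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Order Log4j versions: '2.0-alpha1' < '2.0' < '2.12.3' < '2.16.0'."""
    core, _, pre = text.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums = (nums + (0, 0, 0))[:3]
    # A pre-release tag sorts before the final release of the same number.
    return (nums, 0, pre) if pre else (nums, 1, "")


AFFECTED_LOW = parse_version("2.0-alpha1")
AFFECTED_HIGH = parse_version("2.16.0")
EXCLUDED = {parse_version("2.12.3")}


def is_affected(version):
    """True if the version lies in the range the APAR lists as vulnerable."""
    v = parse_version(version)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH and v not in EXCLUDED


def jar_log4j_core_version(jar):
    """Return the log4j-core version from a jar (path or file object), or
    None if the jar is unreadable or carries no log4j-core metadata."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if POM_PROPS not in zf.namelist():
                return None
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return value.strip()
    except zipfile.BadZipFile:
        return None
    return None


def assess_jar(jar):
    """(version, affected) for one jar; (None, False) if it is not log4j-core."""
    version = jar_log4j_core_version(jar)
    return (version, is_affected(version)) if version else (None, False)


def scan_tree(root):
    """Walk a directory tree and report every jar that is an affected
    log4j-core build. Nested or shaded jars are not unpacked."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, affected = assess_jar(path)
                if affected:
                    hits.append((path, version))
    return hits


def make_sample_jar(version):
    """Constructed stand-in for a log4j-core jar (metadata only, no classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for v in ("2.16.0", "2.12.3", "2.17.0"):
        print(v, assess_jar(make_sample_jar(v)))
    # Real use: point scan_tree at the GUI's library directory (site-specific).
    # print(scan_tree("/path/to/gui/lib"))
```

The check only sees jars whose Maven metadata is intact; a log4j-core that has been shaded into another jar, or repacked without `pom.properties`, is reported as not log4j-core, so a clean scan is evidence, not proof, and should be confirmed against the efix level actually installed.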

Temporary fix

Comments

APAR Information

  • APAR number

    IJ36818

  • Reported component name

    SPEC SCALE STD

  • Reported component ID

    5737F33AP

  • Reported release

    512

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-12-21

  • Closed date

    2021-12-21

  • Last modified date

    2021-12-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SPEC SCALE STD

  • Fixed component ID

    5737F33AP

Applicable component levels

Business Unit: IBM Infrastructure w/TPS (BU058)
Product: STXKQY
Platform: Platform Independent (PF025)
Version: 512
Line of Business: Storage (LOB26)

Document Information

Modified date:
22 December 2021