Log4j Vulnerability Affects IBM BPM and BAW


News media sites have been blowing up this week with news of a critical vulnerability identified in Log4j, a Java logging library that is used in thousands of systems across the world. An attacker can inject a malicious log message which, when processed by Log4j, triggers a lookup that fetches malicious code, which then executes with the full privileges of the Java application using Log4j. Because the impact of the exploit (CVE-2021-44228) is so severe (allowing the attacker to take control of an impacted system) and the Log4j library is so ubiquitous, the vulnerability is potentially catastrophic.

How do I mitigate this issue on BPM / BAW servers?

IBM WebSphere and by extension BPM and BAW use Log4j, so if you are using one of these products you have some remediation steps to take. IBM have issued a security bulletin addressing the issue. Several iFixes have been released to fix the problem. You should install the appropriate fixes as soon as possible, noting that this may require you to update cumulative fixes to meet the minimum level.

In summary, there are four items to consider:

  1. WebSphere Traditional 8.5.5.x layer. Upgrade to the minimum recommended fix pack level (8.5.5.11) and then apply Interim Fix PH42728 using Installation Manager.
  2. IBM BPM includes Log4j, but it is only used by one application related to Knowledge Center, which is used to access IBM Documentation offline. You can manually uninstall the application [IBM_BPM_KC_CI_<cluster>] to remediate the impact. There is no impact to BPM or BAW functionality; this only affects the offline product documentation. An iFix has been released to delete the relevant packages and point to online documentation.
  3. Process Federation Server needs to be patched using iFix JR64456.
  4. Process Applications should be reviewed to identify which are using Log4j v2. To mitigate the risk on affected apps, one option is to upgrade the Log4j v2 server file in each affected process app to a patched version (2.16.0).
💡 Note: Updated (12/21/2021): adding the generic JVM argument -Dlog4j2.formatMsgNoLookups=true has been found to be insufficient. The safest thing to do is to upgrade Log4j to a safe version.

As an additional protection layer on top of the fixes above, just to cover all apps on the server, you can disable message lookups globally by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. This is the environment-variable form of the same formatMsgNoLookups setting, so it does not replace the upgrade. It can be done by executing this command before applications are loaded, in one of the system startup scripts:

export LOG4J_FORMAT_MSG_NO_LOOKUPS=true

or by adding LOG4J_FORMAT_MSG_NO_LOOKUPS=true to /etc/environment file.

If you are running BAW on containers, apply cumulative fix IBM Business Automation Workflow V21.0.2-IF006.
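To work through items 4 and the environment-variable layer above on a Linux server (which directories or process application archives carry a log4j-core jar below 2.16.0, and whether LOG4J_FORMAT_MSG_NO_LOOKUPS is set), here is an added inventory script. It is example code, not from the original post or from IBM; it assumes POSIX sh with find and unzip, and the WebSphere install path it scans is a placeholder.

```shell
# Added example (not from the original post): inventory log4j-core jars under a
# WebSphere / BPM / BAW install, flag any below the patched 2.16.0 level, and
# report whether the LOG4J_FORMAT_MSG_NO_LOOKUPS layer is set in this shell.
# Assumes POSIX sh, find and unzip; the install path at the bottom is a placeholder.
PATCHED_VERSION="2.16.0"

# .../log4j-core-2.14.1.jar -> 2.14.1
jar_version() {
  name=${1##*/}; name=${name#log4j-core-}; printf '%s\n' "${name%.jar}"
}

# Succeed when dotted version $1 is numerically lower than $2; a qualifier such
# as "0-beta9" counts by its leading digits only.
version_lt() {
  v1="$1." v2="$2."
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    c1=${v1%%.*}; v1=${v1#*.}; c1=${c1%%[!0-9]*}
    c2=${v2%%.*}; v2=${v2#*.}; c2=${c2%%[!0-9]*}
    if [ "${c1:-0}" -lt "${c2:-0}" ]; then return 0; fi
    if [ "${c1:-0}" -gt "${c2:-0}" ]; then return 1; fi
  done
  return 1
}

# One-word verdict for a log4j-core version against PATCHED_VERSION.
log4j_status() {
  if version_lt "$1" "$PATCHED_VERSION"; then echo VULNERABLE; else echo OK; fi
}

# Walk a tree: loose log4j-core jars plus copies bundled inside .ear/.war
# archives (how process applications are packaged). Prints "<VERDICT> <version> <path>".
scan_dir() {
  find "$1" -type f \( -name 'log4j-core-*.jar' -o -name '*.ear' -o -name '*.war' \) 2>/dev/null |
  while IFS= read -r f; do
    case "$f" in
      *.jar) v=$(jar_version "$f"); printf '%s %s %s\n' "$(log4j_status "$v")" "$v" "$f" ;;
      *) unzip -Z1 "$f" 2>/dev/null | grep -E '(^|/)log4j-core-[^/]*\.jar$' |
         while IFS= read -r inner; do
           v=$(jar_version "$inner")
           printf '%s %s %s!/%s\n' "$(log4j_status "$v")" "$v" "$f" "$inner"
         done ;;
    esac
  done
}

# "active" when the global no-lookups environment layer is present, else "missing".
no_lookups_layer() {
  if [ "$LOG4J_FORMAT_MSG_NO_LOOKUPS" = "true" ]; then echo active; else echo missing; fi
}

# Usage (placeholder WebSphere root; the profiles live beneath it).
if [ -d /opt/IBM/WebSphere/AppServer ]; then scan_dir /opt/IBM/WebSphere/AppServer; fi
echo "LOG4J_FORMAT_MSG_NO_LOOKUPS layer: $(no_lookups_layer)"
```

Run it as the WebSphere service user so the profile directories are readable, and repeat after applying the iFixes to confirm no VULNERABLE lines remain.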

If you need help with this upgrade, don't hesitate to reach out - we are here to help. Ask in the chat below, or fill out our contact form or schedule a call.

Rama Athreya

Austin, TX

Nick Laughton