WAS | WebSphere 전체 Log4j 보안 취약점 관련 내용 정리
WebSphere 전체 Log4j 보안 취약점 관련 내용 정리
Security Bulletin: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| WebSphere Application Server Liberty | Continuous delivery |
| WebSphere Application Server | 9.0 |
| WebSphere Application Server | 8.5 |
| WebSphere Application Server | 8.0 |
| WebSphere Application Server | 7.0 |
관련 취약점 내용
아래의 이슈 사항을 확인 해보면 되지만 간략하게 정리 했습니다. 전체 플랫폼의 이슈되는 APP는 UDDI.ear 이면 기본적으로 구성을 위해 별도의 설치가 필요합니다.(미 사용중이라 영향도 없음)
결국 9.x kc.war 문제가 되며 해당 APP 경우 관리콘솔 도움말에 사용중 인 것으로 보이며, 문제가 되는 클래스 제거하거나 라이브러리를 제거 하는 식으로 임시 조치를 취하고 있습니다.
1. WebSphere Application Server traditional release 9.0 only:
Remove <WAS_HOME>/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar from any system running the WebSphere admin console and restart the application server.
Note: If any future service (prior to 8.5.5.21 or or 9.0.5.11) is applied to the install the log4j files will be restored without warning.
If the kc.war application has been installed then uninstall it. For instructions on how to determine if kc.war is installed see question Q9 in our Log4Shell (CVE-2021-44228) FAQ.
Remove <WAS_HOME>/installableApps/kc.war
2. All WebSphere Application Server traditional releases:
Users of the UDDI Registry Application: Remove log4j*.jar from within the <WAS_HOME>/installableApps/uddi.ear
archive and update (redeploy) any installed (deployed) copies of the UDDI Registry application.
Users who do not use the UDDI Registry Application should remove <WAS_HOME>/installableApps/uddi.ear
IBM 보고된 내용 링크
https://www.ibm.com/support/pages/node/6526750
3. Log4j 1.x 추가 사항
웹스피어의 경우 이경우가 UDDI.ear 따로 해당 기능을 사용하지 않으면 추가적인 조치가 필요 없음)
Is Log4j 1.x vulnerable
There is still a lot of information coming out surrounding Log4Shell. At the time this blog was published, Apache said that Log4j 1.2 is vulnerable in a similar way when Log4j is configured to use JMSAppender, which is not part of the default configuration, but is not specifically vulnerable to CVE-2021-44228. This vulnerability in Log4j 1.2 has been assigned CVE-2021-4104.
Is there a patch available for Log4j 1.2?
No, Log4j branch 1.x has reached end of life (EOL) status, and therefore does not receive security updates. Users are instructed to upgrade to Log4j 2.12.2 (for Java 7) or 2.16.0 or greater.
How do I address CVE-2021-4104?
There are a few mitigation options that can be used to prevent exploitation of CVE-2021-4104.
- Do not use the JMSAppender in the Log4j configuration
- Remove the JMSAppender class file (org/apache/log4j/net/JMSAppender.class)
- Limit OS user access to prevent an attacker from being able to modify the Log4j configuration
0 Comments:
댓글 쓰기