Log4j is continuing to sting big names in the IT industry, with IBM the latest to discover products vulnerable to the Apache Struts logging bug.
Big Blue’s latest advisories cover two security products, Security Guardium, and IBM’s Common Cryptographic Architecture for MTM 4767.
Security Guardium versions 10.5, 10.6, and 11.0 through 11.4 are affected, because they use the Apache utility in their logging infrastructure.
Only one of the multiple vulnerabilities discovered last year affects Security Guardium – CVE-2021-4104, the deserialisation vulnerability in the utility’s JMSAppender.
IBM’s fix for the security environment is an appliance patch which the company says replaces Log4j 1.x with Log4j2 V2.17.1.
In the IBM Common Cryptographic Architecture (CCA), the Log4j bugs affect the Crypto Hardware Initialization and Maintenance (CHIM).
IBM’s advisory lists all four Log4j bugs – CVE-2022-23307, CVE-2022-23302, CVE-2021-4104, and CVE-2022-23305 – as affecting the CCA.
As with Security Guardium, the fix for CCA replaces Log4j 1.x with Log4j2 V2.17.1.
As iTnews explained when the Log4j vulnerability was first discovered: “When a vulnerable application writes to a log file, the default Log4j configuration means the library looks up a server which, if an attacker controls it, can be set to send a malicious response from that system.
“The response can contain a remote Java class file which is injected into the server process and executed with the same privileges as the vulnerable application using the logging library.”
