Security and the IBM Tools

Let’s talk about security for a minute.

On December 9th, 2021, a vulnerability in the Log4j logging library was announced. If you read or heard about that and thought it was no big deal, please talk to your security team to make sure your company is working to identify and remediate any impact. The vulnerability, known as Log4Shell (CVE-2021-44228), is a Remote Code Execution (RCE) flaw: an attacker who can get a crafted string into something the application logs can make the application fetch and run code from a server the attacker controls. It is so severe that it carries a CVSS score of 10.0, the highest score possible under the industry's vulnerability rating system.

If you are not a developer, you may not be familiar with Log4j, but you need to understand that it is everywhere. It is bundled into many of the applications we use and take for granted every day, including iCloud, Twitter, Amazon, Minecraft, Tesla and many more, and one estimate circulating at the time put it in at least 31% of all websites.
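Because Log4j is almost always bundled inside some other product rather than installed on its own, the first job for most teams was simply finding every copy on disk. Below is an added example (it is not code from this post, from IBM, or from the Log4j project) of a small Python scanner that walks a directory tree, opens every .jar/.war/.ear/.zip, descends into archives nested inside archives (a log4j-core jar under a WAR's WEB-INF/lib, for instance), reads the log4j-core version from its Maven pom.properties entry and checks whether the JndiLookup class that Log4Shell abuses is still packaged. The entry paths are the ones real log4j-core jars use; the fix levels it applies are the published ones (2.17.1 on the main line, 2.12.4 and 2.3.2 for the Java 7 and Java 6 back-ports); the three archives it scans in demo() are constructed in memory so the example runs offline.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str          # archive path; nested archives are joined with "!"
    version: str       # log4j-core version from pom.properties, or "unknown"
    jndi_lookup: bool  # JndiLookup.class still packaged in the archive
    vulnerable: bool   # needs an upgrade according to is_vulnerable_version()

def is_vulnerable_version(version):
    """True if this log4j-core 2.x release is hit by at least one of CVE-2021-44228,
    -45046, -45105 or -44832: 2.17.1 closed the last of them on the main line, and
    2.12.4 (Java 7) and 2.3.2 (Java 6) are the back-ports that did the same.
    Log4j 1.x is a separate code base and out of scope here."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))  # "2.17.1" -> (2, 17, 1); unparsable -> (0, 0, 0)
    if v[0] != 2 or v in ((2, 12, 4), (2, 3, 2)):
        return False
    return v < (2, 17, 1)

def parse_version(pom_properties):
    m = re.search(r"^version=(.+)$", pom_properties, re.M)
    return m.group(1).strip() if m else "unknown"

def scan_archive(name, data, findings):
    """Inspect one archive held in memory, then recurse into archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else "unknown"
            has_jndi = JNDI_LOOKUP in names
            # Deleting JndiLookup.class mitigates 44228/45046 but not the later CVEs, so a
            # known-old version is still flagged; with no version info the class decides.
            vulnerable = is_vulnerable_version(version) if version != "unknown" else has_jndi
            findings.append(Finding(name, version, has_jndi, vulnerable))
        for entry in sorted(names):
            if entry.lower().endswith(ARCHIVE_EXT):
                scan_archive(f"{name}!{entry}", zf.read(entry), findings)

def scan_tree(root):
    """Return a Finding for every log4j-core under root, nested archives included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    scan_archive(path, f.read(), findings)
    return findings

def make_jar(entries):
    """Build an in-memory zip/jar from {entry_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()

def fake_log4j_core(version, keep_jndi=True):
    """Stand-in for a log4j-core jar holding only the two entries the scanner reads."""
    entries = {POM_PROPS: f"version={version}\nartifactId=log4j-core\n".encode()}
    if keep_jndi:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # class-file magic only, not a real class
    return entries

def write_sample_tree(root):
    """Constructed cases: unpatched 2.14.1, class-stripped but old 2.15.0, fixed 2.17.1 inside a WAR."""
    os.makedirs(os.path.join(root, "lib"))
    samples = {
        "lib/log4j-core-2.14.1.jar": make_jar(fake_log4j_core("2.14.1")),
        "lib/log4j-core-2.15.0.jar": make_jar(fake_log4j_core("2.15.0", keep_jndi=False)),
        "server.war": make_jar({"WEB-INF/lib/log4j-core-2.17.1.jar": make_jar(fake_log4j_core("2.17.1"))}),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

def demo():
    """Scan the constructed tree; return {version: (jndi_lookup_present, vulnerable)}."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        findings = scan_tree(root)
    return {f.version: (f.jndi_lookup, f.vulnerable) for f in findings}

if __name__ == "__main__":
    for version, (jndi, vulnerable) in demo().items():
        print("VULNERABLE" if vulnerable else "ok", version, "JndiLookup present" if jndi else "JndiLookup removed")
```

To use it on a real install, call scan_tree() on the product's installation directory (and on the application server underneath it, since that is where bundled jars usually live). Two things in the output are worth reading carefully: a jar whose JndiLookup.class has been deleted is reported as mitigated for the original RCE but still flagged if its version is older than the fix level, because the later CVEs are not addressed by removing the class; and a jar with no version information but the class present is flagged conservatively rather than ignored.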

What about IBM Software?

Yes, some IBM software is affected too. IBM has been investigating and taking action on potentially impacted products and services since the vulnerability was first reported, releasing remediations as quickly as possible and, wherever possible, removing Log4j from products and services altogether.

Some of the legacy tools, like ClearCase and ClearQuest, were identified as NOT impacted. The Jazz (ELM) tools ARE impacted, and IBM has released a patch to remediate the vulnerability. You can download iFix010 from IBM Fix Central or from the Jazz Community Site. If you have not already done so, APPLY THIS NOW. DON'T put this off!

For details on the ELM products and Log4j, see this IBM support bulletin: Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105)

To see what IBM is doing about this issue across its portfolio, review the IBM PSIRT Blog post: An update on the Apache Log4j 2.x vulnerabilities

Finally, this is a GREAT article on this issue – please take a look at it -

Until next time -
Connect with me on LinkedIn -
My Engineering Tools Demos on YouTube - Engineering Tools Demos - YouTube