Apache Log4j vulnerability
Announcement: Apache Log4j vulnerability
We are continuing to inventory IBM products and systems potentially impacted by the reported Apache Log4j vulnerability. As necessary, we are updating to Log4j version 2.15, which fixes the vulnerability, and applying mitigations in the interim.
While our inventory and remediation efforts are underway, we are evaluating existing controls that would prevent a successful attack, monitoring to quickly detect if anyone attempts to take advantage of this potential vulnerability and will isolate and take other actions as appropriate.
If an IBM product is impacted, there will be a bulletin posted for that product as a fix is available. On-premise IBM products will have to be updated per recommendations within the IBM Product Security Incident Response blog at IBM PSIRT Blog (https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/)
Additionally, you can subscribe to IBM product security bulletins to be notified when one is published here: https://www.ibm.com/support/mynotifications
If you would like further support or information on this or other IBM announcements please contact us firstname.lastname@example.org