The announcement of a critical vulnerability has caused a stir among organizations using the IBM License Metric Tool (ILMT), as ILMT was affected by the Apache Log4j 2 Java library vulnerability. The vendor rated the vulnerability as “critical”.
[More information about the Log4j library and what the CVE-2021-44228 vulnerability covers is available on the Apache Logging Services Project website.]
The security risk affects the VM Manager Tool component of ILMT versions 220.127.116.11 – 18.104.22.168 on all platforms. The official fix recommended by the vendor is to install the latest 22.214.171.124 version update. The patch may also remove the Log4j 1.x library from the server. According to the announcement, this is the preferred way to mitigate the vulnerability, meaning the exposure can be eliminated by updating the ILMT server. As a workaround, it is recommended to update the Log4j library or to change the configuration of its current version.
Since the announcement it has become clear that installing the latest version alone will not resolve the issue, as the bundled version 2.15 of the library is still affected, so version 2.17 always has to be installed manually after the upgrade.
The answer to the question in the title is that, purely to fix the vulnerability, it is not worth upgrading to a new version of ILMT, as the upgrade does not solve the problem on its own. Apart from that, the yearly upgrade of ILMT is strongly recommended. Compliant and efficient license management is only possible with an up-to-date tool, and IBM’s licensing T&Cs require the use of the latest version.
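To confirm after an upgrade that the bundled library was really replaced, here is an added example (not from the original post or from IBM) that walks an installation tree and flags any log4j-core jar below 2.17.0; the ILMT_HOME path /opt/ibm/LMT is an assumed placeholder, adjust it to your server.

```shell
#!/bin/sh
# Added example, not from the original post or IBM: report log4j-core jars
# below 2.17.0 under an ILMT installation. ILMT_HOME is an assumed placeholder.
ILMT_HOME="${ILMT_HOME:-/opt/ibm/LMT}"

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$first" = "$1" ]
}

# jar_version FILE: derive the Log4j 2 version from a log4j-core-<ver>.jar name.
# (Log4j 1.x jars are named log4j-1.x.y.jar and are not matched here.)
jar_version() {
  basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\)$/\1/p'
}

# check_version VER: print a verdict and fail (exit 1) when VER is below 2.17.0.
check_version() {
  if version_lt "$1" "2.17.0"; then
    echo "VULNERABLE: log4j-core $1 (below 2.17.0)"
    return 1
  fi
  echo "OK: log4j-core $1"
  return 0
}

# scan_ilmt DIR: check every log4j-core jar under DIR; fail if any is too old.
# Paths containing whitespace are not handled by this simple loop.
scan_ilmt() {
  rc=0
  for jar in $(find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null); do
    printf '%s -> ' "$jar"
    check_version "$(jar_version "$jar")" || rc=1
  done
  return $rc
}

scan_ilmt "$ILMT_HOME" || echo "Log4j 2 below 2.17.0 is still present under $ILMT_HOME"
```

Run it as root on the ILMT server after the upgrade; a non-zero exit means the manual 2.17 installation still has to be done.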
IPR-Insights provides ongoing IBM license management and license optimization services to several of its key customers, one of the core elements of which is the maintenance of the IBM License Metric Tool.
The use of ILMT is not only an option but also a condition of IBM’s license agreements. If you’re interested in why it’s important, check out our page.