December 2021 Security Alert

By now, we hope you have heard about the Log4j2 vulnerability, and that it can affect your IBM i if you are using Log4j2 in any of your applications.

Log4j2 Vulnerability – Need to check if Log4j2 is being used

As with any security vulnerability, one of the best things to do is keep up to date with PTFs. You should be regularly applying IBM PTFs to your system so that known security fixes are installed. If you don’t have the experience to put PTFs on, or you just don’t wish to do it for any reason, we can put PTFs on to your system, either one time, or better on a regular cadence. Contact Ron Dolan at [email protected] for more information.

IBM has no mitigation published except for WAS 8.5 and 9.0. It is likely that other IBM i products are affected but have not been published yet. All systems are likely affected. Manual remediation is required if you use Log4j with custom applications. Have your developers check whether they are using Log4j2, following the instructions below. While we are on the subject, the IBM Product Security Incident Response (PSIRT) website is worth following. We will also be providing updates as they come to all our PTF customers.

Review current security bulletins from the IBM Product Security Incident Response (PSIRT) site. https://www.ibm.com/support/pages/node/732299

At this time, CVE-2021-44228 is not listed as an IBM i Apache vulnerability.
https://www.ibm.com/support/pages/node/1170946

The system administrator should determine whether the Apache Log4j2 <=2.14.1 modules are in use (assuming manual download & classloading):
qsh
find /qibm/proddata -name 'log4j-core-2*.jar'
find /qibm/userdata -name 'log4j-core-2*.jar'
F6 to spool output
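
As an added example (not part of the original alert and not IBM tooling), here is a POSIX shell wrapper around the two find commands above that reads the version from each jar's file name and flags those in the <=2.14.1 range the alert names. The function names and status labels are this example's own, and it assumes each jar keeps its standard log4j-core-<version>.jar name.

```shell
#!/bin/sh
# Added example (not from the original post). Threshold taken from the page:
# Log4j2 <= 2.14.1. The version is read from the jar file name only.

# classify_jar PATH -> prints affected-range | above-2.14.1 | unknown
classify_jar() {
    ver=${1##*/log4j-core-}       # strip directory and artifact prefix
    ver=${ver#log4j-core-}        # same, for a bare file name
    ver=${ver%.jar}
    ver=${ver%%-*}                # drop qualifiers such as -beta9
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                   # split into major minor patch
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    if [ "$major" != 2 ]; then
        echo unknown
    elif [ "$minor" -lt 14 ] || { [ "$minor" -eq 14 ] && [ "$patch" -le 1 ]; }; then
        echo affected-range
    else
        echo above-2.14.1
    fi
}

# scan_log4j DIR... -> one line per jar found: "<status> <path>"
scan_log4j() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip directories that do not exist
        find "$dir" -name 'log4j-core-2*.jar' -print 2>/dev/null |
        while IFS= read -r jar; do
            printf '%s %s\n' "$(classify_jar "$jar")" "$jar"
        done
    done
}

# With no arguments, search the two directories the alert lists.
[ "$#" -gt 0 ] || set -- /qibm/proddata /qibm/userdata
scan_log4j "$@"
```

A file-name search only finds jars stored under their standard name; copies bundled inside other archives are not listed.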

The NIST link below shows how to resolve this at this time.
CVE-2021-44228 is still being investigated by NIST.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Apache.org is tracking it as well.
https://logging.apache.org/log4j/2.x/security.html

There are some great details and an explanation of how it is used to exploit data here: https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j

Remember, security isn’t a one-and-done process, it’s an ongoing process that must be constantly updated as new vulnerabilities arise. Speaking of which, have you ever had an IBM i security assessment done? You would be surprised at how many security issues we find when we do a security assessment or penetration test. My customers think they are secure, then we show up and show them things that are wrong. Don’t let your security be compromised, the job you save may …

The post December 2021 Security Alert first appeared on iTech Solutions Group.
