A note on the global “log4j” security vulnerability

rswanson
Wed, 12/15/2021 – 17:30

Posted on December 15, 2021

This week brought news of a remotely exploitable vulnerability, CVE-2021-44228 (widely known as "Log4Shell"), affecting applications that run on Java. Specifically, any application using the popular Apache log4j logging library may, under certain circumstances, let an attacker execute arbitrary code on the server simply by getting a crafted string into something the application logs. This includes applications running on IBM i.

While Valence does include a copy of log4j for logging JDBC connection information when accessing remote databases through Nitro App Builder or the vvOut_execSQLtoJSON RPG Toolkit procedure, the version Valence ships, 1.2.17, predates the JNDI message-lookup feature introduced in the log4j 2.0 line that CVE-2021-44228 exploits. Additionally, in Valence, Java is used only as a backend-callable utility; for remoteDB support it runs inside a standalone non-CGI batch job named VBCH**** or VRMT**** and is not callable in any way from the UI. So, as far as Valence itself goes, there should be nothing to be concerned about. (For completeness: the 1.2.x line is end-of-life and has its own, separate issue, CVE-2021-4104 in JMSAppender, which is only reachable when an attacker can already write to the log4j configuration.)

That said, out of an abundance of caution, the latest Valence 6 build (6.0.20211209.1) includes an update to the remoteDB logic that drops the log4j utility entirely, logging JDBC activity to a file by an alternative method. Once you download and install this build, Valence will no longer use any log4j routines at all.

However, you may still have other third-party applications or custom programs on your system that use Java and need to be addressed. As a quick stopgap, you can set a system-level environment variable that disables message lookups in log4j 2.10 through 2.14.1. Two caveats: it has no effect on affected 2.x releases older than 2.10, and it is only picked up by jobs started after it is set, so any JVM already running must be restarted. Apache later found that this setting does not cover every configuration, so treat it as a stopgap, not a fix:

ADDENVVAR ENVVAR(LOG4J_FORMAT_MSG_NO_LOOKUPS) VALUE('true') REPLACE(*YES) LEVEL(*SYS)

Even with this environment variable in place, it is advisable to reach out to any third-party application providers that may be using log4j on your system to see whether they have a patch, which will generally mean updating to log4j 2.15.0 or later. Where a vendor cannot patch promptly, the mitigation Apache recommends for every affected 2.x release is to delete the JndiLookup class from the log4j-core jar; that is also the check worth making when you inventory jars, since a jar without that class is not exploitable through this bug even at an affected version number.

For further information, IBM’s open source guru Jesse Gorzinski has published an article at Tech Channel with an IBM i-centric overview of the log4j problem, which includes a link to a piece by database guru Scott Forstie showing how to use SQL to locate any reference to “log4j” in your IFS. The folks at iTech Solutions Group have also provided simple instructions for manually scanning the IFS to find potentially vulnerable versions of log4j.
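The scan the articles above describe, as an added example that is not Valence's, IBM's or iTech's code: it walks a directory tree (on IBM i, the IFS), opens every jar, war, ear and zip it finds, reads the log4j version from the Maven metadata inside the archive, checks whether JndiLookup.class is present, and says whether the LOG4J_FORMAT_MSG_NO_LOOKUPS stopgap applies to that version. Nested jars inside a war are checked too. The sample archives it scans are constructed in a temporary directory so the script runs offline; the version and class-file rules are taken from the Apache advisory for CVE-2021-44228.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata inside the jar: the 2.x core artifact and the old 1.x artifact.
POM_PATHS = (
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
    "META-INF/maven/log4j/log4j/pom.properties",
)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(props_text):
    """Pull 'version=...' out of a Maven pom.properties body."""
    m = re.search(r"^version=(.+)$", props_text, re.M)
    return m.group(1).strip() if m else None


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Pre-release tags are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def classify(version, has_jndi_class):
    """Return (status, env_var_helps) for one log4j artifact, per the Apache advisory:
    1.x has no message lookups (not affected by 44228; EOL, separate CVE-2021-4104);
    2.0-beta9..2.14.1 are affected while JndiLookup.class is present;
    LOG4J_FORMAT_MSG_NO_LOOKUPS only takes effect on 2.10..2.14.1; 2.15.0+ is fixed."""
    if version is None:
        if has_jndi_class:
            return "suspect: JndiLookup.class present, version unknown (shaded jar?)", False
        return "unknown: no log4j Maven metadata", False
    vt = version_tuple(version)
    if not vt:
        return "unknown: unparseable version %r" % version, False
    if vt[0] < 2:
        return "log4j 1.x: not affected by CVE-2021-44228 (EOL, see CVE-2021-4104)", False
    if vt >= (2, 15):
        return "fixed: 2.15.0 or later", False
    env_helps = vt >= (2, 10)
    if has_jndi_class:
        return "VULNERABLE: CVE-2021-44228 (JndiLookup.class present)", env_helps
    return "mitigated: JndiLookup.class removed", env_helps


def scan_archive(zf, label, depth=0):
    """Inspect one open ZipFile and recurse into nested jars (e.g. WEB-INF/lib)."""
    names = set(zf.namelist())
    version = next((parse_version(zf.read(p).decode("utf-8", "replace"))
                    for p in POM_PATHS if p in names), None)
    findings = []
    if version is not None or JNDI_CLASS in names:
        status, env_helps = classify(version, JNDI_CLASS in names)
        findings.append({"archive": label, "version": version,
                         "status": status, "env_var_mitigates": env_helps})
    if depth < 3:  # nested archives are common; unbounded descent is not wanted
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        findings.extend(scan_archive(inner, f"{label}!{name}", depth + 1))
                except zipfile.BadZipFile:
                    pass
    return findings


def scan_tree(root):
    """Walk a directory tree (on IBM i, the IFS) and report every log4j artifact."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(scan_archive(zf, os.path.relpath(full, root)))
                except zipfile.BadZipFile:
                    pass
    return findings


def _make_jar(target, version, pom_path, with_jndi):
    """Write a stand-in jar: Maven metadata plus, optionally, a fake JndiLookup.class."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(pom_path, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def build_samples():
    """Constructed sample archives (not real log4j builds) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    core2, old1 = POM_PATHS
    _make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", core2, True)
    _make_jar(os.path.join(root, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", core2, False)
    _make_jar(os.path.join(root, "log4j-core-2.8.2.jar"), "2.8.2", core2, True)
    _make_jar(os.path.join(root, "log4j-1.2.17.jar"), "1.2.17", old1, False)
    inner = io.BytesIO()  # a web app bundling a patched core under WEB-INF/lib
    _make_jar(inner, "2.15.0", core2, True)  # 2.15.0 still ships the class but is fixed
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", inner.getvalue())
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_samples()
    for f in scan_tree(root):
        print(f"{f['archive']}: {f['version']} -> {f['status']} (env var helps: {f['env_var_mitigates']})")
```

Run it with a root directory as the single argument (for example `/` on IBM i) to scan a real tree; without an argument it scans the constructed samples. The version check alone is not enough: a jar whose JndiLookup.class has been deleted is reported as mitigated even at 2.14.1, and a shaded jar with the class but no Maven metadata is flagged as suspect rather than silently skipped.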


Search Results for “2021-44228”

Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228)

Dec 15, 2021 7:04 pm EST | Critical Severity

Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the log4j library. Updating log4j to a version 2.15.0 or higher also addresses CVE-2021-4104.

Security Bulletin: Vulnerability exists in Watson Explorer (CVE-2021-44228)

Dec 15, 2021 7:04 pm EST | Critical Severity

Log4j is used by IBM Watson Explorer to log system events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228, by upgrading Watson Explorer and thus addressing the exposure to the log4j vulnerability.

Security Bulletin: Vulnerability in Apache Log4j addressed in IBM Spectrum Symphony

Dec 15, 2021 7:03 pm EST | Critical Severity

Log4j is used by IBM Spectrum Symphony for generating logs in some of its components. This bulletin provides mitigations for the Log4Shell vulnerability (CVE-2021-44228) by applying the applicable workaround to IBM Spectrum Symphony.

Security Bulletin: IBM Planning Analytics 2.0: Apache log4j Vulnerability (CVE-2021-44228)

Dec 15, 2021 7:03 pm EST | Critical Severity

Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.

Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC

Dec 15, 2021 7:02 pm EST | Critical Severity

Log4j is used by IBM Power Hardware Management Console (HMC) for logging system/application events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228, by upgrading the IBM Power Hardware Management Console (HMC) with the respective PTF and thus addressing the exposure to the log4j vulnerability.

Security Bulletin: IBM Security Access Manager 9.0.7.1 and IBM Security Verify Access 10.0.0.0 may be affected by the log4j vulnerability (CVE-2021-44228)

Dec 15, 2021 7:01 pm EST | Critical Severity

The IBM Security Access Manager 9.0.7.1 and IBM Security Verify Access 10.0.0.0 product ships the One-time Password component, which embeds a vulnerable version of the log4j library. This has been fixed in the latest supported versions of the product. Customers should move up to the latest supported versions.

Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

Dec 15, 2021 7:00 pm EST | Critical Severity

IBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.

Security Bulletin: i2 Analyze, i2 Connect and Analyst’s Notebook Premium are affected by the Log4j vulnerability (CVE-2021-44228)

Dec 15, 2021 7:00 pm EST | Critical Severity

Log4j is used by i2 Analyze and i2 Connect for general purpose and application error logging. It is also used in Analyst's Notebook Premium when the chart store is deployed. This bulletin provides mitigation for the reported CVE-2021-44228 by providing configuration that addresses Log4j being vulnerable.

Security Bulletin: IBM Cognos Controller 10.4.2 IF15: Apache log4j Vulnerability (CVE-2021-44228)

Dec 15, 2021 5:35 pm EST | Critical Severity

IBM Cognos Controller is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.




My SimpleLogger can be a Replacement for Log4J

In this blog post, don’t get me wrong, I think Log4J is a great product and I am not trying to discourage anyone from using it.

I have used Log4J v1.x on hundreds of projects for customers and myself. It has always worked exactly as expected. I have never used Log4J v2.x, so I cannot/will not comment on the current security vulnerability that has been discovered.

All of the logging I have configured for use with Log4J has been extremely basic. I use the basic appender and have it write to a file. That's it. Basically, I am using probably 5% of the available features. So, over time, I have been slowly moving away from Log4J and just using my own simple logger because that is all I have ever needed.

So, this week I spent some time prettying up my SimpleLogger code. It was written in a similar style to Log4J but there is no configuration file for it. The code is thread-safe and can be used in any project that requires simple logging code.

public static void setLogFile(String logFileName)
public static void setLogFile(String logFileName, String logDirectory)
public static void close()
public static void setIncludePackageName(boolean flag)
public static void setLevel(LogLevel ll)
public static void setMaxBackupFiles(int maxCount)
public static void setMaxFileSize(int maxSize)
public static void setRotationType(LogRotationType rt)
public static void error(Object data)
public static void warn(Object data)
public static void info(Object data)
public static void debug(Object data)
public static void errorDump(String title, Object data)
public static void warnDump(String title, Object data)
public static void infoDump(String title, Object data)
public static void debugDump(String title, Object data)

Here is a simple tester Java program that shows how to use the various methods:

package com.capitalware.logging;

import com.capitalware.logging.SimpleLogger.*;

/**
 * This class will test the SimpleLogger class.
 *
 * @author Roger Lacroix, Capitalware Inc.
 * @version 1.0.0
 * @license Apache 2 License
 */
public class Test_Logger
{
   public Test_Logger()
   {
      // Backslashes must be escaped in a Java string literal; "C:\temp\" would not compile.
      SimpleLogger.setLogFile("Test_Logger.log", "C:\\temp\\");
      SimpleLogger.setLevel(LogLevel.DEBUG);
      SimpleLogger.setRotationType(LogRotationType.SIZE);
      SimpleLogger.setIncludePackageName(false);

      SimpleLogger.error("this is a test message for error.");
      SimpleLogger.warn("this is a test message for warn.");
      SimpleLogger.info("this is a test message for info.");
      SimpleLogger.debug("this is a test message for debug.");

      SimpleLogger.debugDump("Kids song", "Mary had a little lamb, Little lamb, little lamb, Mary had a little lamb Whose fleece was white as snow.".getBytes());

      SimpleLogger.close();
   }

   public static void main(String[] args)
   {
      new Test_Logger();
   }
}

Here’s what the output looks like in the log file:

2021/12/15 20:27:58.187 ERROR (Test_Logger.<init>) this is a test message for error.
2021/12/15 20:27:58.188 WARN (Test_Logger.<init>) this is a test message for warn.
2021/12/15 20:27:58.188 INFO (Test_Logger.<init>) this is a test message for info.
2021/12/15 20:27:58.188 DEBUG (Test_Logger.<init>) this is a test message for debug.
2021/12/15 20:27:58.188 DEBUG (Test_Logger.<init>) Kids song -->>
2021/12/15 20:27:58.188 DEBUG (Test_Logger.<init>) 000000: 4D617279 20686164 2061206C 6974746C 65206C61 6D622C20 4C697474 6C65206C Mary had a little lamb, Little l
2021/12/15 20:27:58.188 DEBUG (Test_Logger.<init>) 000020: 616D622C 206C6974 746C6520 6C616D62 2C204D61 72792068 61642061 206C6974 amb, little lamb, Mary had a lit
2021/12/15 20:27:58.188 DEBUG (Test_Logger.<init>) 000040: 746C6520 6C616D62 2057686F 73652066 6C656563 65207761 73207768 69746520 tle lamb Whose fleece was white
2021/12/15 20:27:58.188 DEBUG (Test_Logger.<init>) 000060: 61732073 6E6F772E as snow.
2021/12/15 20:27:58.188 DEBUG (Test_Logger.<init>) <<-----

I have generated the JavaDocs for the SimpleLogger class and created a JAR file for SimpleLogger for users to use. I zipped up the JavaDocs, the JAR file and the source code for both the Test_SimpleLogger.java program and SimpleLogger.java. You can download it from here.

Simply add the SimpleLogger JAR file to your application or add the SimpleLogger source code to your utility (or handler) package of your application and then start using it.

Regards,
Roger Lacroix
Capitalware Inc.
