Looking for people to share some hidden away @code extensions that I might be missing. I’ve got the usual eslint, gitlens, etc, but what other hidden gems are there I am missing?
– Liam barry Allan (@notesofbarry)19:41 – Dec 15, 2021
A note on the global “log4j” security vulnerability
rswanson
Wed, 12/15/2021 – 17:30
This week brought news of an exploitable hack to which certain applications executing Java may be vulnerable. Specifically, any applications using the popular Apache log4j logging tool may, under certain circumstances, be exposed to hackers executing nefarious code on their servers. This includes applications running on IBM i.
While Valence does include a version of log4j for logging JDBC connection info when accessing remote databases through Nitro App Builder or the vvOut_execSQLtoJSON RPG Toolkit procedure, the log4j version Valence uses, 1.2.17, predates the exploitable functionality introduced in log4j version 2.0. Additionally, in Valence Java is used only as a backend-callable utility, which for remoteDB support runs inside a standalone non-CGI batch job called VBCH**** or VRMT****, and is not directly callable in any way from the UI. So there should be nothing to be concerned with insofar as Valence goes.
That said, out of an abundance of caution, the latest Valence 6 build (6.0.20211209.1) includes an update to the remoteDB logic that drops the use of the log4j utility entirely, using an alternative method to log JDBC activity into a log file. So once you download and install this build onto your system, you will have eliminated Valence’s use of any log4j routines altogether.
However, you may still have other third-party applications or custom programs using Java on your system that need to be addressed. As a quick stopgap measure, you can set a system-level environment variable that disables JNDI lookups in more recent versions of log4j:
ADDENVVAR ENVVAR(LOG4J_FORMAT_MSG_NO_LOOKUPS) VALUE('true') REPLACE(*YES) LEVEL(*SYS)
Even with this environment variable in place, it would be advisable to reach out to any third party application providers that may be using log4j on your system to see if they have a patch, which may include updating to log4j version 2.15.
For further information, IBM’s open source guru Jesse Gorzinski has published an article at Tech Channel with an IBM i-centric overview of the log4j problem, which includes a link to a piece by database guru Scott Forstie showing how to use SQL to locate any reference to “log4j” in your IFS. The folks at iTech Solutions Group have also provided simple instructions for manually scanning the IFS to find potentially vulnerable versions of log4j.
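An added example, not taken from the post or from the IBM i articles it links, showing the kind of inventory those articles describe: walk a directory tree (an IFS path on IBM i, any filesystem elsewhere), find every log4j jar, and classify it by reading the jar's own contents rather than trusting the file name. The class and pom.properties paths used as fingerprints are the standard ones shipped in log4j 1.x and 2.x jars; the 2.15.0 threshold follows the post's own guidance, and the sample jars in demo() are constructed stand-ins containing only those fingerprint entries.

```python
import os, tempfile, zipfile

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE2 = "org/apache/logging/log4j/core/Logger.class"
LOG4J1 = "org/apache/log4j/Logger.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(path):
    """Classify one jar; None means it is not a log4j artifact at all."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if LOG4J1 in names:
            return "log4j-1.x"  # predates the JNDI lookup of CVE-2021-44228
        if CORE2 not in names:
            return None
        if JNDI not in names:
            return "jndi-class-removed"  # lookup class stripped from the jar
        version = ()
        if POM in names:  # Maven metadata inside the jar carries the version
            for line in jar.read(POM).decode().splitlines():
                if line.startswith("version="):
                    version = tuple(int(p) for p in line[8:].split("-")[0].split(".") if p.isdigit())
        return "patched" if version >= (2, 15, 0) else "vulnerable"  # unknown version => vulnerable

def scan_tree(root):
    findings = {}  # jar file name -> status, for every log4j jar under root
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".jar")):
            try:
                status = inspect_jar(os.path.join(dirpath, name))
            except zipfile.BadZipFile:
                status = "unreadable"  # named .jar but not a valid zip archive
            if status:
                findings[name] = status
    return findings

def demo():
    root = tempfile.mkdtemp()
    samples = {  # constructed stand-ins holding only the fingerprint entries, no real bytecode
        "lib/log4j-1.2.17.jar": {LOG4J1: b""},
        "app/log4j-core-2.14.1.jar": {CORE2: b"", JNDI: b"", POM: b"version=2.14.1\n"},
        "app/log4j-core-2.15.0.jar": {CORE2: b"", JNDI: b"", POM: b"version=2.15.0\n"},
    }
    for rel, entries in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)
    return scan_tree(root)
```

Jars that embed log4j classes inside another archive (shaded or nested jars) are not opened here, so a clean result from this scan is a starting point, not a guarantee.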
Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the log4j library. Updating log4j to a version 2.15.0 or higher also addresses CVE-2021-4104.
Log4j is used by IBM Watson Explorer to log system events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228, by upgrading Watson Explorer and thus addressing the exposure to the log4j vulnerability.
Log4j is used by IBM Spectrum Symphony for generating logs in some of its components. This bulletin provides mitigations for the Log4Shell vulnerability (CVE-2021-44228) by applying the applicable workaround to IBM Spectrum Symphony.
Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.
Log4j is used by IBM Power Hardware Management Console (HMC) for logging system/application events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228, by upgrading the respective IBM Power Hardware Management Console (HMC) PTF and thus addressing the exposure to the log4j vulnerability.
The IBM Security Access Manager 9.0.7.1 and IBM Security Verify Access 10.0.0.0 products ship the One-time Password component, which embeds a vulnerable version of the log4j library. This has been fixed in the latest supported versions of the product. Customers should move up to the latest supported versions.
IBM Cognos Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.
Log4j is used by i2 Analyze and i2 Connect for general purpose and application error logging. It is also used in Analyst's Notebook Premium when the chart store is deployed. This bulletin provides mitigation for the reported CVE-2021-44228 by providing configuration that addresses Log4j being vulnerable.
IBM Cognos Controller is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.
Read the Forrester study to learn more about the potential ROI of @IBM i for businesses when deploying the #IBM i #operatingsystem on #IBMPower Systems in hardware or in the cloud >>> bit.ly/3HpUTmT
#IBMi #datastorage #hybridcloud #cloudtechnology pic.twitter.com/wQawAdiGUU
– Mid-Range (@MidRange1)12:18 – Dec 15, 2021
Welcome the progressive web application—a way to create a universal experience across mobile and desktop alike and to view and utilize the web in a completely new way while increasing your marketability.
However, what you should know is that many of the standards that make progressive web applications possible are not new, but with the emergence of key technologies such as the service worker, PWAs are more poised than ever to create scalable, reliable, and flexible experiences within the browser.