Global Data Management Forum

  • 1.  DB2 Connect v11.5 and log4j vulnerability

    Posted Fri December 16, 2022 09:57 AM

    I have DB2 Connect's Unlimited Edition for System Z v11.5.0 fixpack 7 installed on some Windows 2022 servers and my Security dept. reported this issue:

    Short description: Apache Log4j Unsupported Version Detection

    Priority: 2 - High

    Description: A logging library running on the remote host is no longer supported.
    Upgrade to a version of Apache Log4j that is currently supported.

    Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to for the latest versions.
    Path: C:\Program Files\IBM\SDPShared\plugins\\lib\log4j-1.2.14.jar
    Installed version: 1.2.14

    Path: C:\Program Files\IBM\SDPShared\plugins\com.hp.hpl.jena.rdf_2.6.3.v20171117_2207\log4j-1.2.14.jar
    Installed version: 1.2.14

    The only IBM products installed are DB2 Connect related: 
    • IBM Data Server Client
    • IBM Data Server Driver Package

    Are there instructions as to how to replace the old log4j version with the fixed version? I uninstalled the old DB2 Connect v11.1 and installed the v11.5 FP 7 version in hopes that it would have replaced log4j in the directories above.

    Any help would be greatly appreciated!  I doubt that following the instructions on would work, would it?!?

    Thank you in advance!

    Zenon Piatek


  • 2.  RE: DB2 Connect v11.5 and log4j vulnerability

    Posted Thu February 23, 2023 09:43 AM

    Hello Zenon, we are facing the same issue as the one you have described. Could you please share what steps you took to remediate it?

    R Kashyap Principal Architect

  • 3.  RE: DB2 Connect v11.5 and log4j vulnerability

    IBM Champion
    Posted Fri February 24, 2023 03:57 AM

    At the time of the Log4j issue there was a special build released of V11.5.7. I don't know if the current V11.5.7 mod pack in Fix Central is that special, but I would today recommend upgrading to V11.5.8.

    However, SDPShared implies that this is an Eclipse product like Data Studio that you may have installed. If that's the case, there should be a patch available for Data Studio also in Fix Central to remedy the Log4j problem.

    Sven Heidorn

  • 4.  RE: DB2 Connect v11.5 and log4j vulnerability

    IBM Champion
    Posted Fri February 24, 2023 08:28 AM
    Edited by Jørn Thyssen Fri February 24, 2023 08:28 AM

    I believe the files in C:\Program Files\IBM\SDPShared are part of IBM Data Studio. You need to upgrade it to 4.1.4 APAR1 or later, see

    Jørn Thyssen
    Principal Solutions Advisor
    Rocket Software
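
To confirm which product directory owns each flagged jar, and to re-check after an upgrade, the scanner finding from the first post can be reproduced locally. This is an added example, not part of any post and not IBM code; the function names and the sample tree are constructed for illustration, and the root to scan is whatever directory the scanner reported.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Matches log4j jar names such as log4j-1.2.14.jar or log4j-core-2.17.1.jar
JAR_NAME = re.compile(r"^log4j(?:-core|-api)?-(\d+(?:\.\d+)*)[^/\\]*\.jar$", re.I)


def manifest_version(jar_path):
    """Return Implementation-Version from the jar manifest, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return match.group(1) if match else None


def find_log4j(root):
    """Walk root and return one finding per log4j jar."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        name = JAR_NAME.match(path.name)
        if not name:
            continue
        # Prefer the manifest; fall back to the version in the file name
        version = manifest_version(path) or name.group(1)
        findings.append({
            "path": str(path),
            "owner": path.parent.name,  # plugin/bundle directory holding the jar
            "version": version,
            "end_of_life": version.startswith("1."),  # log4j 1.x is unsupported
        })
    return findings


def build_sample_tree(base):
    """Constructed sample layout, modelled on a path in the scanner report."""
    plugin = Path(base, "SDPShared", "plugins", "com.hp.hpl.jena.rdf_2.6.3.v20171117_2207")
    plugin.mkdir(parents=True)
    with zipfile.ZipFile(plugin / "log4j-1.2.14.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.14\r\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_log4j(build_sample_tree(tmp)):
            print(finding)
```

The `owner` field is the directory that contains the jar, which is what ties a finding to the plugin or product that shipped it.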