Global Data Management Forum

  • 1.  DB2 Connect v11.5 and log4j vulnerability

    Posted Fri December 16, 2022 09:57 AM
    Hello,

    I have DB2 Connect Unlimited Edition for System Z v11.5.0 Fix Pack 7 installed on some Windows 2022 servers, and my Security dept. reported this issue:


    Short description: Apache Log4j Unsupported Version Detection

    Priority: 2 - High

    Description: A logging library running on the remote host is no longer supported.
    Upgrade to a version of Apache Log4j that is currently supported.

    Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.
    Path: C:\Program Files\IBM\SDPShared\plugins\com.ibm.nex.3rdparty.apache_2.2.0.v20100417_1714\lib\log4j-1.2.14.jar
    Installed version: 1.2.14

    Path: C:\Program Files\IBM\SDPShared\plugins\com.hp.hpl.jena.rdf_2.6.3.v20171117_2207\log4j-1.2.14.jar
    Installed version: 1.2.14



    The only IBM products installed are DB2 Connect-related:
    • IBM Data Server Client
    • IBM Data Server Driver Package

    Are there instructions as to how to replace the old log4j version with the fixed version?  I uninstalled the old DB2 Connect v11.1 and installed the v11.5 FP 7 version in hopes that it would have replaced log4j in the directories above.

    Any help would be greatly appreciated! I doubt that following the instructions on https://logging.apache.org/log4j/2.x/manual/migration.html would work, would it?

    Thank you in advance!

    ------------------------------
    Zenon Piatek
    ------------------------------

    #DataManagementGlobal
    #DataServerDrivers


  • 2.  RE: DB2 Connect v11.5 and log4j vulnerability

    Posted Thu February 23, 2023 09:43 AM

    Hello Zenon, we are facing the same issue as the one you have described. Could you please share what steps you took to remediate it?



    ------------------------------
    R Kashyap
    Principal Architect
    ------------------------------



  • 3.  RE: DB2 Connect v11.5 and log4j vulnerability

    Posted Fri February 24, 2023 03:57 AM

    At the time of the Log4j issue there was a special build of V11.5.7 released. I don't know if the current V11.5.7 mod pack in Fix Central is that special build, but today I would recommend upgrading to V11.5.8.

    However, SDPShared implies that this is an Eclipse product like Data Studio that you may have installed; if that's the case, there should also be a patch available for Data Studio in Fix Central to remedy the Log4j problem.



    ------------------------------
    Sven Heidorn
    ------------------------------



  • 4.  RE: DB2 Connect v11.5 and log4j vulnerability

    Posted Fri February 24, 2023 08:28 AM
    Edited by Jørn Thyssen Fri February 24, 2023 08:28 AM

    I believe the files in C:\Program Files\IBM\SDPShared are part of IBM Data Studio. You need to upgrade it to 4.1.4 APAR1 or later, see https://www.ibm.com/support/pages/node/612101



    ------------------------------
    Jørn Thyssen
    Principal Solutions Advisor
    Rocket Software
    ------------------------------
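    The thread turns on two practical questions: which jars under the install tree actually are Log4j, and whether they are still present after the Data Studio fix is applied. The script below is an added example, not IBM's code and not something any poster shared. It walks a directory tree, identifies Log4j jars by the class paths inside them rather than by file name (vendors frequently rebundle jars under other names, as the SDPShared plugin directories show), pulls the version from the manifest, pom.properties or file name, and flags the whole 1.x line as unsupported and any 2.x build below 2.17.1 as needing an upgrade. The sample tree it builds mirrors the two paths reported by the scanner in post 1, plus constructed extra jars to exercise the other branches; the plugin names used for those extras, the assumed jar contents and the 2.17.1 threshold are illustrative assumptions, not facts from the thread.

```python
"""Inventory Log4j jars under an install tree and flag unsupported versions.

Added example, not IBM's or the forum's code. The sample tree, jar contents
and version threshold below are assumptions for illustration.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Class-path markers that identify the log4j family inside a jar, independent
# of the file name (vendors often rebundle jars under other names).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Log4j 1.x reached end of life in August 2015. For 2.x, treat anything below
# 2.17.1 (the release that closed the last of the December 2021 advisories)
# as needing an upgrade; adjust this policy line to your own baseline.
LOG4J2_MIN_OK = (2, 17, 1)


def parse_version(text):
    """'1.2.14' -> (1, 2, 14); None if no dotted version number is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups(default="0"))


def jar_version(zf, name):
    """Version from MANIFEST.MF, then pom.properties, then the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for key in ("Implementation-Version:", "Bundle-Version:"):
            for line in manifest.splitlines():
                if line.startswith(key):
                    v = parse_version(line.split(":", 1)[1])
                    if v:
                        return v
    except KeyError:
        pass  # no manifest in this jar
    for entry in zf.namelist():
        if entry.startswith("META-INF/maven/") and entry.endswith("pom.properties"):
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    v = parse_version(line)
                    if v:
                        return v
    return parse_version(Path(name).name)


def classify(jar_path):
    """Return (family, version, has_jndi_lookup), or None if not a log4j jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if LOG4J1_MARKER in names:
            family = "log4j1"
        elif any(n.startswith(LOG4J2_PREFIX) for n in names):
            family = "log4j2"
        else:
            return None
        return family, jar_version(zf, str(jar_path)), JNDI_LOOKUP in names


def needs_upgrade(family, version):
    if family == "log4j1":
        return True  # the whole 1.x line is unsupported
    return version is None or version < LOG4J2_MIN_OK


def scan(root):
    """Walk root and return one finding per log4j jar, sorted by path."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        if not zipfile.is_zipfile(jar):
            continue
        info = classify(jar)
        if info is None:
            continue
        family, version, jndi = info
        findings.append({
            "path": str(jar),
            "family": family,
            "version": ".".join(map(str, version)) if version else "unknown",
            "jndi_lookup": jndi,
            "needs_upgrade": needs_upgrade(family, version),
        })
    return findings


def _make_jar(path, manifest_version, entries):
    """Write a minimal jar (zip) with optional manifest and empty class entries."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if manifest_version:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_tree():
    """Constructed sample tree: the two paths from the thread plus assumed extras."""
    root = Path(tempfile.mkdtemp(prefix="sdpshared-"))
    plugins = root / "SDPShared" / "plugins"
    _make_jar(plugins / "com.ibm.nex.3rdparty.apache_2.2.0.v20100417_1714" / "lib"
              / "log4j-1.2.14.jar", "1.2.14", [LOG4J1_MARKER])
    _make_jar(plugins / "com.hp.hpl.jena.rdf_2.6.3.v20171117_2207"
              / "log4j-1.2.14.jar", None, [LOG4J1_MARKER])  # version from file name
    # Assumed extras (not from the thread): a renamed 2.x core, a current core, a non-log4j jar
    _make_jar(plugins / "vendor.bundle_1.0.0" / "logging.jar", "2.14.1", [JNDI_LOOKUP])
    _make_jar(plugins / "vendor.bundle_1.0.0" / "log4j-core-2.17.1.jar", "2.17.1", [JNDI_LOOKUP])
    _make_jar(plugins / "other" / "commons-io-2.11.0.jar", "2.11.0",
              ["org/apache/commons/io/IOUtils.class"])
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        flag = "UPGRADE" if f["needs_upgrade"] else "ok"
        print(f"{flag:8} {f['family']:7} {f['version']:8} jndi={f['jndi_lookup']} {f['path']}")
```

    On a real server, point `scan()` at `C:\Program Files\IBM` (or the whole system drive) after applying the Data Studio fix; the two jars reported in post 1 should no longer appear, and anything still listed with `UPGRADE` is a remaining finding. Classifying by class path rather than file name matters here precisely because the jars sit inside third-party Eclipse plugin bundles, where a vulnerability scanner keyed on the name `log4j-*.jar` would miss a rebundled copy.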