MQ

  • 1.  Impact of log4j vulnerability on MQ8

    Posted Fri December 24, 2021 11:24 AM
    Hi,

    We are currently using MQ version 8. From the bulletin links "Does IBM MQ ship Apache Log4J?", I see that MQ 9 is affected, but it's not mentioned that MQ 8 is not affected by the log4j vulnerability.
    As per one of the articles, the MQSeriesBCBridge rpm uses log4j. But I do not see the MQSeriesBCBridge rpm installed on the hosts. So as per my understanding MQ 8 won't be affected. Can you please confirm the same?

    ------------------------------
    Ritu Chaurasia
    ------------------------------


  • 2.  RE: Impact of log4j vulnerability on MQ8

    Posted Mon December 27, 2021 04:35 PM
    Hello,

    As stated in the MQ Security bulletin, MQ Blockchain Bridge is the only log4j-affected component for MQ, which isn't available in MQ 8.
    https://www.ibm.com/support/pages/node/6526274

    Thanks,

    ------------------------------
    Navaneeth Sakthi
    Senior Professional
    DXC Technology, Spain
    ------------------------------



  • 3.  RE: Impact of log4j vulnerability on MQ8

    Posted Mon December 27, 2021 09:11 PM
    Hello Navaneeth,

    Thanks for your response! Do I need to wait for any bulletin update or can I conclude that there is no impact on MQ8?

    Regards,
    Ritu Chaurasia

    ------------------------------
    Ritu Chaurasia
    ------------------------------



  • 4.  RE: Impact of log4j vulnerability on MQ8

    Posted Mon December 27, 2021 10:28 PM

    Hi Ritu,

    The Security Bulletin that @Navaneeth Sakthi pointed you to, https://www.ibm.com/support/pages/node/6526274, contains the following statements:-

    "the IBM MQ blockchain bridge component of IBM MQ 9.1.4 and later"

    So you know from that statement that the IBM MQ blockchain bridge component is not part of IBM MQ V8.

    "Based on current knowledge and analysis, no other IBM MQ components or installable packages are affected."

    Bear in mind that IBM MQ V8 is now out of support, and that the above security bulletin is only for MQ V9.x.

    If the statements made in the security bulletin are not conclusive enough for you, then you should probably contact IBM, assuming you have an extended support contract, and ask them for a more explicit statement.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------
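
The host check described in the first post (is the MQSeriesBCBridge rpm installed?), extended with a file-name search for log4j-core jars under the MQ install tree. This is an added example, not part of the thread or of IBM's tooling; it assumes an RPM-based Linux host and /opt/mqm as the install root, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. Assumptions: RPM-based Linux host; MQ installed under
# /opt/mqm (override with MQ_ROOT). Package name is the one quoted in the thread.
MQ_ROOT="${MQ_ROOT:-/opt/mqm}"
BRIDGE_PKG="MQSeriesBCBridge"

# Print "installed", "absent", or "unknown" (no rpm tool on this host).
bridge_pkg_state() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo unknown
    elif rpm -q "$1" >/dev/null 2>&1; then
        echo installed
    else
        echo absent
    fi
}

# List log4j-core jars under a directory, one per line, sorted.
# Matches by file name only; a jar repackaged inside another archive is not seen.
find_log4j_core() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name 'log4j-core*.jar' 2>/dev/null | sort
}

# One summary line per host: REVIEW if the bridge package or any
# log4j-core jar is present, NOT_FOUND otherwise.
mq_log4j_report() {
    state=$(bridge_pkg_state "$BRIDGE_PKG")
    jars=$(find_log4j_core "$1")
    if [ -n "$jars" ]; then
        count=$(printf '%s\n' "$jars" | wc -l | tr -d ' ')
    else
        count=0
    fi
    if [ "$state" = installed ] || [ "$count" -gt 0 ]; then
        echo "REVIEW bridge=$state log4j_core_jars=$count"
    else
        echo "NOT_FOUND bridge=$state log4j_core_jars=$count"
    fi
}

# Run as a script: ./check.sh   (or MQ_ROOT=/path ./check.sh)
mq_log4j_report "$MQ_ROOT"
```

A NOT_FOUND line with bridge=unknown means only the jar search ran, so the package question still has to be answered with the host's own package manager.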