MQ

log4j cyberattack - IBM MQ

  • 1.  log4j cyberattack - IBM MQ

    Posted Mon December 13, 2021 01:53 PM
    Hi All,

    Do IBM MQ and its extension products like IPT have any impact or consideration on the log4j vulnerability?
    Just seeking experts' advice... anything we need to consider or be aware of.

    Thanks

    ------------------------------
    Vignesh
    ------------------------------


  • 2.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 04:00 AM
    Here is the official IBM statement on the log4j vulnerability:

    We are continuing to inventory IBM products and systems potentially impacted by the reported Apache Log4j vulnerability. As necessary, we are updating to Log4j version 2.15, which fixes the vulnerability, and applying mitigations in the interim. While our inventory and remediation efforts are underway, we are evaluating existing controls that would prevent a successful attack, monitoring to quickly detect if anyone attempts to take advantage of this potential vulnerability and will isolate and take other actions as appropriate. 
    If an IBM product (MQ) is impacted, there will be a bulletin posted for that product as a fix is available. On-premise IBM products will have to be updated per recommendations within the IBM Product Security Incident Response blog at IBM PSIRT Blog (https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/)

    Additionally, you can subscribe to IBM product security bulletins to be notified when one is published here: https://www.ibm.com/support/mynotifications

    ------------------------------
    Rob Parker
    ------------------------------



  • 3.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 07:58 AM
    As far as I can tell MQIPT doesn't use log4j - it uses the native Java logger? Can an IBMer confirm?

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 4.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 09:20 AM
    Edited by Rob Parker Tue December 14, 2021 09:26 AM
    Hi John,

    No Log4j libraries are shipped with Internet Pass-Thru (MQIPT). As to whether MQIPT, MQ or any of its components are vulnerable or not to the Log4j vulnerability, I cannot say. Any indication of applicability will be done via the official IBM process (i.e. a security bulletin) and I encourage you to ensure that you have subscribed to notifications via the https://www.ibm.com/support/mynotifications link so you are made aware if a bulletin is released.

    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------



  • 5.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 04:44 AM

    Hi Rob,

    I don't suppose you know what the correct link is now for https://www.ibm.com/support/mynotifications ? It no longer works, although it is still the URL sent on all notification emails!

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 6.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 04:57 AM
    Hi Morag,

    That's annoying!
    I had a look. From the broken link, if you make sure you're logged in, then on the top bar go to "Manage my support account" -> Notifications, it should take you to this URL https://www.ibm.com/systems/support/myview/subscription/css.wss which you can use to add/remove subscriptions to products.

    Truth be told though, I've not used that system before, but I had a quick go and I was able to subscribe to Security bulletin notifications and see the latest security bulletin for IBM MQ, which I would encourage those in this thread to go take a look at.
    In the background I'll ask if there's a different way that is supposed to be used, but that may help for now.


    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------



  • 7.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 05:00 AM
    Yeah, I'm already subscribed. Got the notification about the IBM MQ Blockchain Bridge today. The notification email contains the same link! I was going to share it in our most recent post to nudge more people towards subscribing, but no point in sharing a broken link. Feels like there should be a landing page outside the sign-on.

    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 8.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 10:32 AM
    Hi Morag,
    I reported this to the team and asked them to forward the link to a new public page (if there is one), and to update their email template with the correct link. 

    Hopefully the support team can fix this soon. Thanks for mentioning this! 


    ------------------------------
    Stephanie Wilkerson
    IBM
    ------------------------------



  • 9.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 01:25 PM
    Hi Vignesh,

    Here's what I posted on the MQ ListServer.  As Rob said, the official answer will come from IBM shortly.

    I've been using Java and Log4J for a very long time. Here's my 2 cents.

    1. Log4J is only used by Java and Java/JMS applications and not C/C++/C#/COBOL/Python etc. applications

    2. The vulnerability (CVE-2021-44228) only applies to Log4J v2.x and not to Log4J v1.x
    https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

    3. The base MQ server component is not affected because it is not written in Java.

    4. The Java MQ Client library does not include Log4J v2.x (to my knowledge)

    5. There are 4 components of MQ that are written in Java: MQ Explorer, MFT, MQXR and AMQP. These are the components of MQ that IBM needs to make clear whether or not Log4J v2.x is being used or not.

    Like I said, that's my 2 cents for what it is worth. The real answers need to come from IBM.

    later
    Roger

    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON Canada
    https://capitalware.com
    ------------------------------
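
An added example, not part of the thread and not IBM code: a defender-side inventory check that applies the distinctions in the post above (Log4j 1.x vs 2.x, and the 2.15 fix level named in the IBM statement) to every Java archive under a directory, including jars nested inside WAR/EAR files. The function names and the sample tree are constructed for illustration; the two class paths and the `pom.properties` location are the standard layout of Log4j jars, and the threshold should be set to whatever the current security bulletin requires.

```python
import io, re, tempfile, zipfile
from pathlib import Path
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2.x marker
V1_MARK = "org/apache/log4j/Logger.class"                       # Log4j 1.x marker
EXTS = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15)  # fixed release named in the IBM statement quoted in the thread

def classify(data, label):  # -> [(label, status, version)], nested archives included
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable", None)]
    found = []
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            pom = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
            version = next(iter(re.findall(r"^version=(\S+)", pom, re.M)), None)
            nums = tuple(int(x) for x in re.findall(r"\d+", version or "")[:2])
            status = ("log4j2-version-unknown" if len(nums) < 2 else  # e.g. shaded jar
                      "log4j2-below-2.15" if nums < FIXED else "log4j2-2.15-or-later")
            found.append((label, status, version))
        elif V1_MARK in names:
            found.append((label, "log4j1", None))  # 1.x: outside this CVE per the post
        for n in sorted(n for n in names if n.lower().endswith(EXTS)):
            found += classify(zf.read(n), f"{label}!{n}")
    return found

def scan_tree(root):  # labels are paths relative to root
    root, hits = Path(root), []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXTS:
            hits += classify(p.read_bytes(), p.relative_to(root).as_posix())
    return hits

def make_jar(entries):  # in-memory archive from {name: bytes}, for the samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():  # constructed sample tree, not a real MQ install
    old = make_jar({POM: b"version=2.14.1\n", JNDI: b""})
    with tempfile.TemporaryDirectory() as d:
        Path(d, "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core.jar": old}))
        Path(d, "log4j-1.2.17.jar").write_bytes(make_jar({V1_MARK: b""}))
        return scan_tree(d)
```

Point `scan_tree()` at the installation directory of each Java-based component to get one line per archive that carries Log4j; a "version-unknown" result means the 2.x lookup class is present without Maven metadata and needs manual review.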



  • 10.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 02:35 PM
    Thank you all for your valuable inputs!

    ------------------------------
    Vignesh
    ------------------------------



  • 11.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 02:57 PM
    Hi all, 
    We will also post when we have more, and there are notifications coming out on the mentioned channels.

    There is also a great webinar from the security team this week covering: 
    • Get the latest information about this flaw from our X-Force team
    • Learn how to check for vulnerable versions of Apache Log4j in your environment
    • Understand how to reduce the risk of an attack against your organization
    It won't be product-specific, but you can register here:  https://event.on24.com/wcc/r/3570143/66C51D1B65F9821B262E9E0A36CC69C1

    Thanks!

    ------------------------------
    Stephanie Wilkerson
    IBM
    ------------------------------



  • 12.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 09:13 AM
    Edited by Peter Potkay Wed December 15, 2021 09:13 AM
    To see all IBM Security Bulletins for this specific CVE
    https://www.ibm.com/blogs/psirt/?s=2021-44228


    To see all IBM Security Bulletins for MQ regardless of CVE
    https://www.ibm.com/blogs/psirt/?s=MQ

    ------------------------------
    Peter Potkay
    ------------------------------



  • 13.  RE: log4j cyberattack - IBM MQ
    Best Answer

    Posted Thu December 16, 2021 04:14 AM
    Hi All,

    IBM MQ has released the following security bulletin detailing an affected IBM MQ Component. Please read the bulletin to determine whether you are affected and the steps to resolve: https://www.ibm.com/support/pages/node/6526274

    Additionally, IBM MQ has released a separate bulletin that details what components use and ship Log4j. That bulletin is available here: https://www.ibm.com/support/pages/node/6526544

    IBM Policy states that communications around whether a product and its components are affected by any vulnerability must be done via security bulletins. Additionally, the standard policy is that Products and components only produce security bulletins when they are affected and do not produce bulletins when they are not. However, for this vulnerability IBM are producing a list of products that have indicated they are not affected and publishing that list here: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

    For further information on IBM's response to this Log4j vulnerability please see the following blog post: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    Best wishes,

    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------



  • 14.  RE: log4j cyberattack - IBM MQ

    Posted Thu December 16, 2021 01:35 PM
    Edited by Peter Potkay Thu December 16, 2021 01:58 PM

    This link only lists the MQ Appliance and MQ on IBM Cloud under Products not Impacted.
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

    Is that because the MQ Appliance and MQ on IBM Cloud do not have that blockchain component under any circumstance so they are the only MQ ones that can be on the list of Products not Impacted? 

    Why are more MQ products not listed on the "Products not Impacted" page? The potential of a customer installing the IBM MQ Blockchain bridge?

    Edit: I don't expect a direct answer here. I understand why. My hope is that IBMers reading this can behind the scenes get some official clarifications added to the official Bulletins.



    ------------------------------
    Peter Potkay
    ------------------------------



  • 15.  RE: log4j cyberattack - IBM MQ

    Posted Fri December 17, 2021 05:37 AM
    Hi Peter,

    I'll try to answer as best as I can but I am limited on what I can and cannot say. This bulletin tries to detail where we ship Log4j in a hope to explain which components are & aren't affected. We've published a bulletin covering a MQ component that is affected. Both of these bulletins were written by members of the MQ department and approved for publish by IBM PSIRT.

    The link you pointed at above is maintained by IBM PSIRT and updated by them based off how we internally report our products to them. For this there are 5 products: IBM MQ (Distributed), IBM MQ on Z, IBM MQ Appliance, IBM MQ on Cloud & IBM MQ on HP-NS. Because a bulletin was released for the IBM MQ (Distributed) product it cannot be included in the not affected list but is included in Remediated Products list near the bottom of the page.
    There has now been an update to the lists and I can see the other MQ products listed above have been added to a list (I don't want to say which one here in case something changes in the future and they switch lists, but please take a look at the post to check.)

    Were the 5 products I mentioned above all of the ones you were expecting to see, or were there any other ones that you feel are missing which I can chase up or explain where they fit in?

    Best wishes,


    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------