MQ

  • 1.  Log4j vulnerability

    Posted Wed December 15, 2021 03:06 PM
    I assume IBM is still assessing if there are any known issues with MQ server and client with log4j? From what I understand MQ does not use Java.

    I will check back and see if any updates come from IBM.

    Thanks.


  • 2.  RE: Log4j vulnerability

    Posted Thu December 16, 2021 04:13 AM
    Hiya,

    IBM MQ has released the following security bulletin detailing an affected IBM MQ Component. Please read the bulletin to determine whether you are affected and the steps to resolve: https://www.ibm.com/support/pages/node/6526274

    Additionally, IBM MQ has released a separate bulletin that details what components use and ship Log4j. That bulletin is available here: https://www.ibm.com/support/pages/node/6526544

    IBM Policy states that communications around whether a product and its components are affected by any vulnerability must be done via security bulletins. Additionally, the standard policy is that Products and components only produce security bulletins when they are affected and do not produce bulletins when they are not. However, for this vulnerability IBM are producing a list of products that have indicated they are not affected and publishing that list here: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

    For further information on IBM's response to this Log4j vulnerability please see the following blog post: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    I hope this helps. Best wishes.

    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------