IBM Data Management Community Connect with Db2, Informix, Netezza, open source, and other data experts to gain value from your data, share insights, and solve problems. Join / Log in
The Apache Security team has released a security advisory for CVE-2021-44228 which affectsApache Log4j2. A malicious user could exploit this vulnerability to run arbitrary code as the useror service account running the affected software. Big SQL version affected: 5.0.4, 6.0.0, 7.1.0.Resolution:The fix for this vulnerability consists of a tar file containing a standalone script and updated jar files. The script must be run on all nodes in the cluster and can be obtained by creating a support ticket with IBM.NOTE: if you add a node to the Big SQL instance, you will need to run this script on the new node as well.The syntax to run the script is as follows, as root:./patch-log4j.sh <version> <big sql user>or with sudo:sudo ./patch-log4j.sh <version> <big sql user>where version is one of: 5.0.x.0 (where x is the specific version number, 1 through 4), 6.0.0.0, or 7.1.0.0For example:1. Copy the tar file to each node in the Big SQL cluster: scp ibm-bigsql-apache-log4j-2.16.0-patch.tar.gz <node>:/tmp2. Unpack the tar file:tar -xzf ibm-bigsql-apache-log4j-2.16.0-patch.tar.gz3. Change to the newly created directory:cd log4j4. Make a backup of the original jar files (optional):find /usr/ibmpacks -name *log4j*.jar -exec tar -uvf bak.tar {} \;5. Run the script:./patch-log4j.sh 5.0.4.0 bigsql 6. Restart Big SQLThe script assumes the primary group of the bigsql user is the "hadoop" group. If it is different, then run the following command after the script completes:chown <bigsql_user>:<primary_group> /usr/ibmpacks/current/bigsql/bigsql/hive-client/lib/log4j*.jarReplace <bigsql_user> and <primary_group> with the appropriate values for your cluster.APAR link https://www.ibm.com/support/pages/apar/PH42765
By
Sangeeta Badiger
posted