Informix


Questions about the CVE-2021-44228 vulnerability

  • 1.  Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 12:40 AM
    Hello All,
    I have a question about a vulnerability related to Log4j.

    The document below is an update on the vulnerabilities of Log4j-related classes.
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    The files informixhq-agent.jar and informixhq-server.jar contain the Log4j class.
    How can I check if this class is the version where the vulnerability exists?


    Thanks,
    SangGyu Jeong

    ------------------------------
    SangGyu Jeong
    Software Engineer
    Infrasoft
    Seoul Korea, Republic of
    ------------------------------

    #Informix


  • 2.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 04:38 AM

    I would say, I would not use informixhq with the latest Informix Server versions.

    Cheers,

    Markus



    ------------------------------
    Markus Holzbauer
    ------------------------------



  • 3.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 05:25 AM

    You can verify if your version is affected with:

    $ cd $INFORMIXDIR/hq

    $ unzip -l informixhq-agent.jar|grep log4j/core/lookup/JndiLookup.class >/dev/null 2>&1 && echo "fix needed"

    Cheers,

    Markus



    ------------------------------
    Markus Holzbauer
    ------------------------------
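
Added example (not part of the thread, and not IBM or Informix code): the one-line check above, extended to also look inside nested jars and to report the log4j-core version recorded in the Maven `pom.properties` entry, which is what the original question asks for. The names `scan_jar` and `make_jar` and the sample jar are constructed for illustration; pass real paths such as `informixhq-agent.jar` and `informixhq-server.jar` on the command line.

```python
import io
import re
import zipfile

# Same class the unzip/grep check looks for, plus log4j-core's Maven metadata.
JNDI = "log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_jar(data, label="archive"):
    """Return [(path, log4j-core version or None, JndiLookup present)] for an
    archive given as bytes, descending into nested archives (fat jars)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive: nothing to report
    with zf:
        names = zf.namelist()
        has_jndi = any(n.endswith(JNDI) for n in names)
        version = None
        for n in names:
            if n.endswith(POM):
                m = re.search(rb"^version=(\S+)", zf.read(n), re.M)
                version = m.group(1).decode() if m else None
        if has_jndi or version:
            findings.append((label, version, has_jndi))
        for n in names:  # a bundled log4j-core jar is only visible one level down
            if n.lower().endswith(ARCHIVE_EXT):
                findings += scan_jar(zf.read(n), f"{label}!/{n}")
    return findings

def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: an application jar bundling a log4j-core jar one level down.
INNER = make_jar({"org/apache/logging/" + JNDI: b"", POM: b"version=2.14.1\n"})
SAMPLE = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": INNER,
                   "com/example/App.class": b""})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for hit in scan_jar(fh.read(), path):
                print(hit)
```

Apache's advisory lists log4j-core 2.0-beta9 through 2.14.1 as affected by CVE-2021-44228. A result with a version in that range but `JndiLookup` absent indicates a jar where the class was stripped as a mitigation.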



  • 4.  RE: Questions about the CVE-2021-44228 vulnerability

    IBM Champion
    Posted Mon December 13, 2021 07:21 AM
    The recommendation I got from IBM via a PMR was not to use HQ until the dev team have investigated further.

    Cheers
    Paul

    Paul Watson
    Oninit LLC
    +1-913-387-7529
    www.oninit.com
    Oninit®️ is a registered trademark of Oninit LLC





  • 5.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 07:42 AM
    Thanks for the information, Paul.

    ------------------------------
    SangGyu Jeong
    Software Engineer
    Infrasoft
    Seoul Korea, Republic of
    ------------------------------



  • 6.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 09:01 AM
    I have notified development about this.
     
    Scott Pickett
    IBM Informix WW Technical Sales IBM Expert Labs
    IBM Informix WW Cloud Technical Sales IBM Expert Labs
    IBM Informix WW Cloud Technical Sales ICIAE IBM Expert Labs
    IBM Informix WW Informix Warehouse Accelerator Sales IBM Expert Labs
    Boston, Massachusetts USA
    spickett@us.ibm.com
    617-899-7549
    33 Years Informix User
     
     
     
     





  • 7.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 03:09 PM

    What about OAT – can we still use that?  We are still on 11.70 here (with extended support).

     

    -- 

    Thanks,

    Kate Tomchik She/Her/Hers

    Principal Systems Engineer, Database Solutions

    The Home Depot 

    Cell: 678-427-4914 (Text preferred)

    Strange, isn't it? Each man's life touches so many other lives.

    When he isn't around, he leaves an awful hole, doesn't he? – It's a Wonderful Life

     

    For non-urgent requests create a TICKET:

    https://servicecatalog.apps.homedepot.com/home/catalog/Databases/databasesupport

    Choose experience: IT-08034-Database Solutions Operations

     


    INTERNAL USE






  • 8.  RE: Questions about the CVE-2021-44228 vulnerability

    IBM Champion
    Posted Tue December 14, 2021 06:47 AM
    OAT, afair, was PHP based, so no Java anyway.
    Anyone able to confirm?

    ------------------------------
    Andreas Legner
    ------------------------------



  • 9.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Tue December 14, 2021 09:42 AM
    OAT did not contain any Java so it is unaffected.

    ------------------------------
    Brian Hughes
    ------------------------------



  • 10.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Tue December 14, 2021 10:49 AM
    Problem with OAT is that it is Flash based, and unless you install an older version of your browser, it won't be useful (or it would be partially useful).
    Ramon

    ------------------------------
    Ramon Rey
    ------------------------------



  • 11.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 06:45 PM
    I did the equivalent of what Markus suggested over the weekend on 14.10.FC6 and proved its HQ does contain the vulnerable log4j version 2. All IDS versions before that used logback in HQ which is unaffected.

    ------------------------------
    Doug Lawry
    Oninit Consulting
    ------------------------------



  • 12.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 06:59 PM
    There will be a statement forthcoming in the next days as to what we will be doing here. The lab has spent the last 3.5 days on this identifying possible vulnerabilities and a fix will be forthcoming. Stay tuned.
     
    Scott Pickett
    IBM Informix WW Technical Sales IBM Expert Labs
    IBM Informix WW Cloud Technical Sales IBM Expert Labs
    IBM Informix WW Cloud Technical Sales ICIAE IBM Expert Labs
    IBM Informix WW Informix Warehouse Accelerator Sales IBM Expert Labs
    Boston, Massachusetts USA
    spickett@us.ibm.com
    617-899-7549
    33 Years Informix User
     
     







  • 13.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Tue December 14, 2021 09:31 AM
    Hi.

    I guess it should be OK to run HQ if the server is behind a firewall and thus exposed to the Internet?

    Regards,
    -Snorri

    ------------------------------
    Snorri Bergmann
    ------------------------------



  • 14.  RE: Questions about the CVE-2021-44228 vulnerability

    IBM Champion
    Posted Tue December 14, 2021 11:40 AM

    Depends on your internal security rules, I know of two companies that have turned off HQ on systems that are not exposed to the internet.

     

    I suspect if a company is breached by ANOther method and then use this vulnerability to gain further access then heads would roll

     

    Cheers

    Paul

     






  • 15.  RE: Questions about the CVE-2021-44228 vulnerability

    IBM Champion
    Posted Tue December 14, 2021 12:35 PM

    Shouldn't we be more worried about the JDBC driver rather than HQ?

     

    Cheers

    Paul

     






  • 16.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Wed December 15, 2021 05:03 AM
    I can recommend https://github.com/mergebase/log4j-detector

    We scanned jdbc

    PS C:\SVN> java -jar .\log4j-detector-2021.12.12.jar .\jdbc-4.50.4.1.jar
    -- Analyzing paths (could take a long time).
    -- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
    -- No Log4J 2.x samples found in supplied paths: [.\jdbc-4.50.4.1.jar]
    -- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)
    PS C:\SVN> java -jar .\log4j-detector-2021.12.12.jar .\DriverInformix.jar
    -- Analyzing paths (could take a long time).
    -- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
    -- No Log4J 2.x samples found in supplied paths: [.\DriverInformix.jar]
    -- Congratulations, the supplied paths are not vulnerable to CVE-2021-44228 ! :-)

    ------------------------------
    Marc Demhartner
    ------------------------------