Informix


Questions about the CVE-2021-44228 vulnerability

  • 1.  Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 12:40 AM
    Hello All,
    I have a question about a vulnerability related to Log4j.

    The document below is an update on the vulnerabilities of Log4j-related classes.
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    The files informixhq-agent.jar and informixhq-server.jar contain the Log4j class.
    How can I check if this class is the version where the vulnerability exists?


    Thanks,
    SangGyu Jeong

    ------------------------------
    SangGyu Jeong
    Software Engineer
    Infrasoft
    Seoul Korea, Republic of
    ------------------------------


  • 2.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 04:38 AM

    I would say, I would not use informixhq with the latest Informix Server versions.

    Cheers,

    Markus



    ------------------------------
    Markus Holzbauer
    ------------------------------



  • 3.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 05:25 AM

    You can verify if your version is affected with:

    $ cd $INFORMIXDIR/hq

    $ unzip -l informixhq-agent.jar|grep log4j/core/lookup/JndiLookup.class >/dev/null 2>&1 && echo "fix needed"

    Cheers,

    Markus



    ------------------------------
    Markus Holzbauer
    ------------------------------
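
A broader form of the check in the reply above, as an added example that is not part of the original posts and not IBM's tooling: it looks for `JndiLookup.class` in any jar passed to it (for instance both files named in the question), follows jars nested inside them, and reports the log4j-core version when the archive still carries Maven's `pom.properties`. The script name `scan_log4j.py` and the function names are assumptions made for this example.

```python
import io
import sys
import zipfile

# Class checked by the unzip/grep one-liner above, and the Maven metadata
# file that log4j-core ships with (it may be absent in repackaged jars).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def log4j_version(zf):
    """Return the log4j-core version recorded in pom.properties, or None."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_archive(source, label, depth=0, max_depth=5):
    """Return [(location, version_or_None)] for each archive holding JndiLookup.class.

    source is a path or file-like object; nested archives are opened in memory.
    """
    findings = []
    try:
        with zipfile.ZipFile(source) as zf:
            names = zf.namelist()
            if any(n.endswith(JNDI_CLASS) for n in names):
                findings.append((label, log4j_version(zf)))
            if depth < max_depth:  # bound recursion into nested archives
                for n in names:
                    if n.lower().endswith(ARCHIVE_EXTS):
                        inner = io.BytesIO(zf.read(n))
                        findings += scan_archive(inner, f"{label}!/{n}", depth + 1, max_depth)
    except zipfile.BadZipFile:
        pass  # entry is not a readable archive; nothing to report
    return findings


if __name__ == "__main__":
    # Usage: python3 scan_log4j.py informixhq-agent.jar informixhq-server.jar
    hits = [f for path in sys.argv[1:] for f in scan_archive(path, path)]
    for location, version in hits:
        print(f"fix needed: {location} (log4j-core version: {version or 'unknown'})")
    sys.exit(1 if hits else 0)
```

Compare any reported version with the affected versions listed in the vendor advisory; a version of "unknown" means the class is present but the jar does not record which release it came from.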



  • 4.  RE: Questions about the CVE-2021-44228 vulnerability

    Posted Mon December 13, 2021 07:21 AM
    The recommendation I got from IBM via a PMR was not to use HQ until the dev team have investigated further.

    Cheers
    Paul

    Paul Watson
    Oninit LLC
    +1-913-387-7529
    www.oninit.com
    Oninit®️ is a registered trademark of Oninit LLC