Informix

 View Only
  • 1.  Technote on Log4j vulnerability in Informix

    Posted Fri December 17, 2021 11:58 AM
    An official TechNote is now available on this issue. The full Security Bulletin will be published (with the same information) through the PSIRT channels shortly.

    Tech Note: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix workaround

    Basically it affects the latest  IHQ versions. Workaround is very simple to implement.

    Thank you to Informix Development for working on this.

    ------------------------------
    Carlton Doe
    ------------------------------


  • 2.  RE: Technote on Log4j vulnerability in Informix

    Posted Sun December 19, 2021 08:10 PM
    Thanks for the information!

    ------------------------------
    SangGyu Jeong
    Software Engineer
    Infrasoft
    Seoul Korea, Republic of
    ------------------------------



  • 3.  RE: Technote on Log4j vulnerability in Informix

    Posted Mon December 20, 2021 02:03 AM

    Hi!

    Be careful, because the solution (-Dlog4j2.formatMsgNoLookups=true) is out of date.

    Look at: https://logging.apache.org/log4j/2.x/: Without updating to log4j 2.17.0, it doesn´t help in all cases.



    ------------------------------
    Kind Regards
    Stefan
    ------------------------------



  • 4.  RE: Technote on Log4j vulnerability in Informix

    Posted Mon December 20, 2021 04:20 PM
    Development is looking at this and we'll publish an official response as soon as we can.

    Thanks

    ------------------------------
    Carlton Doe
    ------------------------------



  • 5.  RE: Technote on Log4j vulnerability in Informix

    Posted Mon December 20, 2021 08:08 PM

    Stefan:

    Why is -Dlog4j2.formatMsgNoLookups=true out of date?  This is a mitigation not a remediation.  Log4J2 version 2.17 didn't exist three days ago.

    -Dlog4j2.formatMsgNoLookups=true works to mitigate the issues until Developement can build a new release of software with Log4J 2.17.0. 



    ------------------------------
    Best regards,
    Martin Graney
    Queues Enforth Development, Inc.
    Woburn, MA 01801
    ------------------------------



  • 6.  RE: Technote on Log4j vulnerability in Informix

    Posted Tue December 21, 2021 02:44 AM
    Because there are now published exploits for which this property does not help

    ------------------------------
    Øyvind Gjerstad
    Developer/Architect
    PostNord AS
    ------------------------------