MQ

 View Only
Expand all | Collapse all

log4j cyberattack - IBM MQ

Jump to Best Answer
  • 1.  log4j cyberattack - IBM MQ

    Posted Mon December 13, 2021 01:53 PM
    Hi All,

    Does IBM MQ and its extension products like IPT has any impact or consideration on log4j vulnerability ??
    just seeking experts advise .. anything we need to consider or be aware of.

    Thanks

    ------------------------------
    Vignesh
    ------------------------------


  • 2.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 04:00 AM
    Here is the official IBM statement on the log4j vulnerability:

    We are continuing to inventory IBM products and systems potentially impacted by the reported Apache Log4j vulnerability. As necessary, we are updating to Log4j version 2.15, which fixes the vulnerability, and applying mitigations in the interim. While our inventory and remediation efforts are underway, we are evaluating existing controls that would prevent a successful attack, monitoring to quickly detect if anyone attempts to take advantage of this potential vulnerability and will isolate and take other actions as appropriate. 
    If an IBM product (MQ) is impacted, there will be a bulletin posted for that product as a fix is available. On-premise IBM products will have to be updated per recommendations within the IBM Product Security Incident Response blog at IBM PSIRT Blog (https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/)

    Additionally, you can subscribe to IBM product security bulletins to be notified when one is published here: https://www.ibm.com/support/mynotifications

    ------------------------------
    Rob Parker
    ------------------------------



  • 3.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 07:58 AM
    As far as I can tell MQIPT doesn't use log4j - it uses the native Java logger? Can an IBM er confirm ?

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 4.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 09:20 AM
    Edited by Rob Parker Tue December 14, 2021 09:26 AM
    Hi John,

    No Log4j libraries are shipped with Internet Pass-Thru (MQIPT). As to whether MQIPT, MQ or any of it's components are vulnerable or not to the Log4j vulnerability, I cannot say. Any indication of applicability will be done via the offical IBM process (i.e. a security bulletin) and i encourage you to ensure that you have subscribed to notifications via the https://www.ibm.com/support/mynotifications link so you are made aware if a bulletin is released.

    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------



  • 5.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 04:44 AM

    Hi Rob,

    I don't suppose you know what the correct link is now for https://www.ibm.com/support/mynotifications ? It no longer works, although it is still the URL sent on all notification emails!

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 6.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 04:57 AM
    Hi Morag,

    That's annoying!
    I had a look, from the broken link if you make sure you're logged in then on the top bar go "Manage my support account" -> Notifications it should take you to this URL https://www.ibm.com/systems/support/myview/subscription/css.wss which you can use to add/remove subscriptions to products.

    Truth be told though i've not used that system before but i had a quick go and i was able to subscribe to Security bulletin notifications and see the latest security bulletin for IBM MQ which i would encourage those in this thread to go take a look at.
    In the background i'll ask if there's a different way that is supposed to be used but that may help for now.


    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------



  • 7.  RE: log4j cyberattack - IBM MQ

    Posted Wed December 15, 2021 05:00 AM
    Yeah, I'm already subscribed. Got the notification about the IBM MQ Blockchain Bridge today. The notification email contains the same link! I was going to share it in our most recent post to nudge more people towards subscribing, but no point in sharing a broken link. Feels like there should be a landing page outside the sign-on.

    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 8.  RE: log4j cyberattack - IBM MQ

    Community Leadership
    Posted Wed December 15, 2021 10:32 AM
    Hi Morag,
    I reported this to the team and asked them to forward the link to a new public page (if there is one), and to update their email template with the correct link. 

    Hopefully the support team can fix this soon. Thanks for mentioning this! 


    ------------------------------
    Stephanie Wilkerson
    IBM
    ------------------------------



  • 9.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 01:25 PM
    Hi Vignesh,

    Here's what I posted on the MQ ListServer.  As Rob said, the official answer will come from IBM shortly.

    I've been using Java and Log4J for a very long time. Here's my 2 cents.

    1. Log4J is only used by Java and Java/JMS applications and not C/C++/C#/COBOL/Python etc. applications

    2. The vulnerability (CVE-2021-44228) only applies to Log4J v2.x and not to Log4J v1.x
    https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

    3. The base MQ server component is not affected because it is not written in Java.

    4. The Java MQ Client library does not include Log4J v2.x (to my knowledge)

    5. There are 4 components of MQ that are written in Java: MQ Explorer, MFT, MQXR and AMQP. These are the components of MQ that IBM needs to make clear whether or not Log4J v2.x is being used or not.

    Like I said, that's my 2 cents for what it is worth. The real answers need to come from IBM.

    later
    Roger

    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON Canada
    https://capitalware.com
    ------------------------------



  • 10.  RE: log4j cyberattack - IBM MQ

    Posted Tue December 14, 2021 02:35 PM
    Thank you all for your valuable inputs!

    ------------------------------
    Vignesh
    ------------------------------



  • 11.  RE: log4j cyberattack - IBM MQ

    Community Leadership
    Posted Tue December 14, 2021 02:57 PM
    Hi all, 
    We will also post when we have more  and there are notifications coming out on the mentioned channels. 

    There is also a great webinar from the security team this week covering: 
    • Get the latest information about this flaw from our X-Force team
    • Learn how to check for vulnerable versions of Apache Log4j in your environment
    • Understand how to reduce the risk of an attack against your organization
    It won't be product-specific, but you can register here:  https://event.on24.com/wcc/r/3570143/66C51D1B65F9821B262E9E0A36CC69C1

    Thanks!

    ------------------------------
    Stephanie Wilkerson
    IBM
    ------------------------------



  • 12.  RE: log4j cyberattack - IBM MQ

    IBM Select
    Posted Wed December 15, 2021 09:13 AM
    Edited by Peter Potkay Wed December 15, 2021 09:13 AM
    To see all IBM Security Bulletins for this specific CVE
    https://www.ibm.com/blogs/psirt/?s=2021-44228


    To see all IBM Security Bulletins for MQ regardless of CVE
    https://www.ibm.com/blogs/psirt/?s=MQ

    ------------------------------
    Peter Potkay
    ------------------------------



  • 13.  RE: log4j cyberattack - IBM MQ
    Best Answer

    Posted Thu December 16, 2021 04:14 AM
    Hi All,

    IBM MQ has released the following security bulletin detailing an affected IBM MQ Component. Please read the bulletin to determine whether you are affected and the steps to resolve: https://www.ibm.com/support/pages/node/6526274

    Additionally, IBM MQ has released a separate bulletin that details what components use and ship Log4j. That bulletin is available here: https://www.ibm.com/support/pages/node/6526544

    IBM Policy states that communications around whether a product and it's components are affected by any vulnerability must be done via security bulletins. Additionally, the standard policy is that Products and components only produce security bulletins when they are affected and do not produce bulletins when they are not. However, for this vulnerability IBM are producing a list of products that have indicated they are not affected and publishing that list here: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

    For further information on IBM's response to this Log4j vulnerability please see the following blog post: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    Best wishes,

    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------



  • 14.  RE: log4j cyberattack - IBM MQ

    IBM Select
    Posted Thu December 16, 2021 01:35 PM
    Edited by Peter Potkay Thu December 16, 2021 01:58 PM

    This link only list the MQ Appliance and MQ on IBM Cloud under Products not Impacted.
    https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

    Is that because the MQ Appliance and MQ on IBM Cloud do not have that blockchain component under any circumstance so they are the only MQ ones that can be on the list of Products not Impacted? 

    Why are more MQ products not listed on the "Products not Impacted" page? The potential of a customer installing the IBM MQ Blockchain bridge?

    Edit: I don't expect a direct answer here. I understand why. My hope is that IBMers reading this can behind the scenes get some official clarifications added to the official Bulletins.



    ------------------------------
    Peter Potkay
    ------------------------------



  • 15.  RE: log4j cyberattack - IBM MQ

    Posted Fri December 17, 2021 05:37 AM
    Hi Peter,

    I'll try to answer as best as i can but i am limited on what i can and cannot say. This bulletin tries to detail where we ship Log4j in a hope to explain which components are & aren't affected. We've published a bulletin covering a MQ component that is affected. Both of these bulletins were written by members of the MQ department and approved for publish by IBM PSIRT.

    The link you pointed at above is maintained by IBM PSIRT and updated by them based off how we internally report our products to them. For this there are 5 products: IBM MQ (Distributed), IBM MQ on Z, IBM MQ Appliance, IBM MQ on Cloud & IBM MQ on HP-NS. Because a bulletin was released for the IBM MQ (Distributed) product it cannot be included in the not affected list but is included in Remediated Products list near the bottom of the page.
    There has now been an update to the lists and i can see the other MQ products listed above have been added to a list (i don't want to say which one here in case something changes in the future and they switch lists, but please take a look at the post to check.)

    Was the 5 products i mentioned above all of the ones you were expecting to see or were there any other ones that you feel are missing which i can chase up or explain where they fit in?

    Best wishes,


    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------