MQ

  • 1.  Log4j vulnerability

    Posted Tue December 14, 2021 01:36 PM
    Are there any known patches or vulnerabilities relative to this latest security finding on Log4j? I am seeing if MQ will be affected running on Windows or Linux?

    I guess it is relatively early in the game but just checking??

    Thanks.


  • 2.  RE: Log4j vulnerability

    Posted Tue December 14, 2021 01:41 PM
    I have my answer and have seen some posts regarding this, awaiting on IBM for notifications.


  • 3.  RE: Log4j vulnerability

    Posted Tue December 14, 2021 02:55 PM
    Hi Skid,
    Great to see that you found posts about this, but for others, watch this blog for details. The community team will also be monitoring to post in specific topic groups: https://www.ibm.com/blogs/psirt/

    Here is the overall blog from IBM: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    There is also a great webinar from the security team this week covering: 
    • Get the latest information about this flaw from our X-Force team
    • Learn how to check for vulnerable versions of Apache Log4j in your environment
    • Understand how to reduce the risk of an attack against your organization
    It won't be product-specific, but you can register here:  https://event.on24.com/wcc/r/3570143/66C51D1B65F9821B262E9E0A36CC69C1

    ------------------------------
    Stephanie Wilkerson
    IBM
    ------------------------------



  • 4.  RE: Log4j vulnerability

    Posted Tue December 14, 2021 03:03 PM
    Thanks, I already signed up for this WebEx. I appreciate the update!


  • 5.  RE: Log4j vulnerability

    Posted Thu December 16, 2021 04:15 AM
    Hiya,

    IBM MQ has released the following security bulletin detailing an affected IBM MQ Component. Please read the bulletin to determine whether you are affected and the steps to resolve: https://www.ibm.com/support/pages/node/6526274

    Additionally, IBM MQ has released a separate bulletin that details what components use and ship Log4j. That bulletin is available here: https://www.ibm.com/support/pages/node/6526544

    IBM Policy states that communications around whether a product and its components are affected by any vulnerability must be done via security bulletins. Additionally, the standard policy is that Products and components only produce security bulletins when they are affected and do not produce bulletins when they are not. However, for this vulnerability IBM are producing a list of products that have indicated they are not affected and publishing that list here: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

    For further information on IBM's response to this Log4j vulnerability please see the following blog post: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

    Best wishes,

    ------------------------------
    Rob Parker
    Security Focal, IBM MQ
    IBM UK Ltd
    ------------------------------



  • 6.  RE: Log4j vulnerability

    Posted Thu December 16, 2021 08:34 AM
    Most of my Linux servers are 9.1.0. I queried for the RPM and here is what it is showing; does the patch work for this version?

    rpm -q MQSeriesBCBridge
    MQSeriesBCBridge-9.1.0-0.x86_64

    I am not aware of running this in our environment, but I do see it installed.

    Do I need to install it?

    Thanks.


  • 7.  RE: Log4j vulnerability

    Posted Thu December 16, 2021 08:48 AM
    Hi Skid,

    MQ 9.1.0 LTS includes an older version of the Blockchain bridge, which uses a different Blockchain API (Blockchain composer), with a different set of open source dependencies. It is MQ 9.1.4 CD and later (including 9.2.0 LTS) which ship the new version of the blockchain bridge, which uses the Fabric Gateway API described by the security bulletin.

    Thanks

    ------------------------------
    Chris Leonard
    ------------------------------



  • 8.  RE: Log4j vulnerability

    Posted Thu December 16, 2021 08:56 AM
    Okay thanks, so I am assuming I am good....


  • 9.  RE: Log4j vulnerability

    Posted Wed January 05, 2022 08:45 AM
    Found this script online to check for possible Linux log4j vulnerabilities, might be helpful?


    wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - | bash
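The rpm query in post 6 and the downloaded checker in post 9 both answer the question "is a vulnerable Log4j on this box?" at the package level. An RPM database will not show a log4j-core jar that an application bundles inside its own war or ear, which is where most copies live. The scanner below is an added example, not code from this thread, from IBM, or from the linked GitHub script: it walks a directory, opens every jar/war/ear/zip (recursing into archives nested inside archives), reads log4j-core's Maven version from its pom.properties, and reports whether the JNDI lookup class is still present. It assumes the standard log4j-core layout (the pom.properties path and the JndiLookup class name below) and that 2.15.0 is the first release fixing CVE-2021-44228; a copy that carries the lookup class but no readable version is reported as vulnerable so that it gets reviewed rather than silently passed. The sample archives it builds when run without arguments are constructed fixtures, not real jars.

```python
import io
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Assumptions (not taken from the thread): log4j-core ships its Maven coordinates in this
# properties file, the JNDI lookup lives in this class, and 2.15.0 first fixes CVE-2021-44228.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                  # relative to the scan root; "!" separates nested archives
    version: Optional[str]     # from pom.properties, or None if no coordinates were found
    has_jndi_lookup: bool      # JndiLookup.class still present (removing it is a known mitigation)
    vulnerable: bool           # lookup class present and version unknown or older than 2.15.0


def parse_version(text: str) -> Optional[tuple]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def log4j_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read 'version=' from log4j-core's pom.properties inside the archive."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf: zipfile.ZipFile, path: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    has_jndi = JNDI_LOOKUP_CLASS in names
    version = log4j_version(zf)
    if has_jndi or version is not None:
        parsed = parse_version(version) if version else None
        # Unknown version with the lookup class present is reported as vulnerable:
        # the safe default for a shaded or repackaged copy is to review it.
        vulnerable = has_jndi and (parsed is None or parsed < FIXED_VERSION)
        findings.append(Finding(path, version, has_jndi, vulnerable))
    # Recurse into nested archives (jar inside war/ear) that package managers never see.
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{path}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_directory(root: str) -> List[Finding]:
    """Walk root and inspect every archive found, including nested ones."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, os.path.relpath(full, root), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(path: str, version: str, with_jndi_lookup: bool = True) -> None:
    """Constructed fixture: a minimal zip mimicking log4j-core's layout (not a real jar)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def make_fixture_dir() -> str:
    """Constructed sample tree: old and fixed jars, a stripped jar, and a war nesting an old jar."""
    root = tempfile.mkdtemp()
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    inner = os.path.join(root, "inner.jar")
    build_sample_jar(inner, "2.13.0")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.write(inner, "WEB-INF/lib/log4j-core-2.13.0.jar")
    os.remove(inner)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_fixture_dir()
    for f in scan_directory(root):
        status = "VULNERABLE (CVE-2021-44228)" if f.vulnerable else "ok"
        print(f"{status}: {f.path} version={f.version} JndiLookup={f.has_jndi_lookup}")
```

Run it as `python scanner.py /opt/mqm` (or any application root) to get one line per log4j-core copy found; with no argument it scans the constructed fixture tree. A jar whose JndiLookup.class has been removed is reported as not vulnerable even at an old version, which matches the class-removal mitigation, but it still shows the old version so that the upgrade can be tracked.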