AIX Open Source

  • 1.  LOG4j vulnerability in Connect Direct (log4j-core-2.12.0.jar)

    Posted 14 days ago
    Hi Team,
    We've found a log4j vulnerability on our AIX server. As AIX (all versions) has been added to the non-affected list, we've checked other applications with the jar file log4j-core-*.jar in their classpath.

    Below are our findings:
    dalvic1:/# ls -lrt /usr/local/cdunix_v4.3.0.1/install/agent/bin/lib/log4j-core-2.12.0.jar
    -rwx------ 1 cdadm staff 1667269 Sep 02 2020 /usr/local/cdunix_v4.3.0.1/install/agent/bin/lib/log4j-core-2.12.0.jar

    So as per the IBM document we have applied the fix and upgraded our log4j*.jar files from version 2.12.0 to 2.15.0, along with the application Connect Direct which was using them.

    IBM DOC: https://www.ibm.com/support/pages/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-connectdirect-unix-cve-2021-44228

    But the log4j vulnerability is still detected on our AIX server.

    I believe the environment variable (LOG4J_FORMAT_MSG_NO_LOOKUPS=true) should be set to true. So can anyone please help me find out how to check the environment variable's value, and also how to resolve this log4j vulnerability in Connect Direct?

    I've tried to find the env variable value, but with no luck.
    dalsa1:/# printenv | grep -i log4j
    dalsa1:/#
    dalsa1:/# echo $LOG4J_FORMAT_MSG_NO_LOOKUPS
    dalsa1:/#


    ------------------------------
    Virendra Singh
    ------------------------------


  • 2.  RE: LOG4j vulnerability in Connect Direct (log4j-core-2.12.0.jar)

    Posted 13 days ago
    I am not sure if people in this community have knowledge/information about Connect Direct.
    I would suggest opening a case with Connect Direct. It has nothing to do with AIX, as log4j is provided by Connect Direct.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 3.  RE: LOG4j vulnerability in Connect Direct (log4j-core-2.12.0.jar)

    Posted 12 days ago
    As Sanket explained, you should open a case with Connect Direct support, but I would also check with the provider of the vulnerability scanner to see what/how it is checking for the vulnerability.

    Note:  Per Apache, $LOG4J_FORMAT_MSG_NO_LOOKUPS=true was a discredited mitigation measure.

    See the "Older (discredited) mitigation measures" section here
    https://logging.apache.org/log4j/2.x/security.html



    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------
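
The check that both replies point at (post 1 lists the one jar it found; post 3 suggests asking what the scanner actually looks for) can be reproduced locally. The following is an added example, not code from this thread, from IBM, or from the Connect:Direct product: a stdlib-only Python scanner that walks a directory tree, identifies log4j-core by its contents (the Maven pom.properties and the JndiLookup class) rather than by trusting the file name, descends into nested jars/wars/ears, and reports which of the four log4j 2.x CVEs listed on the Apache security page still apply, taking the Java 7 (2.12.x) and Java 6 (2.3.x) backport lines into account. The sample tree it builds in a temporary directory is constructed for the demo; the paths, the core-libs.jar fat jar and webapp.war are invented stand-ins, not real artifacts.

```python
"""Added example (not from the thread): find log4j-core copies under a tree,
identify them by content, and map each to the CVEs that still apply."""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# First fixed release per CVE on each maintained line (Apache log4j security page):
# the main 2.x line, the Java 7 backport line (2.12.x) and the Java 6 line (2.3.x).
FIXED_IN = {
    "CVE-2021-44228": {"main": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 1)},
    "CVE-2021-44832": {"main": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)},
}


def parse_version(text):
    """'2.12.0' -> (2, 12, 0); a '-rc1' style suffix is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def open_cves(version, jndi_lookup_present):
    """CVEs still applicable to a log4j-core of this version tuple."""
    line = {(2, 12): "2.12", (2, 3): "2.3"}.get(tuple(version[:2]), "main")
    cves = [cve for cve, fixed in FIXED_IN.items() if tuple(version) < fixed[line]]
    # Deleting JndiLookup.class is Apache's mitigation for the two JNDI CVEs on
    # releases that cannot be upgraded; it does nothing for the later two.
    if not jndi_lookup_present:
        cves = [c for c in cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return cves


def inspect_archive(zf, location):
    """Findings for one open zip and, recursively, for archives nested in it."""
    findings, names = [], set(zf.namelist())
    if POM_PROPS in names or JNDI_LOOKUP_CLASS in names or JAR_NAME_RE.search(location):
        version_text = None
        if POM_PROPS in names:  # trust the jar's own metadata over its file name
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version_text = line.split("=", 1)[1].strip()
        if version_text is None:
            m = JAR_NAME_RE.search(location)
            version_text = m.group(1) if m else None
        present = JNDI_LOOKUP_CLASS in names
        cves = (open_cves(parse_version(version_text), present)
                if version_text else ["unknown-version"])
        findings.append({"path": location, "version": version_text,
                         "jndi_lookup_present": present, "cves": cves})
    for name in sorted(names):  # fat jars, wars and ears carry their own copies
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(inspect_archive(inner, f"{location}!{name}"))
            except zipfile.BadZipFile:
                pass
    return findings


def scan_tree(root):
    """Walk root and return findings for every log4j-core copy, nested ones included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_archive(zf, path))
                except zipfile.BadZipFile:
                    pass
    return findings


def make_jar(target, version, with_jndi_lookup):
    """Constructed stand-in for a log4j-core jar (demo data, not a real jar)."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def build_sample_tree(root):
    """Constructed layout (paths invented): old jar, upgraded jar, fat jar, war."""
    lib = os.path.join(root, "agent", "bin", "lib")
    os.makedirs(lib)
    make_jar(os.path.join(lib, "log4j-core-2.12.0.jar"), "2.12.0", True)  # as posted
    make_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0", True)  # the upgrade
    make_jar(os.path.join(lib, "core-libs.jar"), "2.12.2", True)  # shaded; name says nothing
    nested = io.BytesIO()
    make_jar(nested, "2.12.0", False)  # old copy with JndiLookup.class removed
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.12.0.jar", nested.getvalue())


def scan_sample():
    """Build the constructed tree in a temp dir, scan it, key results by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = {}
        for f in scan_tree(tmp):
            outer, bang, inner = f["path"].partition("!")
            results[os.path.relpath(outer, tmp).replace(os.sep, "/") + bang + inner] = f
        return results


if __name__ == "__main__":
    for path, f in sorted(scan_sample().items()):
        print(f"{path}: version={f['version']} JndiLookup={f['jndi_lookup_present']} open={f['cves']}")
```

Pointing `scan_tree` at a real root such as /usr/local lists every copy, including the ones a scanner reaches that a manual `ls` of one lib directory does not: stale copies under backup or install directories, a jar bundled inside a war or ear, or a shaded jar whose name does not contain "log4j" at all. Note that the example classifies a jar with JndiLookup.class deleted as still exposed to CVE-2021-45105 and CVE-2021-44832, and never treats the LOG4J_FORMAT_MSG_NO_LOOKUPS setting as a mitigation, in line with the Apache page linked above.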