HMC


HMC and Log4j

  • 1.  HMC and Log4j

    Posted Mon December 13, 2021 09:16 AM
    Hi,
    Anyone have any idea if the HMC is in any way affected by the recent log4j vulnerability?
    Would be nice to know if I need to start the planning of emergency HMC updates or not.

    If all else fails I can log a call with IBM but wondered if anyone else had already been privy to any relevant info.

    Matt

    ------------------------------
    Matt Dulson
    ------------------------------


  • 2.  RE: HMC and Log4j

    Posted Tue December 14, 2021 08:55 AM
    Hi!

    Well, that's not final proof, but there is at least one indication that HMCs might not be affected:
    hscroot@mqde01hmcsap01:~> ls /usr/share/java/log4j*
    /usr/share/java/log4j12-1.2.17.jar /usr/share/java/log4j-1.2.17.jar /usr/share/java/log4j-1.jar

    So while log4j is installed, that version isn't affected.... Disclaimer: That doesn't mean that there is an affected version installed anywhere else.


    Best regards,
      Alexander

    PS: Looking at HMC V9R2 M950.

    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 3.  RE: HMC and Log4j

    Posted Tue December 14, 2021 09:36 AM
    Hello!

    There are more log4j files in several subdirectories under
    • /opt/apache-tomcat-7.0.105
    • opt/hmc/share/jars-9.2.950.5
    e.g. /opt/apache-tomcat-7.0.105/usr/servers/pmc/apps/pmc-ui-war-9.2.950.5-2103160809.war/WEB-INF/lib/log4j-core-2.13.3.jar

    We also use HMC V9R2 M950.

    Best regards
       Winfried

    ------------------------------
    Winfried Oesterle
    AIX Administrator
    ------------------------------
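
The check from posts 2 and 3, generalized as an added Python example (not code from the thread or from IBM): it walks a directory tree, also looks inside WAR/EAR/JAR/ZIP archives, and marks each log4j-core jar against the CVE-2021-44228 affected ranges published by Apache. Function names are illustrative, and matching is by filename only, so Log4j 1.x jars such as log4j-1.2.17.jar are not reported and renamed or shaded copies are missed.

```python
import io
import os
import re
import zipfile

# Log4j 2 core artifact name, e.g. log4j-core-2.13.3.jar (pre-release suffixes ignored)
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
# CVE-2021-44228 affected ranges from the Apache advisory, as [low, high)
AFFECTED = [((2, 0, 0), (2, 3, 1)), ((2, 4, 0), (2, 12, 2)), ((2, 13, 0), (2, 15, 0))]
ARCHIVES = (".war", ".ear", ".jar", ".zip")

def classify(name):
    """Return (version, affected) for a log4j-core jar name, else None."""
    m = CORE_JAR.search(name.replace("\\", "/"))
    if not m:
        return None
    v = tuple(int(x or 0) for x in m.groups())
    return v, any(lo <= v < hi for lo, hi in AFFECTED)

def scan_archive(data, label, hits, depth=0):
    """Scan an in-memory zip-format archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-format file despite its extension
    for entry in zf.namelist():
        inner = f"{label}!/{entry}"
        found = classify(entry)
        if found:
            hits.append((inner, *found))
        elif entry.lower().endswith(ARCHIVES) and depth < 4:
            scan_archive(zf.read(entry), inner, hits, depth + 1)

def scan_tree(root):
    """Return [(path, version, affected)] for every log4j-core jar under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            found = classify(f)
            if found:
                hits.append((path, *found))
            elif f.lower().endswith(ARCHIVES):
                try:
                    with open(path, "rb") as fh:
                        scan_archive(fh.read(), path, hits)
                except OSError:
                    pass  # unreadable file: skip it
    return hits
```

Calling `scan_tree("/opt")` returns one tuple per jar found; an exploded `.war` directory like the one in post 3 is covered by the plain directory walk, while packed archives are opened in memory.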



  • 4.  RE: HMC and Log4j

    Posted Tue December 14, 2021 01:02 PM
    Thanks for correcting my earlier post!

    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 5.  RE: HMC and Log4j

    Posted Wed December 15, 2021 12:37 PM





  • 6.  RE: HMC and Log4j

    Posted Tue December 14, 2021 04:11 PM
    Looking at HMC V9R2 M950 I am also seeing quite a few entries under /proc with the log4j2.xml extension

    /proc/XXXX/root/console/log4j2.xml

    among others.

    Stephen Beaton - UNIX Administrator


    ------------------------------
    Stephen Beaton
    ------------------------------



  • 7.  RE: HMC and Log4j

    IBM Champion
    Posted Tue December 14, 2021 10:09 PM
    Hi All
    Last night IBM published the HMC fixes for all GA code levels against the Log4j problem.
    Check Fix Central accordingly, please! I have already downloaded the update.
    thx
    vince

    ------------------------------
    Vincencio Michaelis
    ------------------------------



  • 8.  RE: HMC and Log4j

    Posted Wed December 15, 2021 02:50 AM
    Direct link to the fixes:
    Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
    and the bulletin:
    Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC - IBM PSIRT Blog

    ------------------------------
    Levente Szente
    ------------------------------



  • 9.  RE: HMC and Log4j

    Posted Wed December 15, 2021 04:29 AM
    Hi all,

    I'm a bit confused.... The announcements list the affected versions as
    HMC V9.2.950.0 V9.2.950.0


    but the published fixes require HMC V9 R2 952.1, which is not on the list of affected versions.


    Just for safety, we'll roll them out, even though we think we might be safe, but if I'm reading anything wrong here, please let me know where my mistake is.


    Best regards,
      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 10.  RE: HMC and Log4j