Power Global


Connect, learn, share, and engage with IBM Power.

  • 1.  JNDI lookup deletion from .jar file using zip utility.

    Posted Mon May 23, 2022 10:28 AM
    Hi Team,
    We're trying to mitigate the log4j vulnerability on our AIX server by removing the JNDI lookup class from the .jar file. We've removed the JNDI lookup in the Linux environment using the zip utility. But when we try the same in the AIX environment we're unable to do so. We tried to install the zip utility, but due to a lot of dependencies we're unable to install it.

    We have AIX 7100-05-08-2114 oslevel. Please find the logs from the installation of the zip utility. Kindly let us know how to get this zip utility installed, or if there is any other way to remove the JNDI class from the .jar file.

    Command we used:
    zip -q -d log4j-core-2.12.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    unable to resolve the dependencies: 
    AIX-rpm >= 7.2.0.0 is needed by libgcc6-6.3.0-2.ppc

    Zip utility installation log:
    > rpm -ivh zip-3.0-4.aix6.1.ppc.rpm
    error: Failed dependencies:
    bzip2 >= 1.0.8-2 is needed by zip-3.0-4.ppc

    > rpm -qa | grep -i bzip2
    bzip2-1.0.2-4.ppc

    > rpm -U bzip2-1.0.8-2.aix6.1.ppc.rpm
    error: Failed dependencies:
    libgcc >= 6.3.0-2 is needed by bzip2-1.0.8-2.ppc

    > rpm -qa | grep -i libgcc
    libgcc-4.2.0-3.ppc

    > ls -ltr
    total 7120
    -rw-r----- 1 dassu unixadm 243981 May 20 11:57 bzip2-1.0.8-2.aix6.1.ppc.rpm
    -rw-r----- 1 dassu unixadm 962982 May 20 11:59 libgcc6-6.3.0-2.aix7.2.ppc.rpm
    -rw-r----- 1 dassu unixadm 400664 May 23 17:09 zip-3.0-4.aix6.1.ppc.rpm
    -rwx------ 1 dassu unixadm 1789769 May 23 17:10 log4j-core-2.15.0.jar
    -rw-r----- 1 dassu unixadm 14559 May 23 17:10 libgcc-8-1.aix6.1.ppc.rpm
    -rw-r----- 1 dassu unixadm 222035 May 23 17:10 bzip2-devel-1.0.8-2.aix6.1.ppc.rpm

    > rpm -qa | grep -i bzip2
    bzip2-1.0.2-4.ppc
    jaguar:/home/dassu/zip> rpm -U libgcc6-6.3.0-2.aix7.2.ppc.rpm
    error: Failed dependencies:
    AIX-rpm >= 7.2.0.0 is needed by libgcc6-6.3.0-2.ppc
    jaguar:/home/dassu/zip> rpm -qa | grep -i AIX-rpm
    AIX-rpm-7.1.5.33-9.ppc
    jaguar:/home/dassu/zip> oslevel -s
    7100-05-08-2114
    jaguar:/home/dassu/zip>


    ------------------------------
    Virendra Singh
    ------------------------------


  • 2.  RE: JNDI lookup deletion from .jar file using zip utility.

    Posted Mon May 23, 2022 01:18 PM
    To solve the immediate problem of mitigating log4j by removing a class from the jar file, I'm pretty sure that you should be able to use your Linux system to alter the AIX file and then copy the updated file back to AIX.
    Unless I'm mistaken, the zip format is compatible between both OSes (as is the jar, I think), and the OS-or-machine-specific parts are the files contained within the zip/jar.
    If you extract the parts of the AIX file with Linux zip and put it back together without the bad class, the file should still be usable on AIX.
    I wouldn't bet my life on it, but it's definitely worth a try.

    After that, you can work on the problem of installing zip on AIX, if you still want to.

    ------------------------------
    Michael Shon
    ------------------------------
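The first post needs `zip -d` on AIX and the second suggests doing the edit on another system because the jar/zip format is portable. A third option, added here as an example and not part of the thread, is to skip the `zip` binary entirely: a jar is a zip file, and Python's standard-library `zipfile` module (no extra RPMs) can rewrite it without the `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. The sample jar built by `build_sample_jar()` is constructed for the demo with placeholder bytes, not real log4j classes; the function names are this example's own.

```python
"""Strip JndiLookup.class from a log4j-core jar using only Python's stdlib.

Added example, not code from the forum thread. Works anywhere Python runs
(AIX, Linux, ...), so it avoids the zip/bzip2/libgcc dependency chain in
the original post. The sample jar is constructed here with placeholder
entries; it is not a real log4j build.
"""
import os
import shutil
import tempfile
import zipfile

# Entry name from the thread's "zip -q -d ..." command.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def remove_entries(src_jar, dst_jar, names=(JNDI_LOOKUP,)):
    """Copy src_jar to dst_jar, dropping the named entries.

    Every surviving entry is re-added with its original ZipInfo, so the
    compression method, timestamps and entry order (META-INF/MANIFEST.MF
    first) are preserved. Returns the list of entry names removed.
    """
    removed = []
    with zipfile.ZipFile(src_jar) as zin, zipfile.ZipFile(dst_jar, "w") as zout:
        for info in zin.infolist():
            if info.filename in names:
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def jar_contains(jar_path, name=JNDI_LOOKUP):
    """True if the jar still carries the named entry (post-change check)."""
    with zipfile.ZipFile(jar_path) as zf:
        return name in zf.namelist()


def mitigate_in_place(jar_path):
    """Rewrite jar_path without JndiLookup.class, keeping a .bak copy.

    The new jar is written to a temp file in the same directory and then
    renamed over the original, so an interrupted run cannot leave a
    truncated jar behind for the JVM to load.
    """
    shutil.copy2(jar_path, jar_path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".tmp")
    os.close(fd)
    try:
        removed = remove_entries(jar_path, tmp)
        shutil.copymode(jar_path, tmp)  # keep the original permission bits
        os.replace(tmp, jar_path)
    except Exception:
        os.unlink(tmp)
        raise
    return removed


def build_sample_jar(path):
    """Constructed sample jar (placeholder bytes, not real log4j classes)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")
    return path


def demo():
    """Build a sample jar, strip the lookup class, and report before/after."""
    workdir = tempfile.mkdtemp()
    jar = build_sample_jar(os.path.join(workdir, "log4j-core-sample.jar"))
    before = jar_contains(jar)
    removed = mitigate_in_place(jar)
    after = jar_contains(jar)
    with zipfile.ZipFile(jar) as zf:
        remaining = zf.namelist()
    shutil.rmtree(workdir)
    return {"before": before, "removed": removed, "after": after, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

On a real server, run `mitigate_in_place("/path/to/log4j-core-2.x.jar")` for each copy found, then confirm with `jar tf` (from the JDK already present on the AIX box) or `jar_contains()` that the entry is gone, and restart every JVM that had the old jar open: a running process keeps the class it already loaded until it restarts.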