Hi Team,
We've found a log4j vulnerability on our AIX server. As AIX (all versions) has been added to the non-affected list, we've checked other applications with the jar file log4j-core-*.jar in their classpath.
Below is our finding:
dalvic1:/# ls -lrt /usr/local/cdunix_v4.3.0.1/install/agent/bin/lib/log4j-core-2.12.0.jar
-rwx------ 1 cdadm staff 1667269 Sep 02 2020 /usr/local/cdunix_v4.3.0.1/install/agent/bin/lib/log4j-core-2.12.0.jar
So as per IBM document we have applied the fix and we have upgraded our log4j*.jar file from version 2.12.0 to 2.15.0 alongside the application Connect Direct which was using it.
IBM DOC: https://www.ibm.com/support/pages/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-connectdirect-unix-cve-2021-44228
But still log4j vulnerability is detected in our AIX server.
I believe the environment variable (LOG4J_FORMAT_MSG_NO_LOOKUPS=true) should be true. Can anyone please help me find the environment variable value and also resolve this log4j vulnerability in Connect Direct?
I've tried to find the env variable value but no luck.
dalsa1:/# printenv | grep -i log4j
dalsa1:/#
dalsa1:/# echo $LOG4J_FORMAT_MSG_NO_LOOKUPS
dalsa1:/#
------------------------------
Virendra Singh
------------------------------
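
Added example, not part of the original post and not IBM's procedure: one way to list every log4j-core jar still on disk and compare the version in its file name with 2.15.0, the version the post upgraded to. The function names, the sample directory layout and the assumption that jars keep the standard log4j-core-<version>.jar name are illustrative.

```sh
#!/bin/sh
# Added example: inventory log4j-core jars under a tree and compare the version
# in each file name with a target version (2.15.0 is the version named in the post).
# Assumption: jars keep the standard log4j-core-<version>.jar file name.

# version_lt A B: exit 0 when dotted version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }' < /dev/null
}

# scan_log4j_core ROOT TARGET: print "STATUS VERSION PATH" for every jar found.
scan_log4j_core() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        base=${jar##*/}            # file name without directories
        ver=${base#log4j-core-}    # drop the artifact prefix
        ver=${ver%.jar}            # drop the extension
        if version_lt "$ver" "$2"; then
            echo "BELOW_TARGET $ver $jar"
        else
            echo "OK $ver $jar"
        fi
    done
}

# make_sample_tree DIR: constructed layout (empty files, hypothetical paths) with
# an upgraded jar plus an old copy left behind in a backup directory.
make_sample_tree() {
    mkdir -p "$1/agent/bin/lib" "$1/backup/lib"
    : > "$1/agent/bin/lib/log4j-core-2.15.0.jar"
    : > "$1/backup/lib/log4j-core-2.12.0.jar"
}

# Demo on the constructed tree; on a real host pass the directory to search.
demo_dir=${TMPDIR:-/tmp}/log4j-demo.$$
make_sample_tree "$demo_dir"
scan_log4j_core "$demo_dir" 2.15.0
rm -rf "$demo_dir"
```

The check reads only file names, so a log4j-core copy bundled inside another archive or renamed would not appear in the output.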