AIX Open Source

  • 1.  LOG4j vulnerability in Connect Direct (log4j-core-2.12.0.jar)

    Posted Thu May 12, 2022 12:45 AM
    Hi Team,
    We've found a log4j vulnerability on our AIX server. As AIX (all versions) has been added to the non-affected list, we've checked other applications with the jar file log4j-core-*.jar in their classpath.

    Below is our finding
    dalvic1:/# ls -lrt /usr/local/cdunix_v4.3.0.1/install/agent/bin/lib/log4j-core-2.12.0.jar
    -rwx------ 1 cdadm staff 1667269 Sep 02 2020 /usr/local/cdunix_v4.3.0.1/install/agent/bin/lib/log4j-core-2.12.0.jar

    So as per IBM document we have applied the fix and we have upgraded our log4j*.jar file from version 2.12.0 to 2.15.0 alongside the application Connect Direct which was using it.

    IBM DOC: https://www.ibm.com/support/pages/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-connectdirect-unix-cve-2021-44228

    But still log4j vulnerability is detected in our AIX server.

    As I believe the environment variable (LOG4J_FORMAT_MSG_NO_LOOKUPS=true) should be true. So can anyone please help me out with how to find the environment variable value and also how to resolve this log4j vulnerability in Connect Direct.

    I've tried to find the env variable value but no luck.
    dalsa1:/# printenv | grep -i log4j
    dalsa1:/#
    dalsa1:/# echo $LOG4J_FORMAT_MSG_NO_LOOKUPS
    dalsa1:/#


    ------------------------------
    Virendra Singh
    ------------------------------
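Added example, not part of the original post or of Connect Direct: a POSIX shell inventory that walks a directory tree for `log4j-core-<version>.jar` files (the same name pattern the post greps for), reads the version out of the file name, and flags every copy below a minimum version the caller supplies. The sample tree it builds is constructed here to mirror the post's path layout; the file names, the `2.15.0` minimum and the directory names are assumptions for the demo, and the real minimum should be taken from the Apache security page linked later in the thread. Pre-release suffixes such as `-rc1` are not handled.

```shell
#!/bin/sh
# Added example (not from the thread). Inventories log4j-core jars by
# file name and flags versions below a caller-chosen minimum.

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Pure POSIX sh so it also runs on AIX, where sort -V is unavailable.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        # drop the consumed leading component (or empty the string if none left)
        if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# jar_version PATH: the version embedded in a log4j-core-<ver>.jar file name.
jar_version() {
    v=$(basename "$1")
    v=${v#log4j-core-}
    v=${v%.jar}
    printf '%s\n' "$v"
}

# scan_log4j ROOT MIN: print "<path> <version> BELOW|OK" for every
# log4j-core jar under ROOT, comparing against minimum version MIN.
scan_log4j() {
    root="$1"; min="$2"
    find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(jar_version "$jar")
        if version_lt "$ver" "$min"; then status=BELOW; else status=OK; fi
        printf '%s %s %s\n' "$jar" "$ver" "$status"
    done
}

# count_below ROOT MIN: number of jars flagged BELOW (usable as an exit code
# source in a cron job). "|| true" keeps grep's no-match status from aborting.
count_below() {
    scan_log4j "$1" "$2" | grep -c ' BELOW$' || true
}

# Constructed sample tree (assumption, not a real install): one jar laid
# out like the post's Connect Direct path, standing in for the upgraded
# copy, plus a leftover older copy under a second, hypothetical product.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cdunix_v4.3.0.1/install/agent/bin/lib" "$d/other_app/lib"
    : > "$d/cdunix_v4.3.0.1/install/agent/bin/lib/log4j-core-2.15.0.jar"
    : > "$d/other_app/lib/log4j-core-2.12.0.jar"
    printf '%s\n' "$d"
}

SAMPLE=$(make_sample_tree)
scan_log4j "$SAMPLE" 2.15.0
echo "jars below 2.15.0: $(count_below "$SAMPLE" 2.15.0)"
```

Run it against `/` (or the application roots) with the minimum version the vendor bulletin names; a scanner that keys on the jar file name will keep reporting any copy the script lists as BELOW, wherever it lives. On the environment-variable question: a variable exported in a root login shell is not seen by a Java process started elsewhere, so checking it means looking at that process's own environment (on AIX, `ps eww <pid>` prints a process's environment along with its arguments).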


  • 2.  RE: LOG4j vulnerability in Connect Direct (log4j-core-2.12.0.jar)

    Posted Fri May 13, 2022 02:17 AM
    I am not sure if people in this community have knowledge/information about connect direct.
    I would suggest opening a case with Connect Direct. It has nothing to do with AIX, as log4j is provided by Connect Direct.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 3.  RE: LOG4j vulnerability in Connect Direct (log4j-core-2.12.0.jar)

    Posted Fri May 13, 2022 03:29 PM
    As Sanket explained, you should open a case with Connect Direct support, but I would also check with the provider of the vulnerability scanner, to see what/how it is checking for the vulnerability.

    Note:  Per Apache, $LOG4J_FORMAT_MSG_NO_LOOKUPS=true was a discredited mitigation measure.

    See the "Older (discredited) mitigation measures" section here
    https://logging.apache.org/log4j/2.x/security.html



    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------