HMC


HMC and Log4j

  • 1.  HMC and Log4j

    Posted Mon December 13, 2021 09:16 AM
    Hi,
    anyone have any idea if the HMC is in any way affected by the recent log4j vulnerability?
    Would be nice to know if I need to start the planning of emergency HMC updates or not.

    If all else fails I can log a call with IBM but wondered if anyone else had already been privy to any relevant info.

    Matt

    ------------------------------
    Matt Dulson
    ------------------------------


  • 2.  RE: HMC and Log4j

    Posted Tue December 14, 2021 08:55 AM
    Hi!

    Well, that's not final proof, but there is at least one indication, that HMCs might not be affected:
    hscroot@mqde01hmcsap01:~> ls /usr/share/java/log4j*
    /usr/share/java/log4j12-1.2.17.jar /usr/share/java/log4j-1.2.17.jar /usr/share/java/log4j-1.jar

    So while log4j is installed, that version isn't affected.... Disclaimer: That doesn't mean that there is no affected version installed anywhere else.


    Best regards,
      Alexander

    PS: Looking at HMC V9R2 M950.

    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 3.  RE: HMC and Log4j

    Posted Tue December 14, 2021 09:36 AM
    Hello!

    there are more log4j-Files in several subdirectories under
    • /opt/apache-tomcat-7.0.105
    • opt/hmc/share/jars-9.2.950.5
    e.g. /opt/apache-tomcat-7.0.105/usr/servers/pmc/apps/pmc-ui-war-9.2.950.5-2103160809.war/WEB-INF/lib/log4j-core-2.13.3.jar

    We also use HMC V9R2 M950.

    Best regards
       Winfried

    ------------------------------
    Winfried Oesterle
    AIX Administrator
    ------------------------------
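A defender's inventory check for the layout described in this post (1.x jar in a system directory, 2.x core jar inside an exploded .war): an added example, not code from the thread or from IBM. The sample tree it builds is constructed, and the paths under it are not real HMC paths.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 applies to Log4j 2 from 2.0-beta9 through 2.14.1; everything below
# 2.15.0 is flagged. log4j 1.x jars (log4j-1.2.17.jar) never match the pattern.
FIXED = (2, 15, 0)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = {".jar", ".war", ".ear", ".zip"}

def parse_version(name):
    m = JAR_RE.search(name)  # (major, minor, patch) for a log4j-core jar name, else None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def scan(root):
    """Report log4j-core jars on disk (exploded .war) and one level inside packed archives."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ver = parse_version(path.name)
        if ver:
            findings.append((str(path), ver, ver < FIXED))
        if path.suffix in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for entry in zf.namelist():
                    v = parse_version(entry)
                    if v:
                        findings.append((f"{path}!{entry}", v, v < FIXED))
    return findings

def build_sample_tree(base):
    """Constructed sample mirroring the thread's layout; not a real HMC image."""
    base = Path(base)
    (base / "usr/share/java").mkdir(parents=True)
    (base / "usr/share/java/log4j-1.2.17.jar").write_bytes(b"")  # 1.x: not this CVE
    lib = base / "opt/tomcat/usr/servers/pmc/apps/app.war/WEB-INF/lib"  # exploded war
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.13.3.jar").write_bytes(b"")
    packed = lib.parents[2] / "other.war"  # packed war in the same apps/ directory
    with zipfile.ZipFile(packed, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", b"")
    return base

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # scan the constructed tree
        base = build_sample_tree(tmp)
        return sorted((loc[len(str(base)):], v, bad) for loc, v, bad in scan(base))
```

Only one level of archive nesting is inspected; a jar inside a war inside an ear needs a recursive pass.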



  • 4.  RE: HMC and Log4j

    Posted Tue December 14, 2021 01:02 PM
    Thanks for correcting my earlier post!

    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 5.  RE: HMC and Log4j

    Posted Wed December 15, 2021 12:37 PM





  • 6.  RE: HMC and Log4j

    Posted Tue December 14, 2021 04:11 PM
    Looking at HMC V9R2 M950 I am also seeing quite a few entries under /proc with the log4j2.xml extension

    /proc/XXXX/root/console/log4j2.xml

    among others.

    Stephen Beaton - UNIX Administrator


    ------------------------------
    Stephen Beaton
    ------------------------------



  • 7.  RE: HMC and Log4j

    IBM Champion
    Posted Tue December 14, 2021 10:09 PM
    Hi All
    last night IBM published the HMC Fixes for all GA Code levels against LOG4J Problem.
    Check Fix Central accordingly please ! I have already downloaded the update.
    thx
    vince

    ------------------------------
    Vincencio Michaelis
    ------------------------------



  • 8.  RE: HMC and Log4j

    Posted Wed December 15, 2021 02:50 AM
    Direct link to the fixes:
    Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
    and the bulletin:
    Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC - IBM PSIRT Blog

    ------------------------------
    Levente Szente
    ------------------------------



  • 9.  RE: HMC and Log4j

    Posted Wed December 15, 2021 04:29 AM
    Hi all,

    I'm a bit confused.... The announcements list the affected versions as
    HMC V9.2.950.0 V9.2.950.0


    but the published fixes require HMC V9 R2 952.1, which is not on the list of affected versions.


    Just for safety, we'll roll them out, even though we think we might be safe, but if I'm reading anything wrong here, please let me know where my mistake is.


    Best regards,
      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 10.  RE: HMC and Log4j

    Posted Thu December 16, 2021 05:03 AM
    Hi!

    IBM updated the advisories:

    So it makes sense and good thing we already started updating ours :)


    Best regards,
      Alexander

    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 11.  RE: HMC and Log4j

    Posted Thu December 16, 2021 10:48 AM

    We're in the same boat here, at 951 so we need to upgrade to 952 then apply the fix.  We started rolling this out, and if you check SP 952's readme it has this known issue listed in it:

    Kerberos user cannot login from GUI, such user should continue to use CLI.

    And as expected as soon as we applied the SP we couldn't login to the GUI with any accounts setup with kerberos.

    This is a pretty serious known issue, when is a fix going to be released?

    Jason



    ------------------------------
    Jason Vannest
    ------------------------------



  • 12.  RE: HMC and Log4j

    Posted Mon December 20, 2021 11:12 AM
    I opened a case up about the kerberos issue - This is what they told me - I had to switch to LDAP to get around this until they release a fix.

    zhthaxto (IBM)
    Dec 09, 2021, 08:14

    Matt,

    I spoke with development about the issue, and users were blocked due to a fix that was implemented to prevent expired passwords from working. This issue was noticed with the change in drivers that handle kerb authentication on the HMC.

    In 1011 there will be a way to disable this fix, thus allowing GUI logins. However, this workaround will also allow expired passwords. This workaround is only for customers who are not concerned with expired passwords. Development is also working on a full fix in a future release date.

    Please let us know if there are any further questions or concerns.

    Known issues and limitations

    • Kerberos user cannot login from GUI, such user should continue to use CLI.
    • Kerberos server requires to be reconfigured using below CLI after update from 950 SP1 and PTFs.
      Recommended CLI commands :
      chhmc -c kerberos -s remove --realm <kerberos_hostname> -a <kerberos_ip>
      chhmc -c kerberos -s add --realm <kerberos_hostname> -a <kerberos_ip>


    ------------------------------
    Matt Geisler
    ------------------------------



  • 13.  RE: HMC and Log4j

    Posted Wed May 18, 2022 09:25 AM
    Looks like the fix for kerberos is released for this now... 

    PTF MH01925 - HMC V9 R2 952.4 for 7063 Machine Types or vHMC for PowerVM (5765-HMB)

    PTF MH01924 - HMC V9 R2 952.4 for 7042-CR9 Hardware or vHMC for x86_64 hypervisors (5765-HMW)

    Fixed the Kerberos client configuration issue that impacted the previous V9R2M952 iFixes: "Kerberos server requires to be reconfigured using below CLI after update from 950 SP1 and PTFs.

    Recommended CLI commands:

    chhmc -c kerberos -s remove --realm <kerberos_hostname> -a <kerberos_ip>

    chhmc -c kerberos -s add --realm <kerberos_hostname> -a <kerberos_ip>"

    There is no need to reconfigure kerberos after apply of this PTF.

    ------------------------------
    Matt Geisler
    ------------------------------