Log4J Vulnerability And Capitalware Products

December 11, 2021 Roger Lacroix

For those who have not heard, there is a new vulnerability in Log4J v2.x. Here is a link to the Log4J v2.x vulnerability:
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

The Log4J v2.x vulnerability is related to the ‘lookups’ feature that was introduced in version 2.

Lookups provide a way to add values to the log4j configuration at arbitrary places. They are a particular type of Plugin that implements the StrLookup interface.

Any application that is using Log4J v2.x needs to upgrade to Log4J v2.16.0 (or later) immediately.

No Capitalware product uses Log4J v2.x.

There are 4 Capitalware product using Log4J v1.x. Note: Log4J v1.x does not have the ‘lookups’ feature, hence, it is not at risk of the vulnerability described above.

MQ Batch Toolkit
JAAS for MQAUSX (JAUSX) which is an auxiliary component of MQAUSX
Audit Queue Off Load (AQOL) which is an auxiliary component of MQ Auditor
Universal File Mover (UFM)

End-users cannot change the Log4J jar file in MQ Batch Toolkit because it is compiled and linked using Excelsior Jet. Both AQOL and UFM are supplied as a regular form with a script / batch file to launch them. If the Log4J v1.x was upgraded in either JAUSX, AQOL and/or UFM to Log4J v2.x then it is the responsibility of the end-user to immediately either (1) put back Log4J v1.x or (2) download and install Log4J v2.16.0 (or later).

Note: None of the 4 components use the JMSAppender with Log4J v1.x.

Please take this vulnerability seriously.

Regards,
Roger Lacroix
Capitalware Inc.

This entry was posted in Capitalware, IBM i (OS/400), Java, JMS, Linux, macOS (Mac OS X), MQ Auditor, MQ Batch Toolkit, Open Source, Programming, Raspberry Pi, Security, Universal File Mover, Unix, Windows.

Comments are closed.

Search for:
Recent Posts
Blog Calendar
July 2024

M T W T F S S

1 2 3 4 5 6 7

8 9 10 11 12 13 14

15 16 17 18 19 20 21

22 23 24 25 26 27 28

29 30 31

« May
Capitalware
Archives
Archives
Categories
IBM MQ
- Terms of Use
- Using TLS 1.3 to connect a WebSphere Application Server 9.0.5.20 to an IBM MQ 9.4 Queue Manager, using self-signed certificates July 14, 2024
- Downloading the IBM MQ 9.4 initial release July 11, 2024
- IT45988: MFT Agent abends with NullPointerException when processing Partitioned Data Sets on z/OS. July 10, 2024
- IBM MQ Replicated Data Queue Manager Kernel Modules July 9, 2024
- System Requirements for IBM MQ July 8, 2024
- Is there a way to delete a single message from an IBM MQ queue (arbitrary position in the queue)? July 8, 2024
- For the IBM MQ rpm filesets in Linux, how to find out their dependencies? July 6, 2024
- Installing and uninstalling IBM MQ 9.4 in Linux RHEL July 6, 2024
- New objects and new attributes for objects in IBM MQ 7.1, 7.5, 8.0, 9.0, 9.1, 9.2, 9.3 and 9.4 LTS July 6, 2024
WebSphere MQ
- Terms of Use
- System Requirements for IBM MQ July 8, 2024
- Cumulative security update (CSU) 9.1.0.22 for IBM MQ on Linux 64-bit,x86_64 June 26, 2024
- Cumulative security update (CSU) 9.1.0.22 for IBM MQ on Solaris 64-bit,SPARC June 26, 2024
- Cumulative security update (CSU) 9.1.0.22 for IBM MQ on Linux 64-bit,zSeries June 26, 2024
IBM Developer Messaging Blog
T.Rob’s Store and Forward
- MQ Safety Tips for the Pandemic April 5, 2020
- Command Server Gotcha May 14, 2018
- Client-based runmqsc gotcha May 3, 2018
- When deprecated != deprecated January 19, 2018
- Parsing MQ error logs in Splunk December 19, 2017
Mark Taylor’s Blog
- Retiring SupportPac MS0P June 24, 2024
- MQ Spring Boot: Advanced Configuration and Transactions June 14, 2024
- Passwords with runmqsc scripts April 4, 2024
- MQ Metrics with OpenTelemetry March 1, 2024
- Handling MQ logs and events with OpenTelemetry February 10, 2024
Lyns Random Thoughts
Leif Davidsen’s Blog
Colin Paice on MQ
- Linux: Why are my cursor keys not working? July 12, 2024
- Get your granny to read it before you distribute it July 12, 2024
- RACF – I cannot delete a certificate! July 7, 2024
- Setting up a JES2 output NJE TCPIP node as a client using AT-TLS July 3, 2024
- Setting up JES2 input NJE node (server) and AT-TLS July 3, 2024
- Setting up JES2 NJE using TCP/IP July 3, 2024
- z/OS systems-ssl strange behaviour with environment variables June 25, 2024
- Destination unreachable, Port unreachable. Which firewall rule is blocking me? June 25, 2024
- Non functional requirements: backups June 10, 2024
- Non functional requirements: do not create a straitjacket. June 10, 2024
StackOverflow MQ Questions
- connecting to ibm MQ with TLS July 11, 2024
- BackOff and transactional not working for mesage handling only for listener setup July 8, 2024
- C#.Net IBM MQ Multi threaded application Connection Issue with Username and Password July 4, 2024
- IBM MQ with multiple listener for same queue July 2, 2024
- 2012 MQRC_ENVIRONMENT_ERROR using IBM MQ Classes for C++ June 30, 2024
- Could not establish a connection to the queue manager. Channel not available (AMQ4870) June 24, 2024
- Cached JMS Session object is printing as null in JmsTemplate June 24, 2024
- How do I set up an SSL connection to an IBM MQ using IBMXMSDotnet on .NET 8 on a Linux system? June 20, 2024
- Completion Code '2', Reason '2035' While using com.ibm.mq.allclient June 20, 2024
- Connect as Reconnectable client in MQ uniform clusters, application hosted in Open liberty uses MQ adapter to connect MQ Qmgr June 19, 2024
StackOverflow MQTT Questions
- Why is it recommended to make separate device certificates for connecting to AWS IoT Core MQTT endpoint? July 14, 2024
- Running MQTT publish command in Laravel queue with database option fails but in sync it works July 11, 2024
- AWS IOT services for MQTT best practices [closed] July 11, 2024
- MQTT client cannot publish to brocker using MQTTS : certificats are valid in port 443 but not in port 8883 July 11, 2024
- how to connect two virtual machines (both ubuntu) using mqtt? [closed] July 10, 2024
- Zephyr os mqtt tls thingsboard : mqtt_connect fails with return -2 July 10, 2024
- Thingsbaoard Gateway cannot update attributes from server July 10, 2024
- Assist with MQTT (Mosquitto) service starting error July 8, 2024
- MQTT Over WebSocket and SSL connection is not working in iOS Swift July 8, 2024
- dockerized spring boot error while instantiating MqttClient July 8, 2024