Our findings and recommendations regarding log4j vulnerability

As most of you already know, a vulnerability (Log4Shell, CVE-2021-44228) was found in the popular Java logging framework Log4j. Some of our customers had questions on how this impacts the IBM middleware products.

IBM has created a blog with all the latest official IBM communication. You can find it in the link below:

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

Currently, the entire IT world is looking into Log4j, and during the last few days 3 new releases were delivered. At the time of writing, 2.17 is the latest release of Log4j. As described in the blog, IBM is trying to remove the dependency on Log4j where it can, or to update it to the latest version. Where the dependency cannot be removed, this may result in further fixes for the impacted products in the future.

In the meantime, we recommend that you perform the following actions:

  • Make sure to update your products with the latest fix and closely follow up on additional fixes.
  • Check the firewall settings of your system. Make sure to only allow outbound connections to trusted servers.
  • Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to the value true. This disables the JNDI lookup. You need to set this on all servers running the impacted products.

If you are not sure if you are impacted or need help in upgrading, don’t hesitate to contact us.

GENERAL

If you are running custom code (on IIB, ACE, …) that uses Log4j, chances are high that you are impacted. You should upgrade Log4j to version 2.17.
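To find out which log4j-core versions are actually deployed, including jars bundled inside BAR/EAR/WAR files for custom IIB/ACE code, here is an added example scanner; it is not part of the original post or of any IBM tooling. It reads the Maven pom.properties that log4j-core ships inside each archive and flags anything older than 2.17; the directory tree it scans in demo() is constructed inside the script.

```python
# Added example (not from the original post): find log4j-core in JARs and one
# level inside EAR/WAR/BAR bundles, flagging anything older than 2.17.
import io, os, tempfile, zipfile
FIXED = (2, 17)  # upgrade target named in the post
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
EXTS = (".jar", ".war", ".ear", ".bar", ".zip")

def is_vulnerable_version(version):
    """True when log4j-core is older than 2.17; '2.17.0' and later pass."""
    return tuple(int(p) for p in version.split(".") if p.isdigit()) < FIXED

def log4j_version_in(zf):
    """Version from the Maven pom.properties that log4j-core ships, or None."""
    if POM not in zf.namelist():
        return None
    props = dict(l.split("=", 1) for l in zf.read(POM).decode().splitlines() if "=" in l)
    return props.get("version", "").strip() or None

def scan_archive(path, data=None):
    """Yield (location, version); nested archives (data given) are not descended further."""
    src = io.BytesIO(data) if data is not None else path
    if not zipfile.is_zipfile(src):
        return
    with zipfile.ZipFile(src) as zf:
        v = log4j_version_in(zf)
        if v:
            yield path, v
        for name in zf.namelist() if data is None else ():
            if name.lower().endswith(EXTS):
                yield from scan_archive(f"{path}!{name}", zf.read(name))

def scan_tree(root):
    """Walk root; return sorted (location, version, vulnerable) findings."""
    return sorted((loc, v, is_vulnerable_version(v))
                  for d, _, files in os.walk(root) for f in files
                  if f.lower().endswith(EXTS)
                  for loc, v in scan_archive(os.path.join(d, f)))

def demo():
    """Scan a constructed tree: two plain jars plus an IIB/ACE-style BAR bundling an old jar."""
    root = tempfile.mkdtemp()
    for ver in ("2.14.1", "2.17.0"):
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{ver}.jar"), "w") as z:
            z.writestr(POM, f"version={ver}\nartifactId=log4j-core\n")
    inner = io.BytesIO()  # constructed log4j-core 2.13.3 stand-in, nested in flows.bar
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM, "version=2.13.3\n")
    with zipfile.ZipFile(os.path.join(root, "flows.bar"), "w") as bar:
        bar.writestr("lib/log4j-core-2.13.3.jar", inner.getvalue())
    return scan_tree(root)
```

Run scan_tree() against the installation and deployment directories of the affected servers; a jar reported as vulnerable inside a BAR file means the flow itself ships its own Log4j and needs to be rebuilt with 2.17.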


IBM INTEGRATION BUS V10

Some versions are impacted. An interim fix (IT39458) is already available on Fix Central.

Affected versions:

  • V10.0.0.6 to V10.0.0.25

See https://www.ibm.com/support/pages/node/6529056 for more information.

APP CONNECT ENTERPRISE V11 + V12

Some versions are impacted. An interim fix (IT39458) is already available on Fix Central.

Affected versions:

  • V11.0.0.10 to V11.0.0.15
  • V12.0.1.0 to V12.0.3.0

See https://www.ibm.com/support/pages/node/6529056 for more information.

IBM MQ

Not impacted


IBM MQ ADVANCED

Affected versions:

  • V 9.1 CD
  • V 9.2 CD
  • V 9.2 LTS

Only the Blockchain Bridge is impacted; other components are not. An interim fix (IT39386) is already available on Fix Central.

See https://www.ibm.com/support/pages/node/6526274 for more information.

DATAPOWER

Not affected

See https://www.ibm.com/support/pages/node/6525862 for more information.


IBM API CONNECT V10

All versions are impacted. A fix (APAR LI82440) is available on Fix Central.

See https://www.ibm.com/support/pages/node/6529228 for more information.

IBM API CONNECT V2018

All versions are impacted. A fix (APAR LI82440) is available on Fix Central.

See https://www.ibm.com/support/pages/node/6529228 for more information.

Jef Jansen

IBM Integration Specialists
