I also sent a ticket into IBM and they came back with the PSIRT site.
I started looking around and am also not sure about where to look on the IBM i side for any issues. We're going to have our network guy run
A tenable scan on our IBM I's. I also have PowerTech and can scan for viruses.
We used to use Websphere but it's been turned off. We are licensed for DB2 Web Query but it's not used.
https://www.ibm.com/blogs/psirt/
I was also looking at these:
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
https://www.ibm.com/blogs/psirt/
https://www.ibm.com/support/pages/node/6525706
https://support.hcltechsw.com/csm?id=kb_article&sys_id=7d24111b1b188910a2f48661cd4bcb94&spa=1
https://support.hcltechsw.com/community?id=community_question&sys_id=a48372d2871449d85440c9d8cebb35ba
Very Respectfully,
Michael Mayer
IBM i on Power System Admin.
IT Operations.
The Florida Bar
651 E. Jefferson St
Tallahassee, Florida 32399-2300
mmayer@xxxxxxxxxxxxxx
https://www.floridabar.org
Office: 850.561.5761
Cell: 518.641.8906
-------------------------------------------------------------------------------
2. RE: Remote code execution exploit found in Log4j -
CVE-2021-44228 (Greg Wilburn)
-------------------------------------------------------------------------------
------------------------------
message: 2
date: Mon, 13 Dec 2021 15:41:13 +0000
from: Greg Wilburn <gwilburn@xxxxxxxxxxxxxxxxxxxxxxx>
subject: RE: Remote code execution exploit found in Log4j -
CVE-2021-44228
IBM Support's response is to push you to the blog
https://www.ibm.com/blogs/psirt/
Which then references the link below. Nothing in the link below tells me anything about the IBM i specifically. I added the environment variable and restarted DB2 Web Query. But beyond that, the steps are Greek to me.
The only application we have externally facing is DB2 Web Query. I asked if it was affected... support just keeps reiterating "our only communication is via the blog"
I have never seen IBM support so "evasive" about an issue.
------------------------------------
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob Berendt
Sent: Monday, December 13, 2021 9:50 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: Remote code execution exploit found in Log4j - CVE-2021-44228
Well does "Admin applications" include "WebSphere Application Server Admin Console"?
If so then:
<snip>
There is a vulnerability in the Apache Log4j open source library used by WebSphere Application Server. This affects the WebSphere Application Server Admin Console and the UDDI Registry Application. This vulnerability has been addressed.
</snip>
https://www.ibm.com/support/pages/node/6525706
Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Greg Wilburn
Sent: Monday, December 13, 2021 9:20 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: Remote code execution exploit found in Log4j - CVE-2021-44228
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
What I mean was IBM-supplied applications, such as:
Admin applications
Web Query (WQLIB85)
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Kevin Bucknum
Sent: Monday, December 13, 2021 9:17 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: Remote code execution exploit found in Log4j - CVE-2021-44228
By Apache instances you mean the Apache web server? This isn't a bug in the Apache web server. It's a bug in a java logging library that is commonly used. If your web server fronts a java application, then it may possibly be affected. If you have Apache serving static pages or CGI via RPGLE or some other non java language, then you should be ok. One thing to watch for. We feed all of our logs to a common log server that was affected.
On Mon, 2021-12-13 at 13:48 +0000, Greg Wilburn wrote:
So how do we know whether our system is affected by this?
Does this apply to all Apache instances?
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx>> On Behalf Of Rob Berendt
Sent: Monday, December 13, 2021 7:27 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>>
Subject: RE: Remote code execution exploit found in Log4j - CVE-2021-44228
Anyone see any issues with following the recommendation by Jesse Gorzinski at
https://twitter.com/IBMJesseG/status/1470236777579532292
<snip>
ADDENVVAR ENVVAR(JAVA_TOOL_OPTIONS) VALUE('-Dlog4j2.formatMsgNoLookups=true') REPLACE(*YES) LEVEL(*SYS) Might be a good idea until the impact assessment is complete </snip>
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx>> On Behalf Of Rob Berendt
Sent: Monday, December 13, 2021 6:02 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>>
Subject: RE: Remote code execution exploit found in Log4j - CVE-2021-44228
Midnight hour update about WAS on IBM i
https://www.ibm.com/support/pages/node/6525706
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx<mailto:midrange-l-bounces@xxxxxxxxxxxxxxxxxx>> On Behalf Of Charles Wilt
Sent: Friday, December 10, 2021 2:19 PM
To: Java Programming on and around the iSeries / AS400 <java400-l@xxxxxxxxxxxxxxxxxx<mailto:java400-l@xxxxxxxxxxxxxxxxxx>>; Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx<mailto:midrange-l@xxxxxxxxxxxxxxxxxx>>
Subject: Remote code execution exploit found in Log4j - CVE-2021-44228
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
(cross posted to Java400 and Midrnage-L)
Anybody seen any information about the Java apps used by the OS?
Charles
https://www.lunasec.io/docs/blog/log4j-zero-day/
*Updated @ December 10th, 10am PST*
A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.
Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short
(CVE-2021-44228 just isn't as memorable).
The 0-day was tweeted
<
https://twitter.com/P0rZ9/status/1468949890571337731> along with a POC posted on GitHub <
https://github.com/tangxiaofeng7/apache-log4j-poc>. Since this vulnerability is still very new, there isn't a CVE to track it yet. This has been published as CVE-2021-44228 <
https://www.randori.com/blog/cve-2021-44228/> now.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx>
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx>
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxxxxxxxx>
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx>
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx<mailto:support@xxxxxxxxxxxxxxxxxxxx> for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
[
https://www.medtronsoftware.com/img/MedtronMinilogo.bmp]
Kevin Bucknum
Senior Programmer Analyst
MEDDATA / MEDTRON
120 Innwood Drive
Covington LA 70433
Local: 985-893-2550<tel:985-893-2550>
Toll Free: 877-893-2550<tel:877-893-2550>
https://www.medtronsoftware.com
CONFIDENTIALITY NOTICE
This document and any accompanying this email transmission contain confidential information, belonging to the sender that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, or the employee of agent responsible to deliver it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or action taken in reliance on the contents of these documents is STRICTLY PROHIBITED. If you have received this email in error, please notify the sender immediately to arrange for return or destruction of these documents.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
------------------------------
message: 3
date: Mon, 13 Dec 2021 15:41:45 +0000
from: Rob Berendt <rob@xxxxxxxxx>
subject: How to tell if the last IPL was in normal or manual mode?
How can you tell if the last IPL was done in manual or normal mode?
Changing the panel changes the value of DSPIPLA on the fly. (just tested and confirmed this)
So far the closest I've found is
CPF0905 - Attended IPL in progress.
vs
CPF0903 - Unattended IPL in progress.
With CPF0903 you'll see:
CPI35AB - Apply PTF started.
With CPF0905 you will not see CPI35AB and you'll end up with WRKPTFGRP showing stuff like:
Status
Apply at next IPL
Any other way to check? Someone could purge DSPLOG.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
------------------------------
Subject: Digest Footer
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) digest list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link:
https://amazon.midrange.com
------------------------------
End of MIDRANGE-L Digest, Vol 20, Issue 1673
********************************************
________________________________
Please note: Florida has very broad public records laws. Many written communications to or from The Florida Bar regarding Bar business may be considered public records, which must be made available to anyone upon request. Your e-mail communications may therefore be subject to public disclosure.
As an Amazon Associate we earn from qualifying purchases.