Free Advice log4j Vulnerability on IBM i, take it or leave it, *no
guarantee.*

*Step 1*

Run Jesse's Gorzinki's script
https://github.com/ThePrez/IBMiOSS-utils/blob/master/avoid_log4shell.sh
Restart all system Java stuff.

*Step 2*

You're looking for jars of log4j version 2.x that contain the Java class
JndiLookup.class
If they are log4j 1.x you have a different problem, it's time to upgrade.
Here is an interactive bash shell session looking for stuff.

$ cd / $ for i in `find . | grep log4j | grep .jar`; do echo $i; jar tf $i
| grep -i jndi; done # Looks for any log4j jar and prints name then looks
to see if it contains a class with the string "jndi" in any mixture of case
$ for i in `find . | grep '\.ear^`; do echo $i ; jar tf $i | grep -i log4j;
done
# Looks for any .ear file that contains a log4j jar ... if you see "log4j"
appear, unpack that .ear using jar -xf filename.ear in a temp dir and
examine the log4j* jar
$ for i in `find . | grep '\.war^`; do echo $i ; jar tf $i | grep -i log4j;
done
# Looks for any .war file that contains a log4j jar ... if you see "log4j"
appear, unpack that .war using jar -xf filename.war in a temp dir and
examine the log4j* jar


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.