So I installed the PTF group and scanned for log4j again. It appears that all references in DB2 WebQuery have been updated to 2.16.
HOWEVER, I see from https://logging.apache.org/log4j/2.x/security.html
This:
Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

Severity: High
CVSS: 7.5

Thoughts on exposing Web Query given this latest update?

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob Berendt
Sent: Tuesday, December 21, 2021 12:23 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for i


1. IBM i 7.4 Preventative Service Planning

- TITLE: Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for i
- URL: https://www.ibm.com/support/pages/node/6529238?myns=ibmivers&mync=E&cm_sp=ibmivers-_-NULL-_-E
- ABSTRACT: There are multiple vulnerabilities in Apache Log4j (CVE-2021-44228 and CVE-2021-45046) as described in the vulnerability details section. Apache Log4j is used by Db2 Web Query for i for generating logs and diagnostic traces in some of its components. IBM has addressed the vulnerability in Db2 Web Query for i.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com


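An added check, not from this thread or from IBM, that tests the two conditions the quoted advisory names for the recursive-lookup DoS: a log4j-core version in the affected range, and a PatternLayout whose pattern embeds a Context Lookup. The log4j2.xml sample and version strings are constructed, and the excluded fixed release set follows only the quoted text:

```python
# Added check for the CVE-2021-45105 conditions quoted above: an affected
# log4j-core version AND a PatternLayout that embeds a ${ctx:...} lookup.
import re
import xml.etree.ElementTree as ET

# Fixed release named in the quoted advisory text; extend if more are confirmed.
FIXED_IN_RANGE = {(2, 12, 3)}
CTX_LOOKUP = re.compile(r"\$\{ctx:", re.IGNORECASE)

def parse_version(v):
    """'2.16.0' -> (2, 16, 0); '2.0-alpha1' -> (2, 0, 0) (pre-release tag dropped)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?$", v)
    if not m:
        raise ValueError(f"unrecognised log4j version {v!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def version_affected(v):
    """True for 2.0-alpha1 through 2.16.0, excluding the fixed releases above."""
    ver = parse_version(v)
    if ver[0] != 2 or ver in FIXED_IN_RANGE:
        return False
    return ver <= (2, 16, 0)

def pattern_layouts_with_ctx_lookup(config_xml):
    """Return the pattern of every PatternLayout that contains a ${ctx:...} lookup."""
    hits = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        pattern = layout.get("pattern") or ""
        nested = layout.find("Pattern")          # pattern may be a child element instead
        if nested is not None and nested.text:
            pattern = nested.text
        if CTX_LOOKUP.search(pattern):
            hits.append(pattern.strip())
    return hits

def at_risk(version, config_xml):
    """Both advisory conditions must hold for the recursive-lookup DoS to apply."""
    return version_affected(version) and bool(pattern_layouts_with_ctx_lookup(config_xml))

# Constructed sample log4j2.xml, not taken from Web Query or any real system.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [$${ctx:loginId}] %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""
```

A 2.16.0 install whose layouts never use a Context Lookup fails the second condition, which is the point to verify before deciding whether the 2.16 PTF level alone is acceptable for an exposed Web Query instance.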