Looks like IBM has issued PTFs to disable the heritage Navigator.
V7R3 - SF78120
IBM Navigator for i - heritage version uses log4j v1.x and cannot be updated to log4j v2.x or be removed from use. The issue can be fixed by discontinuing the use of the heritage version of IBM Navigator for i. The fix will disable the ADMIN2 server (where the heritage Navigator runs) from starting and running without user interaction. Additionally, the userdata runtime cache files (where the reference to log4j can be found) are deleted by this fix. The issue can be fixed by applying PTFs to IBM i. Releases 7.4, 7.3, and 7.2 of IBM i will be fixed.
It is strongly recommended that heritage Navigator not be used, however if there are key features required, heritage Navigator can be enabled and started temporarily at your own risk. To do so, refer to these instructions:
https://www.ibm.com/support/pages/heritage-navigator-enable-and-disable-instructions
Note: If heritage Navigator is started, the userdata cache files are re-created and will have to be manually removed. Details are in the above link.
Statement of direction - IBM intends to update this bulletin in the future when a new HTTP Server group PTF level removes IBM Navigator for i heritage version by deleting all associated files from the system for IBM i 7.3 & 7.4 releases.
The IBM i PTF numbers containing the fixes follow. Future Group PTFs for HTTP Server will also contain the fixes for this CVE.
IBM i Release HTTP Server group PTF
IBM i 7.4 SF99662 level 19
IBM i 7.3 SF99722 level 38
IBM i 7.2 SF99713 level 49
Paul
From: IBM My Notifications <mynotify@xxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, March 2, 2022 9:21 AM
To: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) (2022.03.02)
________________________________
CAUTION: This email originated from outside of the PENCOR network. Do not click on any links or open attachments unless the sender is known, and the content is verified as safe.
________________________________
IBM My Notifications
See what's new at IBM Support <
https://www.ibm.com/mysupport/s/community-releases?language=en_US>
IBM i
Security bulletin: Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) <
https://www.ibm.com/support/pages/node/6539162?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E>
Multiple sub-components of IBM i ship log4j version v1.x files making them vulnerable to the issue described in the vulnerability details section. IBM Navigator for i - heritage version uses log4j v1.x and cannot be updated to log4j v2.x. Integrated Web Server (IWS) V2.6 contains unused references to log4j v1.x packages. IBM i 7.2 - Integrated Application Server (IAS) V7.1 & V8.1 and Integrated Web Server (IWS) V1.3 & V1.5 use log4j v1.x and cannot be updated to log4j v2.x. IBM i Access Client Solutions (ACS) version 1.1.8.6 and earlier included an unused log4j v1.x jar file. IBM i has addressed the applicable CVE as described in the Remediation/Fixes section.
Subscribe or Unsubscribe<
https://www.ibm.com/support/mynotifications> | Feedback<
https://render-prd-trops.events.ibm.com/support/pages/feedback/techFeedbackCardContentMyNotifications.html>
Get help with technical questions on the IBM Support Forum<
https://www.ibm.com/mysupport/s/forumshome>
To ensure proper delivery please add mynotify@xxxxxxxxxxxxxxxxxxxx<mailto:mynotify@xxxxxxxxxxxxxxxxxxxx> to your address book.
You received this email because you are subscribed to IBM My Notifications as:
psteinmetz
Please do not reply to this message as it is generated by an automated service machine.
©International Business Machines Corporation 2022. All rights reserved.
midrange.com
