And the New Navigator is flakey, buggy, and missing required functionality.
This will force us to use the old Heritage Navigator.
Now What??

Paul

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Mayer, Michael via MIDRANGE-L
Sent: Wednesday, March 2, 2022 3:01 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Cc: Mayer, Michael <MMayer@xxxxxxxxxxxxxx>
Subject: Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) (2022.03.02)

You beat me to the punch Paul. I was about to post exactly that.

For me, I'm running a multiple partition Power 9 S924 for my client at V7R2. Haven't been able to convince them to upgrade. I know that seems lame to most of you but it's their box and their decision. They're moving material to Salesforce. Even the cost of extended maint wouldn't budge the needle.

I agreed to take this on due to 2 retirements a few years back and it's been a really good role for me even if I am a consultant with little say. My role is to keep things running. And I have. Recently updated the HMC to V9R2M952 with MH01917 and 01VL950.092.045 (950.30) firmware.

Most if not all of the LOG4J V7R2 CVE PTFs are on the partitions.

That said, I was just planning out the latest Group PTFs, downtime dates, etc. When I read the IBM Notification, it is apparent at V7R2, I'd have a lot of manual work to do if I had to use EIM SSO and/or do any DNS work via heritage Nav if I had to bring it up.

Mgmt is now evaluating a move to V7R3. Due to Domino nervousness, moving to V7R4 makes them quake in their boots.
They're still at 9.0.1 FP2. V7R3 only requires FP6 or higher. V7R4 requires Domino 10.0 or higher.

I'm hopeful they'll finally agree to upgrade. They don't know when the complete move to Salesforce will be and I ran into that when I agreed to take this role on. As long as the IBM i is here, they keep renewing me in 6 month chunks.
I'll keep my skills current by grabbing some space on PUB400.com and practice on 7.3 & 7.4.


Very Respectfully,
Michael Mayer
IBM i on Power System Admin.
Tallahassee, Florida 32399-2300
Cell: 518.641.8906


Today's Topics:

1. RE: Security Bulletin: IBM i components are affected by
CVE-2021-4104 (log4j version 1.x) (2022.03.02)
(Steinmetz, Paul via MIDRANGE-L)


message: 1
date: Wed, 2 Mar 2022 19:18:44 +0000
from: "Steinmetz, Paul via MIDRANGE-L" <midrange-l@xxxxxxxxxxxxxxxxxx>
subject: RE: Security Bulletin: IBM i components are affected by
CVE-2021-4104 (log4j version 1.x) (2022.03.02)

Looks like IBM has issued PTFs to disable the heritage Navigator.

V7R3 - SF78120


IBM Navigator for i - heritage version uses log4j v1.x and cannot be updated to log4j v2.x or be removed from use. The issue can be fixed by discontinuing the use of the heritage version of IBM Navigator for i. The fix will disable the ADMIN2 server (where the heritage Navigator runs) from starting and running without user interaction. Additionally, the userdata runtime cache files (where the reference to log4j can be found) are deleted by this fix. The issue can be fixed by applying PTFs to IBM i. Releases 7.4, 7.3, and 7.2 of IBM i will be fixed.

It is strongly recommended that heritage Navigator not be used, however if there are key features required, heritage Navigator can be enabled and started temporarily at your own risk. To do so, refer to these instructions: https://www.ibm.com/support/pages/heritage-navigator-enable-and-disable-instructions

Note: If heritage Navigator is started, the userdata cache files are re-created and will have to be manually removed. Details are in the above link.

Statement of direction - IBM intends to update this bulletin in the future when a new HTTP Server group PTF level removes IBM Navigator for i heritage version by deleting all associated files from the system for IBM i 7.3 & 7.4 releases.

The IBM i PTF numbers containing the fixes follow. Future Group PTFs for HTTP Server will also contain the fixes for this CVE.

IBM i Release    HTTP Server group PTF
IBM i 7.4        SF99662 level 19
IBM i 7.3        SF99722 level 38
IBM i 7.2        SF99713 level 49

Paul

From: IBM My Notifications <mynotify@xxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, March 2, 2022 9:21 AM
To: Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
Subject: Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) (2022.03.02)

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
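
One way to check a partition against the HTTP Server group PTF levels quoted in the bulletin above, as an added example that is not part of the original thread or of IBM's bulletin. It assumes the Db2 for i services QSYS2.GROUP_PTF_INFO and QSYS2.PTF_INFO are available on the partition; the group names, levels and the SF78120 PTF number are the ones quoted in the thread.

```sql
-- Added example (not from the thread): compare the installed HTTP Server
-- group PTF level with the minimum level the bulletin lists per release.
WITH required (os_release, group_name, min_level) AS (
    VALUES ('7.4', 'SF99662', 19),
           ('7.3', 'SF99722', 38),
           ('7.2', 'SF99713', 49)
),
installed AS (
    -- A group can appear at several levels; keep the highest installed one.
    SELECT PTF_GROUP_NAME,
           MAX(PTF_GROUP_LEVEL) AS installed_level
      FROM QSYS2.GROUP_PTF_INFO
     WHERE PTF_GROUP_STATUS = 'INSTALLED'
     GROUP BY PTF_GROUP_NAME
)
SELECT r.os_release,
       r.group_name,
       r.min_level,
       i.installed_level,
       CASE
           -- Only the group for the running release exists on a partition,
           -- so the other two rows are expected to show no installed level.
           WHEN i.installed_level IS NULL       THEN 'GROUP NOT INSTALLED HERE'
           WHEN i.installed_level >= r.min_level THEN 'AT OR ABOVE BULLETIN LEVEL'
           ELSE 'BELOW BULLETIN LEVEL'
       END AS verdict
  FROM required r
  LEFT JOIN installed i
    ON i.PTF_GROUP_NAME = r.group_name
 ORDER BY r.os_release DESC;

-- The thread names SF78120 as the V7R3 PTF that disables heritage Navigator.
-- An empty result means the PTF is not loaded on this partition.
SELECT PTF_PRODUCT_ID,
       PTF_IDENTIFIER,
       PTF_LOADED_STATUS,
       PTF_IPL_ACTION
  FROM QSYS2.PTF_INFO
 WHERE PTF_IDENTIFIER = 'SF78120';
```

A group level at or above the bulletin level says the fix has been delivered; if heritage Navigator was later re-enabled, the bulletin's note about manually removing the re-created userdata cache files still applies.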
