Log4j Hits Heritage Version of Navigator for i – No Patch Coming
January 12, 2022 Alex Woodie
IBM i shops running the old version of the Navigator for i client should be aware that the software is vulnerable to the Log4j security vulnerability, and there will be no patch to fix it, IBM says in a new security bulletin. There will, however, be fixes coming to other vulnerable components, including IWS, IAS, and IBM i Access Client Solutions (ACS), IBM says.
Just before we hit the holiday break, the extremely severe Apache Log4j security vulnerability was disclosed to the world, resulting in a frantic effort to patch servers, desktops, refrigerators – just about anything with a chip that connects to the Internet. Since then, the chaos has widened, and many systems remain unpatched, including, presumably, many IBM i servers.
It’s hard to conceive of a more damaging flaw than the one afflicting Log4j, a little-known Java-based logging utility maintained by a small cadre of open-source developers at the Apache Software Foundation that has found its way into millions of systems. By sending a maliciously crafted query to the Log4j queue, cybercriminals can take complete control of affected system, including the ability to run arbitrary code. Also called “LogJam” and “Log4Shell,” the flaw (cataloged as CVE-2021-44228) scored a perfect 10 out of 10 on the CVSS v3 security flaw severity scale.
All Java-based software should be considered suspect to the flaw until it can be proved that vulnerable versions of Log4j are not present. That includes Java software running on IBM i, IBM system tools, Java applications developed in-house, as well as third-party Java apps.
IBM recently published a security bulletin that lists the IBM i components that are susceptible to the Log4j flaw. The biggest news here revolves around the legacy version of IBM Navigator for i, which IBM is calling the “heritage version” to separate it from the new release of IBM Navigator for i (i.e., “new Nav”) that IBM just unveiled in September with the fall Technology Refreshes for IBM i 7.3 and 7.4.
“IBM Navigator for i – heritage version uses log4j v1.x and cannot be updated to log4j v2.x,” IBM wrote in the security bulletin. “The CVE can be mitigated by not using the heritage version of IBM Navigator for i. . . . Customers can mitigate the CVE by discontinuing the use of the heritage version of IBM Navigator for i.”
In other words, IBM i shops on supported versions of IBM i (7.2 through 7.4) should stop using the old version of IBM Navigator immediately and upgrade to the new version. (IBM didn’t say it, but customers running IBM i 7.1 and older unsupported releases are also impacted by the flaw in the heritage version of Navigator for i and should stop using it, too.)
The damage doesn’t end with the old Nav, unfortunately. The IBM security bulletin identified four additional products – Integrated Web Services Server (IWS) version 2.6; Integrated Application Server (IAS) versions 7.1 and 8.1; Integrated Web Services Server (IWS) versions 1.3 and 1.5; and IBM i ACS version 184.108.40.206 and earlier – as containing unused log4j v1.x jar files, which make them susceptible to the security vulnerability.
The good news is there are patches available for some of these impacted products, such as IWS 2.6 running on IBM i 7.2, 7.3, and 7.4, which has an emergency PTF available for it (but only for 7.3 and 7.4). Also, the Log4j vulnerability in ACS version 220.127.116.11 can be mitigated by upgrading to ACS version 18.104.22.168 or later, IBM says.
However, the situation is more complex with IAS 7.1 and 8.1 and IWS 1.3 and 1.5 running on IBM i 7.2. IBM says these releases cannot be upgraded. Instead, it recommends that customers “mitigate the log4j issues by migrating to the liberty-based support already available for ten years.”
IBM’s ultimate plan is to removes the underlying releases of IAS 7.1 and 8.1, IWS 1.3 and 1.5, and to update the IWS 2.6 implementation. Its target date for that is March. You’re encouraged to read the entire security bulletin at www.ibm.com/support/pages/node/6539162.
If this all seems like a mess, that’s because it is. Because of the way that Java classes and libraries are bundled, determining if the offending Log4j file is present can be a difficult task. Because of this difficulty, Scott Forstie, the Db2 for i business architect, whipped up a handy Log4j-detection service to help identify those hard-to-find Log4j files in the IFS.
The search for Log4j impacts is ongoing. Soon after learning about the flaw on December 11, IBM began a code review to ascertain which of its many products are impacted. The company already issued a patch for WebSphere Application Server version 8.5 and 9.0 running on all of its platforms, including IBM i. Other products, such as the Tomcat Web server, were also considered vulnerable.
IBM has divided its considerable software catalog into two categories: those that are susceptible to the Log4j vulnerability, and those that are not. You can peruse the two lists on its PSIRT Blog, which it has updated dozens of times since the Log4j vulnerability was first disclosed and which was last updated January 10.
IBM published a list of 431 on-premise software products and 81 cloud service that are not impacted by the flaw. This list included dozens of IBM i products, including popular ones like Rational Developer for i (RDi), IBM i Rational Development Studio, IBM i Job Scheduler, the IBM i Cryptographic Device Manager, PCOMM, OmniFind Text Search Server for DB2 for i, PowerHA, PowerSC, VIOS, and the HTTP Server (the one that’s powered by Apache).
It also published a list of 149 on-premises software products and 62 cloud services that are impacted by Log4j and have since been remediated. This list includes the aforementioned WAS product family, as well as popular on-prem products such as Db2, Db2 Web Query for i, IBM Spectrum Protect, SPSS products, IBM QRadar Risk Manager, IBM Cloud Pak, Cloud Pak for data, and the DS8000 hardware management console. Cloud services impacted by Log4j include various Watson services, Cloudant, Container Registry, and Db2 and Db2 Warehouse running on the cloud.
(Interestingly, neither IWS nor IAS appear in IBM’s list of affected and remediated products. ACS also appears in the list of products that are not susceptible to the flaw, even though IBM disclosed the vulnerability in ACS in a security bulletin. This is a fluid situation, and the on-the-ground reality is changing quickly.)
The Log4j vulnerabilities in Db2 do not appear to impact IBM i shops in a significant manner; most of the impacted products run on Linux, according to a quick scan of the source security bulletins of the remediated products. According to the IBM security bulletin, the Log4j vulnerabilities in Db2 are limited to a handful of database services, including the DVM JDBC wrapper driver, the NoSQL wrapper driver for Hadoop, and the blockchain wrapper driver, which only impacts Hyperledger Fabric running on x86-64 Linux-based systems.
IBM i shops running Db2 Web Query for i will want to update their systems as soon as possible. IBM issued patches for this products (an OEM’ed version of the WebFocus product originally developed by Information Builders, which was officially acquired last year by TIBCO) for IBM i 7.1 through 7.4. For more information, see the IBM security bulletin for this product.