No Plan To Support New Nav on Older IBM i Releases, IBM Says
January 19, 2022 Alex Woodie
IBM has no plans to support the new version of Navigator for i (i.e., “New Nav”) with older releases of the operating system, despite the existence of the severe Log4j security flaw in the heritage version of Navigator (“Old Nav”). The early, unexpected death of Old Nav also will hasten the adoption of New Nav for customers on current releases, and New Nav will become the default version with an update in March, IBM says.
Earlier this month, IBM announced that no security patches would be forthcoming for Old Nav, which uses the Log4j code at the heart of a severe zero-day security exploit that allows cybercriminals to take full control of impacted products. IBM recommended that users stop using Old Nav and immediately start using New Nav, which it unveiled in September with the latest Technology Refresh (TR) for IBM i 7.3 and 7.4.
The catch is that New Nav is only available for IBM i 7.3 and 7.4. When IBM launched New Nav, it was not made available for older releases of IBM i, including version 7.1 and 7.2, which are on extended support. The emergence of the Log4j flaw in December does not change that decision, IBM i Product Manager Alison Butterill says.
“IBM i 7.2 and 7.1, which are both out in the market today, are on extended support already,” Butterill says. “And following our standard extended support policy, we don’t roll new function back.”
Butterill says that IBM’s hands are tied. Even if IBM wanted to patch Old Nav, it couldn’t because the open source code that it was originally built with is no longer available, Butterill says.
“Part of the reason we brought out a brand new version . . . is because the old one is in fact really old!” she tells IT Jungle. “There’s parts of that that includes that open source code that we frankly can’t update anymore. We don’t have that code. It came in from open source. And so when we made the decision to bring out New Navigator, we knew we weren’t going be able to pick up the old one.”
Users on IBM i 7.1 and 7.2 aren’t losing any functionality by abandoning Old Nav, because for most of the functions, users can get by with using the green screen equivalents, Butterill says. “Really it was a consolidator, a launcher if you will of other functions,” she says of Old Nav. “There’s a few things that that’s not true, but you could execute a lot of those functions directly from a green screen command line.”
While a severe security flaw exists in Old Nav, people can still use it if they’re aware of the risks, Butterill says. “It is there. You can continue to use it, understanding the exposure that you have,” she says. “But many customers have made the decision they’re going turn it off basically, and they’re going to run everything from a green screen command line, which you can certainly do.”
Even if a user managed to get New Nav running IBM i 7.1 or 7.2, it wouldn’t work as advertised, because there are other components of the IBM i platform missing in those older releases, Butterill says. “While technically the New Navigator will run there [7.2], it’s not connected to those older versions of the other products, so it doesn’t launch anything,” she says.
IBM i 7.1 and 7.2 are under long term support, which brings “usage and known defect support.” While IBM will occasionally patch security flaws in IBM i 7.1 and 7.2 — such as it did for an OpenSSL flaw in September — users of these older OSes will not get a fix for the Log4j problem in Old Nav because the “fix” would be to replace Old Nav with New Nav, and that is considered new functionality.
“Starting on April the 30th, with rare exception . . . there are no additional defects that we will be fixing,” Butterill says. “So when I say a rare exception, if we identify the defect in 7.3, for example, and it’s able to be rolled back into 7.2, depending on the impact level of that, we may or may not. But it is not our intention to do that. That’s why it’s on extended support.”
While Old Nav is still the default version that launches with the latest release of Access Client Solutions for i (ACS) version 22.214.171.124, which shipped in December, New Nav will become the default following PTFs that are scheduled to ship in March, Butterill says.
However, as a new product, New Nav doesn’t currently support all of the functionality in Old Nav. IBM i users have stated that features like the Advanced Job Scheduler, PowerHA, BRMS, and AFP form functions that were available in Old Nav are not yet available in New Nav. IBM is aware of the differences and is working on it, Butterill says.
“There are still some features that are not in the New Navigator product yet,” she says “It’s obviously going take some trying to roll all those features into the New Navigator. And in some cases, it may not be a direct one to one replace. In some cases, they may opt to use different vehicles for delivering a similar function. We’re not necessarily going to do a one for one replace on every feature, but you will see all of the capabilities move forward.”
The IBM i management team in Rochester is considering what it can do to encourage a more rapid adoption of New Nav. Butterill says the group is looking at ways it can increase market awareness of New Nav through promotional activities and outreach. It’s not clear yet whether IBM will prioritize the closing the functionality gap with Old Nav as part of that effort to accelerate New Nav adoption, she says.
“Log4j has kind of forced our hand in doing some things. We’re still trying to sort through this,” she says. “At the moment, we have a lot of things we’re working on for our regular delivery schedule. . . . What we’re going to roll in there and re-prioritize — that all being considered right now as we look through the portfolio and figure out what needs to happen.”
The best mitigation for the Log4j vulnerability in Old Nav is to upgrade to New Nav with IBM i 7.3 and 7.4. For customers running older releases of IBM i, an upgrade to a current version of the operating system is the best defense, Butterill says.
“If we continue to put new function into old releases on a regular basis, then why would anybody ever upgrade?” Butterill says. “And the problem with that is, we run into problems like Log4j for example, that weren’t known when we brought out 7.2 in 2014, and now all of a sudden it’s there. It behooves our clients to continue to upgrade and stay current for exactly these reasons, because we address these in the most current releases.”