  • Log4j Security Hole Found In OmniFind Text Search Server

    March 14, 2022 Timothy Prickett Morgan

    Who would have thought that a logging utility written in Java and available for more than two decades could cause so much trouble? But that is the nature of Log4j, which has been installed in all kinds of systems software and which had the Log4Shell vulnerability that was discovered by Chinese computing giant Alibaba on November 24 last year and revealed to the world on December 9 as a zero-day vulnerability.

    There are several areas of the IBM i software stack that use the Log4j logging utility, which is one of the many Apache open source software projects in the world. We have been monitoring these in stories in The Four Hundred, as well as in the IBM i PTF Guide that is put together by Doug Bidwell every week. Bidwell tipped us off that there is an update to the Security Bulletin, CVE-2021-4104, which you can see here for IBM i 7.4, that covers the OmniFind Text Search Server for the Db2 for i relational database.

    The OmniFind Text Search Server first came out with i5/OS V6R1 back in 2008, and we first reported on it here. As the name suggests, OmniFind is a search engine that can chew through and index text data stored in just about any format, and it was IBM’s way of providing a search engine that could span the Internet as well as various kinds of datasets and datastores, including Db2 relational databases running on i5/OS and IBM i platforms and System z mainframes running z/OS. The OmniFind search for Db2 can scan documents stored within the relational database, and just about anything you can think of, including Excel spreadsheets, XML, HTML, and PDF files, and PowerPoint presentations, is searchable as well. It is unclear how pervasive the OmniFind tool is, but presumably it is used frequently enough for IBM to put out patches to it that disable the Log4j logging function.

    IBM is patching three releases of the OmniFind Text Search Server for Db2 for i, including V1R3M0, V1R4M0, and V1R5M0, which correspond to the IBM i releases 7.2, 7.3, and 7.4. The patches for each release are described in full here:

    OmniFind V1R5M0:

    • SI78753
    • SI78754
    • SI78755

    OmniFind V1R4M0:

    • SI78756
    • SI78757
    • SI78758

    OmniFind V1R3M0:

    • SI78751
    • SI78759
    • SI78760
    • SI78761

    OmniFind uses Log4j for generating logs and diagnostic traces in some of its components, and these patches address the issue by removing the Apache Log4j software entirely. It is not clear what logging function has replaced it, if any.
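Because the patches work by removing Log4j rather than upgrading it, a useful follow-up check is to confirm that no Log4j classes remain in the archives under a product directory. The scanner below is an added example, not code from IT Jungle or IBM; the function names are hypothetical, the sample archives are constructed, and the directory to scan is supplied by the operator because the article does not give the OmniFind install path.

```python
import io
import os
import zipfile

# Class-path fragments that mark Log4j 1.x and Log4j 2.x core classes (compat bridges also match 1.x).
MARKERS = {"org/apache/log4j/": "log4j-1.x", "org/apache/logging/log4j/core/": "log4j-2.x-core"}
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0):
    """Return {(location, family)} for Log4j classes in an archive, following nested archives."""
    hits = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith(".class"):
                    hits |= {(label, fam) for frag, fam in MARKERS.items() if frag in name}
                elif name.lower().endswith(ARCHIVES) and depth < 4:
                    hits |= scan_archive(zf.read(name), f"{label}!{name}", depth + 1)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # not a readable archive (corrupt or encrypted): nothing to report for it
    return hits

def scan_tree(root):
    """Scan every archive under root; unreadable files are reported rather than skipped."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        hits |= scan_archive(fh.read(), path)
                except OSError:
                    hits.add((path, "unreadable"))
    return sorted(hits)

def make_jar(entries):
    """Constructed sample input: build an in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    inner = make_jar({"org/apache/log4j/Logger.class": b""})  # constructed Log4j 1.x JAR
    outer = make_jar({"WEB-INF/lib/log4j.jar": inner, "app/Main.class": b""})
    for location, family in sorted(scan_archive(outer, "sample.war")):
        print(f"{family}\t{location}")
```

A hit shows only that Log4j class files are present, not which version they are, so each result is a lead for review; call `scan_tree()` on the product directory after the patches are applied and expect an empty list.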

    Just a reminder that Bidwell has created a supplemental spreadsheet as a companion to the IBM i PTF Guide that has the latest information on what you need to worry about, and what to do about it, when it comes to this vulnerability. You can download the Log4j spreadsheet at this link.

    RELATED STORIES

    IBM Accelerates New Nav Development Following Log4j Issue

    Some Good Advice About Log4j Mitigation Gotchas

    No Plan To Support New Nav on Older IBM i Releases, IBM Says

    Log4j Hits Heritage Version of Navigator for i – No Patch Coming

    Critical Log4j Vulnerability Hits Everything, Including the IBM i Server

    IBM i PTF Guide, Volume 24, Number 2

    IBM i PTF Guide, Volume 24, Number 1

    Tags: DB2 for i, HTML, IBM i, IBM i PTF Guide, Log4j, Log4Shell, OmniFind, OmniFind Text Search Server for the Db2 for i, V1R3M0, V1R4M0, V1R5M0, XML

TFH Volume: 32 Issue: 16

Copyright © 2025 IT Jungle