Understanding the impact of Apache Log4j on IBM i

You’ve probably already heard about Log4j but did you know that IBM i is also vulnerable? There are several steps that need to be taken to mitigate the Log4j vulnerability.

What is the Log4j vulnerability?

Log4j refers to Apache’s Log4j Java Library (also known as Log4Shell). It is a widely used open-source logging library for Java.

The Log4j vulnerability makes it possible for an unauthenticated attacker to access a system remotely. There are two versions of Log4j, (1) 1.x and (2) 2.x.

What IBM products are affected?

Unfortunately, we have not been able to locate a single source listing of all IBM i products that have been affected by the Log4j 1.x and Log4j 2.x vulnerabilities. After combing multiple sites, working directly with many areas of IBM technical support to understand the breadth of the impact and helping multiple clients mitigate the vulnerability we’ve compiled the list below.

Software products that are affected by Log4j 1.x version:

  • IBM i Access Client Solutions – and earlier
  • IBM Navigator for i (heritage version only) – IBM i 7.4, 7.3, and 7.2
  • Integrated Web Services Server (IWS) – IBM i 7.4, 7.3, and 7.2-V2.6
  • Integrated Application Server (IAS) – IBM i 7.2 – V7.1 and V8.1

Software products that are affected by Log4j 2.x version:

  • DB2 Web Query – V2.2.1 & V2.3.0
  • Power Hardware Management Console (HMC) – V9.2.950.0 & V10.1.1010.0
  • Websphere Application Server – V8.5 & V9.0

Common programs that appear to not be affected by the Log4j vulnerabilities:

  • DB2 Query Mgr & SQL Dev. Kit (5770-ST1)
  • Performance Tools (5770-PT1)
  • Query (5770-QU1)
  • Rational Development Studio (5770-WDS)

What’s not on the list:

It’s important to note that the available patches regarding Log 4j vulnerabilities is limited to currently supported versions of products. Version 8 of HMC and V7R1 for example are not supported (even with Temporary Transitional Support) for new issues like Log4j so there could be vulnerabilities that will not be addressed.

What will happen if vulnerabilities aren’t addressed?

Log4j attacks are occurring at an accelerated rate as bad actor have begun leveraging automated tools to find systems that have not been fixed. If your system is not patched, the Log4J vulnerability could be used to take advantage of how your IBM i security is constructed. For example, Public Authority and IFS rights could easily be compromised.

Bluntly, your data could be at risk.

How to mitigate the vulnerability

Keeping up with system PTF’s and having well laid out layers of security remains the best way to keep your data secure.

  1. Assess where you have the venerability’s what systems need to be remediated.
  2. Obtain fixes for currently supported products
  3. Apply recommended fixes and preform recommended mitigation procedures
  4. Test and verify
  5. Address how to mitigate unsupported products

Written by:

Duane Gingerich, Senior Power Systems Engineer
Gary Evans, Senior Power Systems Engineer

Like our content? Keep us in your feed


Think you're IBM i isn't affected by Log4j? Think again. Find out what's affected and why it matters from our IBM experts.