@thebeardedgeek
Last active April 14, 2022 07:06
NOTE: I am reading and trying to offer information from what I have seen so far. Everyone will have to conduct their own research and make assessments based on findings.
A way to scan the IFS on an IBM i from QSH
This runs the QSH find utility over the IFS and writes every matching path to a stream file.
NOTE: this should work on many if not all systems. So far I have tested OS 7.1-7.4 with success. *UPDATE: I tested this with V5R4 and it worked as well.
• SBMJOB = submits the scan as a batch job; JOB(LOG4JSCAN) names the job and JOBQ(QCTL) submits it to the controlling subsystem (I have been submitting it here to make sure nothing ends it, but you could submit it to another JOBQ)
• find / = search from the root of the IFS
• -path /QSYS.LIB -prune -o = do not descend into /QSYS.LIB (it holds library objects rather than stream files, so it cannot contain .jar files, and walking it is slow)
• -o = "or"; -prune always evaluates to true, so the tests after -o are only applied to paths that were not pruned
• -type f = only regular files (directories and symbolic links are skipped)
• -name "*[lL][oO][gG]4[jJ]*" = file names containing log4j in any mix of upper and lower case (the bracket classes make the match case-insensitive without depending on a non-standard -iname)
• > /log4j_results.txt = redirects the output of find to a stream file in the root of the IFS; the file is created empty when the job starts and filled as matches are found
• No explicit -print is given, so find prints every path for which the whole expression is true. A pruned directory satisfies the first branch, which is why /QSYS.LIB itself shows up in the results further down; add -print after the -name test if you do not want it listed.
NOTE: RUN THIS AS A USER WITH *ALLOBJ AUTHORITY. find cannot see into directories the job's user is not authorized to; it reports a permission error and carries on, so a scan run without *ALLOBJ can finish "successfully" with an incomplete results file.
********************
MAIN COMMAND TO RUN
********************
Omit just QSYS.LIB
SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o -type f -name "*[lL][oO][gG]4[jJ]*" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)
or Omit QSYS.LIB and QNTC
SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*[lL][oO][gG]4[jJ]*" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)
**********************
VARIATIONS TO COMMAND
**********************
Variations of the Find command excluding multiple directories (these also restrict the match to .jar, so they will not list log4j.properties or log4j*.xml configuration files)
find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*[lL][oO][gG]4[jJ]*.jar" > /log4j_results.txt
find / \( -path /QSYS.LIB -o -path /QNTC \) -prune -o -type f -name "*[lL][oO][gG]4[jJ]*.jar" > /log4j_results.txt
(The grouped form has to use -path. -name only compares the last component of the path, so -name /QSYS.LIB never matches and nothing would be pruned.)
Variations of case insensitive file name
• without the 4 (broader: it matches any name with "log" followed later by a "j", so logback-*.jar and most other .jar files with "log" in the name will show up too; expect noise)
-type f -name "*[lL][oO][gG]*[jJ]*"
• without the 4 and with the .jar extension
-type f -name "*[lL][oO][gG]*[jJ]*.jar"
• with the 4 and the .jar extension
-type f -name "*[lL][oO][gG]4[jJ]*.jar"
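The same scan done in Python rather than QSH find, as an added example that is not part of the gist. It assumes python3 from the IBM i open source packages (/QOpenSys/pkgs/bin/python3) or any other machine that can reach the IFS; the directory layout it builds for the offline run is constructed, not a real system. Because the matching happens in Python, no square brackets pass through a 5250 session, which sidesteps the copy-and-paste corruption described in the results section, and directories the user could not read are reported instead of silently skipped.

```python
"""Python equivalent of the QSH find scan (added example, not from the gist).

Assumes python3 from the IBM i open source packages
(/QOpenSys/pkgs/bin/python3); run it there, or anywhere the IFS is
reachable. Matching is done in Python, so no square brackets travel
through a 5250 session and the CCSID translation problem does not arise.
"""
import os
import re
import sys
import tempfile

# Same subtrees the gist prunes. Paths are relative to the scan root so the
# same code can be pointed at a test directory instead of the real IFS root.
DEFAULT_PRUNE = ("/QSYS.LIB", "/QNTC")

# Intent of "*[lL][oO][gG]4[jJ]*": 'log4j' anywhere in the name, any case.
NAME_PATTERN = re.compile(r"log4j", re.IGNORECASE)


def scan_ifs(root, prune=DEFAULT_PRUNE, pattern=NAME_PATTERN):
    """Walk root, skipping pruned subtrees entirely (find's -prune), and
    return (hits, unreadable): hits is a sorted list of regular files whose
    name matches pattern; unreadable lists directories the walk could not
    enter, which is the gap an *ALLOBJ-less scan silently leaves."""
    root = os.path.abspath(root)
    prune_abs = {os.path.join(root, p.lstrip("/")) for p in prune}
    hits, unreadable = [], []

    def on_error(err):  # os.walk calls this instead of raising
        unreadable.append(err.filename)

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        # Editing dirnames in place stops os.walk from descending, like -prune.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in prune_abs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            # -type f: regular files only, symbolic links excluded
            if pattern.search(name) and os.path.isfile(full) \
                    and not os.path.islink(full):
                hits.append(full)
    return sorted(hits), unreadable


def build_sample_tree(base):
    """Constructed stand-in for an IFS (empty files, not real products)."""
    layout = [
        "QSYS.LIB/APPLIB.LIB/LOG4J.FILE",               # pruned: never visited
        "QNTC/fileserver/share/log4j-core-2.14.1.jar",  # pruned: never visited
        "QIBM/ProdData/OS/WebServices/lib/log4j-1.2.14.jar",
        "QIBM/ProdData/OS/WebServices/classes/log4j.properties",
        "home/app/lib/LOG4J-core-2.17.1.jar",          # mixed case still matches
        "home/app/lib/logback-classic-1.2.3.jar",      # not log4j: must not match
    ]
    for rel in layout:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


def demo():
    """Scan the constructed tree; return hits relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits, _ = scan_ifs(tmp)
        return [os.path.relpath(h, tmp) for h in hits]


if __name__ == "__main__":
    # Real use: python3 scan.py / /log4j_results.txt
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    out = sys.argv[2] if len(sys.argv) > 2 else "/log4j_results.txt"
    found, skipped = scan_ifs(root)
    with open(out, "w") as fh:
        fh.write("\n".join(found) + "\n")
    for d in skipped:
        print("could not read:", d, file=sys.stderr)
    print(len(found), "matches written to", out)
```

Run it as `python3 scan.py / /log4j_results.txt` to produce the same kind of results file as the SBMJOB command; anything printed as "could not read" is a directory the scan did not cover and should be re-run with a profile that has authority to it.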
**************
WATCH THE JOB
**************
WRKACTJOB SBS(QCTL) INTERVAL(5)
F19 to auto refresh
********
RESULTS
********
Reading the results file after the scan, it should look something like this:
Run: WRKLNK '/log*' and select option 5 to view
NOTE: IF THE RESULTS DON'T SHOW /log4j_results.txt THEN CHECK THAT THE COMMAND WAS SUBMITTED WITHOUT ALTERING THE STRING!!
If you copy and paste, make sure nothing inserts special characters (see below). Square brackets are the usual casualty on IBM i: a job CCSID or emulator code page mismatch turns [ and ] into other characters, and the command below is what the job actually ran after one such translation:
QSH CMD('find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*YlL?YoO?YgG?4YjJ?*" > /log4j_results.txt')
This is not going to return the results you want: the pattern no longer contains any character classes, so it matches nothing, and /log4j_results.txt is created but stays empty (which is why it does not list itself). Check the command in the job log before trusting an empty results file.
************Beginning of data**************
/QSYS.LIB <--- the pruned directory itself, listed because the command has no explicit -print; harmless
/QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.ant_1.6.5/lib/ant-apache-log4j.jar
/QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.jakarta_log4j_1.2.8.v200607172048/lib/log4j-1.2.8.jar
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/classes/log4j.properties
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/lib/log4j-1.2.14.jar
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/classes/log4j.properties
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-1.2.15.jar
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-LICENSE.txt
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/log4j-1.2.14.jar
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/slf4j-log4j12-1.5.11.jar
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/log4j-1.2.14.jar
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/slf4j-log4j12-1.5.11.jar
/QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar
/QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar:Zone.Identifier:$DATA
/log4j_results.txt <--- You should see this in the results or it didn't run correctly
************End of Data********************
****************************************************
12/24/21 -- Nested .jar Searcher by Jesse Gorzinski
****************************************************
https://github.com/ThePrez/NestedJarSearcher/releases/tag/v0.1.0
**Example** (replace /home/myapp with the directory of interest)
cd /home/myapp
find . -name \*.war -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt
find . -name \*.ear -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt
find . -name \*.jar -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt
find . -name \*.zip -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt
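A nested-archive search in Python, added here as an example in the spirit of the NestedJarSearcher above; it is not Jesse Gorzinski's tool and is not code from the gist. It uses only the standard library and assumes python3 is available on the box. The point it makes that a name-based find cannot: log4j is frequently not a log4j*.jar on disk at all but sits in WEB-INF/lib inside a .war inside an .ear, so each archive is opened in memory and any archive nested in it is searched recursively. The sample EAR it builds is constructed, with placeholder bytes in place of real class files.

```python
"""Nested archive search for Log4Shell / JMSAppender indicators (added
example in the spirit of the NestedJarSearcher linked above; it is not Jesse
Gorzinski's tool and uses only the Python standard library).

A name-based find only sees log4j*.jar on disk. Log4j is just as often
buried in WEB-INF/lib inside a .war that sits inside an .ear, so the check
here opens each archive in memory and recurses into archives nested in it.
"""
import io
import os
import sys
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Class names to look for: JndiLookup.class = log4j 2.x JNDI lookup
# (CVE-2021-44228), JMSAppender.class = log4j 1.x (CVE-2021-4104).
TARGETS = ("JndiLookup.class", "JMSAppender.class")


def search_archive(data, label, targets=TARGETS, depth=0, max_depth=8):
    """Return [(chain, entry)] for every target class inside the archive
    bytes `data` or any archive nested in it. chain is the nesting path,
    e.g. 'app.ear!app.war!WEB-INF/lib/log4j-core-2.14.1.jar'. max_depth
    bounds the recursion so a crafted archive cannot nest forever."""
    found = []
    if depth > max_depth:
        return found
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip (e.g. a .zip-named text file): ignore
    with zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.basename(name) in targets:
                found.append((label, name))
            elif name.lower().endswith(ARCHIVE_EXTS):
                found.extend(search_archive(zf.read(info), label + "!" + name,
                                            targets, depth + 1, max_depth))
    return found


def search_path(path, targets=TARGETS):
    """Search one archive file on disk."""
    with open(path, "rb") as fh:
        return search_archive(fh.read(), path, targets)


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_ear():
    """Constructed sample: an EAR holding a WAR that bundles a fake
    log4j-core jar, plus a fake log4j 1.x jar at the EAR's lib level.
    The class bodies are placeholder bytes, not real log4j code."""
    fake_class = b"\xca\xfe\xba\xbe"
    log4j_core = _make_zip({
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": fake_class,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    })
    log4j_1x = _make_zip({"org/apache/log4j/net/JMSAppender.class": fake_class})
    clean = _make_zip({"com/example/App.class": fake_class})
    war = _make_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core,
        "WEB-INF/lib/app.jar": clean,
    })
    return _make_zip({"app.war": war, "lib/log4j-1.2.17.jar": log4j_1x})


def demo():
    """Write the sample EAR to a temp dir and search it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.ear")
        with open(path, "wb") as fh:
            fh.write(build_sample_ear())
        return [(chain.replace(tmp + os.sep, ""), entry)
                for chain, entry in search_path(path)]


if __name__ == "__main__":
    # Real use: python3 nested.py /home/myapp  (walks the tree like the finds above)
    for base in sys.argv[1:] or ["."]:
        for dirpath, _, files in os.walk(base):
            for f in files:
                if f.lower().endswith(ARCHIVE_EXTS):
                    for chain, entry in search_path(os.path.join(dirpath, f)):
                        print("***", chain, "->", entry)
```

The "!" separator in the chain mirrors the jar: URL convention, so a hit reads as the exact path you would have to unpack to reach the class. Finding JndiLookup.class tells you log4j-core 2.x is present, not which version; open the jar's META-INF/MANIFEST.MF or pom.properties for the version before deciding whether it is already a fixed release.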
***********************
Helpful Links and Info
***********************
General Information
https://github.com/snyk-labs/awesome-log4shell?cta=html-button-click&loc=page-body&page=log4j-vulnerability-resources
Apache Log4j Security Vulnerabilities
https://logging.apache.org/log4j/2.x/security.html
Log4j 1: How to mitigate the vulnerability in log4j without updating version to 2.15.0
https://stackoverflow.com/questions/70332054/log4j-1-how-to-mitigate-the-vulnerability-in-log4j-without-updating-version-to
These are the possible mitigations for this flaw for releases version 1.x:
• Comment out or remove JMSAppender in the Log4j configuration if it is used
• Remove the JMSAppender class from the classpath. For example: zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
• Restrict access for the OS user on the platform running the application so an attacker cannot modify the Log4j configuration.
https://www.itjungle.com/2021/12/15/critical-log4j-vulnerability-hits-everything-including-the-ibm-i-server/
Jesse Gorzinski, IBM’s business architect for open source for IBM i and its point man for Java, told IBM i shops to focus on their own Java-based applications and their dependencies– “especially anything that external entities can feed data to.”
IBM is a big Java shop, and uses the programming language throughout its products. IBM WebSphere and the Tomcat Web server are both Java-based, and are vulnerable to LogJam attacks.
Log4Shell Part 1: Answering FAQs on the Log4Shell Security Vulnerability
https://techchannel.com/Trends/12/2021/log4shell-part-1
Scott Forstie’s SQL Query to find Log4j instances in IFS
https://gist.github.com/forstie/9662d4c302f5224c66b7a4c409141a2c
IBM put out this article to help remediate things and they provide a list of applications not impacted.
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products
Vulnerability in Apache Log4j affects WebSphere Application Server
https://www.ibm.com/support/pages/node/6525706
Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
https://www.ibm.com/support/pages/node/6526172
As Apache releases new patch, researchers discover new Log4j attack vector
https://siliconangle.com/2021/12/19/apache-releases-new-patch-researchers-discover-new-log4j-attack-vector/
12/21/21 -- Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for i
https://www.ibm.com/support/pages/node/6529238
12/24/21
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
https://www.opencve.io/cve/CVE-2021-4104
**Example of how to search for jms in log4j results** (replace /QOpenSys/opt with the directory of interest)
find /QOpenSys/opt -type f -name "*[lL][oO][gG]4[jJ]*" |xargs grep -i "[jJ][mM][sS]"
For a .jar this prints "Binary file ... matches": entry names in a jar's directory are stored uncompressed, so the path org/apache/log4j/net/JMSAppender.class is visible to grep. For a .properties or .xml it prints the matching line. With -i the bracket classes are redundant, and it is a plain substring match on "jms", so confirm each hit (for example with jar tf file.jar | grep JMSAppender) before calling it a finding.
JMS.Appender Example:
https://stackoverflow.com/questions/11828232/log4j-jms-appender-example
12/27/21 -- Security Bulletin: BIND for IBM i is affected by CVE-2021-25219
https://www.ibm.com/support/pages/node/6536716?myns=ibmi&mynp=OCSWG60&mync=R&cm_sp=ibmi-_-OCSWG60-_-R
12/30/21
Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876)
https://www.ibm.com/support/pages/security-bulletin-ibm-navigator-i-affected-security-vulnerability-cve-2021-38876
CISA released a log4j scanner
https://github.com/cisagov/log4j-scanner
************************************************************************
1/3/22 -- A compiled list of the vulnerabilities I could find for IBM i
************************************************************************
IBM HTTP Server (powered by Apache) for i
Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i
https://www.ibm.com/support/pages/node/6520016?myns=ibmi&mynp=OCSWG60&mync=F&cm_sp=ibmi-_-OCSWG60-_-F
IBM Navigator for i (Heritage version)
Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-affected-by-security-vulnerability-cve-2021-38876/
Fix: https://www.ibm.com/support/pages/node/6537250
IBM i DNS Server implementation uses ISC BIND
Security Bulletin: BIND for IBM i is affected by CVE-2021-25219
https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affected-by-cve-2021-25219/
Fix: https://www.ibm.com/support/pages/node/6536716
IBM DB2 Web Query
Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-ibm-db2-web-query-for-i-cve-2021-45105/
Fix: https://www.ibm.com/support/pages/node/6537454
-- Original Bulletin:
Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for i
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-ibm-db2-web-query-for-i/
IBM WebSphere
Security Bulletin: IBM WebSphere Service Registry and Repository is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-service-registry-and-repository-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
Fix: https://www.ibm.com/support/pages/node/6525706
Power HMC
Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-44228-affects-power-hmc-2/
Fix: https://www.ibm.com/support/pages/node/6526172
Rational Developer (RDi)
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i
https://www.ibm.com/support/pages/node/6525674
Fix: https://www.ibm.com/support/pages/node/6512830
1/3/22
Take the results from the QSH Log4j scan text file and scan for JMS (run from QSH)
xargs grep -i "[jJ][mM][sS]" < /log4j_results.txt > /log4j_jms_results.txt
***Explanation of above command
xargs = builds a grep command line from the file names it reads on stdin
grep -i = print lines matching a pattern, ignoring case in both the pattern and the input
"[jJ][mM][sS]" = the string to scan for (with -i, plain "jms" would do the same)
< /log4j_results.txt = read the list of files from the scan results in the root directory
> /log4j_jms_results.txt = write the matches to a second stream file; jars show up as "Binary file ... matches", text files as path:line
Treat the output as a shortlist, not a verdict: "jms" matches anywhere in a file, including comments in a .properties file. Also note that xargs splits on whitespace, so a path containing a space will be broken up; none of the IBM-supplied paths above contain one, but user directories might.
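A stricter version of the JMS triage, added here as an example and not part of the gist or of IBM's guidance. It reads a results file of the same shape as /log4j_results.txt, counts a jar only if it actually carries org/apache/log4j/net/JMSAppender.class and a config only if an appender is declared with that class, then applies the mitigation quoted earlier (remove the class from the jar, what `zip -q -d` does) and re-checks. Standard library only; the jar and config files it builds are constructed, with placeholder bytes instead of real log4j classes.

```python
"""Triage a /log4j_results.txt-style list for the log4j 1.x JMSAppender
(CVE-2021-4104). Added example for this page, not IBM's or the gist
author's code; standard library only.

The xargs/grep one-liner above flags any file whose contents contain "jms".
This check is stricter: a jar counts only if it actually carries
org/apache/log4j/net/JMSAppender.class, and a config only if an appender is
declared with that class. It also performs the mitigation from the notes
above (drop the class from the jar) and re-checks afterwards.
"""
import os
import re
import tempfile
import zipfile

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
# log4j 1.x properties syntax: log4j.appender.NAME=org.apache.log4j.net.JMSAppender
PROPS_RE = re.compile(
    r"^\s*log4j\.appender\.[\w.]+\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$",
    re.MULTILINE)
# log4j 1.x XML syntax: <appender name="..." class="org.apache.log4j.net.JMSAppender">
XML_RE = re.compile(r'class\s*=\s*"org\.apache\.log4j\.net\.JMSAppender"')


def check_file(path):
    """Classify one path from the results file. Returns one of
    'jar-has-JMSAppender', 'config-uses-JMSAppender', 'unreadable-archive'
    or None (no finding)."""
    low = path.lower()
    if low.endswith((".jar", ".war", ".ear", ".zip")):
        try:
            with zipfile.ZipFile(path) as zf:
                return "jar-has-JMSAppender" if JMS_CLASS in zf.namelist() else None
        except zipfile.BadZipFile:
            return "unreadable-archive"
    if low.endswith((".properties", ".xml")):
        with open(path, "r", errors="replace") as fh:
            # Drop '#' comment lines first so a remark such as
            # "# jms appender disabled" (which grep -i jms flags) is ignored.
            text = "\n".join(line for line in fh.read().splitlines()
                             if not line.lstrip().startswith("#"))
        if PROPS_RE.search(text) or XML_RE.search(text):
            return "config-uses-JMSAppender"
    return None


def triage(results_path):
    """Run check_file over every existing path listed in results_path."""
    with open(results_path) as fh:
        paths = [line.strip() for line in fh if line.strip()]
    findings = []
    for p in paths:
        if os.path.isfile(p):
            finding = check_file(p)
            if finding:
                findings.append((p, finding))
    return findings


def remove_entry(jar_path, entry=JMS_CLASS):
    """Mitigation from the notes above ('zip -q -d log4j-*.jar .../JMSAppender.class')
    done in Python: rewrite the jar without that entry. Returns True if removed."""
    with zipfile.ZipFile(jar_path) as src:
        if entry not in src.namelist():
            return False
        tmp_path = jar_path + ".tmp"
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != entry:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # swap in the rewritten jar only after it is complete
    return True


def demo():
    """Constructed inputs (fake jar and config files, not real log4j).
    Returns (findings before mitigation, removed?, findings after)."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, "log4j-1.2.17.jar")
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr(JMS_CLASS, b"\xca\xfe\xba\xbe")
            zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        props = os.path.join(tmp, "log4j.properties")
        with open(props, "w") as fh:
            fh.write("log4j.rootLogger=INFO, jms\n"
                     "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
        noisy = os.path.join(tmp, "log4j-other.properties")  # grep -i jms would flag this
        with open(noisy, "w") as fh:
            fh.write("# jms appender disabled\nlog4j.rootLogger=INFO, stdout\n")
        results = os.path.join(tmp, "log4j_results.txt")
        with open(results, "w") as fh:
            fh.write("\n".join([jar, props, noisy]) + "\n")
        before = [f for _, f in triage(results)]
        removed = remove_entry(jar)
        after = [f for _, f in triage(results)]
        return before, removed, after
```

Removing the class from a jar is the workaround, not the fix: the config that references the appender still has to be changed, and a jar that is part of an IBM product should be left for the PTF rather than edited in place. The "after" result in the demo shows exactly that: the jar finding goes away, the config finding stays until someone edits the configuration.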
1/10/22
Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x)
https://www.ibm.com/support/pages/node/6539162
Affected Products:
IBM Navigator for i (heritage version only)
Integrated Web Server (IWS)
Integrated Application Server (IAS)
IBM i Access Client Solutions
1/13/22
IBM i Extended Dynamic Remote SQL server (EDRSQL)
Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056
Fix: https://www.ibm.com/support/pages/node/6540294
1/22/22
IBM Db2 Web Query for i update
Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)
https://www.ibm.com/support/pages/node/6550822?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E
3/9/22
OmniFind Text Search Server for DB2 for i
Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104)
https://www.ibm.com/support/pages/node/6562237?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E
Fix: Apply PTFs
3/30/22
IBM Db2 Web Query for i - new vulnerability
Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493)
https://www.ibm.com/support/pages/node/6567195?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E
Fix: Update IBM Db2 Web Query for i