NOTE: I am reading and trying to offer information from what I have seen so far. Everyone will have to conduct their own research and make assessments based on findings.
This runs the find utility in QSH (Qshell on IBM i) as a submitted job.
NOTE: this should be on many if not all systems – so far I have tested OS 7.1-7.4 with success (UPDATE: I tested this with v5r4 and it worked as well)
Breaking the submitted command down piece by piece:
- SBMJOB: submits the job,
- JOB(LOG4JSCAN): names the job, and
- JOBQ(QCTL): submits it to the controlling subsystem (I have been submitting it here to make sure nothing ends it, but you could submit it to another JOBQ)
- find /: we are searching from the root path with find
- -path /QSYS.LIB -prune -o: I am excluding /QSYS.LIB (since it cannot contain .jar files)
- -type f: looking only for items of type file
- -name "*[lL][oO][gG]4[jJ]*": the name of the file, written with character classes so the match is case insensitive
- > /log4j_results.txt: and we are redirecting the output of the find command to the results file
- -o: means "or", so the expression reads: prune /QSYS.LIB, or (for everything not pruned) match regular files whose name fits the pattern
NOTE: RUN THIS AS A USER WITH *ALLOBJ AUTHORITY
Omit just /QSYS.LIB:
SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o -type f -name "*[lL][oO][gG]4[jJ]*" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)
Or omit /QSYS.LIB and /QNTC:
SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*[lL][oO][gG]4[jJ]*" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)
Variations of the Find command excluding multiple directories
find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*[lL][oO][gG]4[jJ]*.jar" > /log4j_results.txt
find / -type d \( -path /QSYS.LIB -o -path /QNTC \) -prune -o -type f -name "*[lL][oO][gG]4[jJ]*.jar" > /log4j_results.txt
Variations of the case-insensitive file name pattern
- without the 4:
-type f -name "*[lL][oO][gG]*[jJ]*"
- without the 4 and with the .jar extension
-type f -name "*[lL][oO][gG]*[jJ]*.jar"
- with the 4 and the .jar extension
-type f -name "*[lL][oO][gG]4[jJ]*.jar"
WRKACTJOB SBS(QCTL) INTERVAL(5)
- F19 to auto refresh
To read the results file after the scan, run:
WRKLNK '/log*'
and select option 5 (Display) next to /log4j_results.txt. The contents will look something like the listing further below.
NOTE: IF THE RESULTS DON'T SHOW /log4j_results.txt
THEN CHECK THAT THE COMMAND WAS SUBMITTED WITHOUT ALTERING THE STRING!!
If you copy and paste make sure it doesn't insert special characters (see below)
QSH CMD('find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*YlL?YoO?YgG?4YjJ?*" > /log4j_results.txt')
This is not going to return the results you want...
/QSYS.LIB
/QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.ant_1.6.5/lib/ant-apache-log4j.jar
/QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.jakarta_log4j_1.2.8.v200607172048/lib/log4j-1.2.8.jar
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/classes/log4j.properties
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/lib/log4j-1.2.14.jar
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/classes/log4j.properties
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-1.2.15.jar
/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-LICENSE.txt
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/log4j-1.2.14.jar
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/slf4j-log4j12-1.5.11.jar
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/log4j-1.2.14.jar
/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/slf4j-log4j12-1.5.11.jar
/QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar
/QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar:Zone.Identifier:$DATA
/log4j_results.txt // <--- You should see this in the results or it didn't run correctly
These are the possible mitigations for this flaw in Log4j 1.x releases:
- Comment out or remove JMSAppender in the Log4j configuration if it is used
- Remove the JMSAppender class from the classpath. For example: zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.
General Information
- Apache Log4j Security Vulnerabilities
- JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
- Log4j 1: How to mitigate the vulnerability in log4j without updating version to 2.15.0
- JMS.Appender Example
- Jesse Gorzinski, IBM's business architect for open source for IBM i and its point man for Java, told IBM i shops to focus on their own Java-based applications and their dependencies – "especially anything that external entities can feed data to." IBM is a big Java shop, and uses the programming language throughout its products. IBM WebSphere and the Tomcat Web server are both Java-based, and are vulnerable to LogJam attacks. More here
- Log4Shell Part 1: Answering FAQs on the Log4Shell Security Vulnerability
- Scott Forstie’s SQL Query to find Log4j instances in IFS
- IBM put out this article to help remediate things and they provide a list of applications not impacted.
- Vulnerability in Apache Log4j affects WebSphere Application Server
- Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
- As Apache releases new patch, researchers discover new Log4j attack vector
- 12/21/21 -- Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for i