Does IBM MQ affected with Log4j vulnerability ?

log4j vulnerability is also called Log4Shell or LogJam. Here we will is the impact of this with IBM MQ distributed environment .

Based on the IBM investigation out all the IBM MQ components none of the component is using Apache Log4j except Blockchain Bridge .

Blockchain Bridge is only available with Advance license .if you don’t have it then you may not have installed the components and it is only available for Linux OS .it is packaged as RPM .

No Log4j libraries are shipped with Internet Pass-Thru (MQIPT). 

A Remote Code Execution issue was identified within the Log4j library that is used by Fabric Gateway to provide logging functionality. Fabric Gateway is used by the IBM MQ blockchain bridge component of IBM MQ 9.1.4 and later to provide connection capability between IBM MQ queue managers and Hyperledger Fabric.

The IBM MQ Blockchain Bridge is shipped as part of IBM MQ Advanced on Linux x86-64 only, under the MQSeriesBCBridge RPM package. Based on current knowledge and analysis, no other IBM MQ components or installable packages are affected. This bulletin provides patch information to address the reported Log4j vulnerability (CVE-2021-44228).

The IBM MQ Blockchain Bridge is shipped as part of IBM MQ Advanced on Linux x86-64 only, under the MQSeriesBCBridge RPM package. Based on current knowledge and analysis, no other IBM MQ components or installable packages are affected. 

Affected IBM MQ versions are 9.2 LTS, 9.1 CD and 9.2 CD

A new patch has been delivered that contains fixes for both CVE-2021-44228 & CVE-2021-45046

IBM had released APAR IT39386 to fix the above vulnerabilities

To see all IBM Security Bulletins for this specific CVE
https://www.ibm.com/blogs/psirt/?s=2021-44228

To see all IBM Security Bulletins for MQ regardless of CVE
https://www.ibm.com/blogs/psirt/?s=MQ

Related Posts

Leave a Reply

Your email address will not be published.