Log4j Security Kit Detected in OmniFind Text Search Server

March 14, 2022

Timothy Pricket Morgan

Who would have thought that a logging utility written in Java and available for more than two decades could cause so many problems? But that’s the nature of the Log4j security vulnerability, which has been installed in all sorts of system software and had a Log4Shell vulnerability that was discovered by Chinese IT giant Alibaba on November 24 last year and has was revealed to the world on December 9. as a zero-day vulnerability.

Several areas of the IBM i software stack use the Log4j logging utility, which is one of many Apache open source software projects around the world. We watched in the stories of The Four Hundred, as well as in the IBM i PTF Guide which is put together by Doug Bidwell every week. Bidwell has informed us that there is a security bulletin update, CVE-2021-4104which you can see here for IBM i 7.4which explains that the OmniFind text search server for the relational database Db2 for i.

The OmniFind text search server was first released with i5/OS V6R1 in 2008, and we first covered it here. As its name suggests, OmniFind is a search engine capable of browsing and indexing textual data stored in just about any format. relational databases running on i5/OS and IBM i platforms and System z mainframes running z/OS. OmniFind Search for Db2 can analyze documents stored in the relational database, and just about anything you can imagine, including Excel spreadsheets, XML, HTML and PDF files and PowerPoint presentations, is also searchable. It’s unclear how ubiquitous the OmniFind tool is, but it’s likely that it’s used frequently enough that IBM issues patches to it that disable the Log4j logging feature.

IBM is fixing three versions of the OmniFind Text Search Server for Db2 for i, including V1R3M0, V1R4M0, and V1R5M0, which correspond to IBM i versions 7.2, 7.3, and 7.4. Fixes for each version are described in detail here:

OmniFind V1R5M0:

OmniFind V1R4M0

OmniFind V1R3M0

  • SI78751
  • SI78759
  • SI78760
  • SI78761

OmniFind uses Log4j to generate diagnostic logs and traces in some of its components, and these patches address the issue by removing the Apache Log4j software entirely. It is unclear which logging function replaced it, if any.

Just a reminder that Bidwell has created an additional spreadsheet in addition to the IBM i PTF Guide which contains the latest information on what to worry about and what to do about this vulnerability. You can download the Log4j spreadsheet on this link.

RELATED STORIES

IBM accelerates development of new navigation system following Log4j issue

Some great tips on Log4j Mitigation Gotchas

No plans to support new navigation on older versions of IBM i, says IBM

Log4j Reaches Legacy Version of Navigator for i – No Patch Coming Soon

Critical Log4j Vulnerability Hits Everything, Including IBM i Server

IBM i PTF Guide, Volume 24, Issue 2

IBM i PTF Guide, Volume 24, Issue 1

Tags: Tags: DB2 for i, HTML, IBM i, IBM i PTF Guide, Log4j, Log4Shell, OmniFind, OmniFind Text Search Server for Db2 for i, V1R3M0, V1R4M0, V1R5M0, XML

IBM i salaries: underpaid, but highly valued and hard to replace
IBM brings native OpenShift clustering to Power Iron

Comments are closed.