Log4j Security Kit Detected in OmniFind Text Search Server
March 14, 2022
Timothy Pricket Morgan
Who would have thought that a logging utility written in Java and available for more than two decades could cause so many problems? But that’s the nature of the Log4j security vulnerability, which has been installed in all sorts of system software and had a Log4Shell vulnerability that was discovered by Chinese IT giant Alibaba on November 24 last year and has was revealed to the world on December 9. as a zero-day vulnerability.
Several areas of the IBM i software stack use the Log4j logging utility, which is one of many Apache open source software projects around the world. We watched in the stories of The Four Hundred, as well as in the IBM i PTF Guide which is put together by Doug Bidwell every week. Bidwell has informed us that there is a security bulletin update, CVE-2021-4104which you can see here for IBM i 7.4which explains that the OmniFind text search server for the relational database Db2 for i.
The OmniFind text search server was first released with i5/OS V6R1 in 2008, and we first covered it here. As its name suggests, OmniFind is a search engine capable of browsing and indexing textual data stored in just about any format. relational databases running on i5/OS and IBM i platforms and System z mainframes running z/OS. OmniFind Search for Db2 can analyze documents stored in the relational database, and just about anything you can imagine, including Excel spreadsheets, XML, HTML and PDF files and PowerPoint presentations, is also searchable. It’s unclear how ubiquitous the OmniFind tool is, but it’s likely that it’s used frequently enough that IBM issues patches to it that disable the Log4j logging feature.
IBM is fixing three versions of the OmniFind Text Search Server for Db2 for i, including V1R3M0, V1R4M0, and V1R5M0, which correspond to IBM i versions 7.2, 7.3, and 7.4. Fixes for each version are described in detail here:
OmniFind uses Log4j to generate diagnostic logs and traces in some of its components, and these patches address the issue by removing the Apache Log4j software entirely. It is unclear which logging function replaced it, if any.
Just a reminder that Bidwell has created an additional spreadsheet in addition to the IBM i PTF Guide which contains the latest information on what to worry about and what to do about this vulnerability. You can download the Log4j spreadsheet on this link.
IBM accelerates development of new navigation system following Log4j issue
Some great tips on Log4j Mitigation Gotchas
No plans to support new navigation on older versions of IBM i, says IBM
Log4j Reaches Legacy Version of Navigator for i – No Patch Coming Soon
Critical Log4j Vulnerability Hits Everything, Including IBM i Server
IBM i PTF Guide, Volume 24, Issue 2
IBM i PTF Guide, Volume 24, Issue 1
IBM i salaries: underpaid, but highly valued and hard to replace
IBM brings native OpenShift clustering to Power Iron