The Apache Log4j Vulnerability

You might have heard the terms “Apache Log4j” or “the Log4Shell vulnerability” a lot in the past few weeks. The flaw has the potential to affect millions of systems and their users through a relatively obscure piece of software called Log4j.

Log4j records events such as error reports and relays diagnostic messages between systems, their administrators and end users. For example, when you try to log into a website that isn’t working correctly you get a 404 message; Log4j records this failed attempt for the server hosting the site. The use of Log4j isn’t limited to records and messages on websites, however: it can be found in a wide range of systems and applications across the digital world.

The vulnerability exists because Log4j allows users to place custom formatting code in a log message, and Log4j evaluates that code when it formats the message. Unfortunately, such code can be made to do much more than format a log message: it can be used to steal sensitive information, take control of systems or slip malicious content onto a device.

A major concern is that Log4j is used widely across the digital world, meaning millions could be affected. The systems predicted to be at risk include IBM Information Server and its components. IBM therefore recommends that you address the issue without delay using the steps described in the Tech Bulletin below.

IBM has published an Information Server Tech Bulletin containing details of the problem and the steps to mitigate the vulnerability; it can be found here.

One of the steps requires a JVM option to be added to WebSphere; here is a link that shows you where to do this. NOTE: apply the option given in the Tech Bulletin, not the one shown in the video.
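To make the mechanism concrete, here is an added Python simulation (not Log4j’s own code and not taken from IBM’s bulletin) of a log formatter that evaluates `${prefix:key}` lookup expressions: with the switch off, a lookup planted in logged request data is expanded and reads a constructed secret; with the switch on, the message is copied verbatim. The lookup syntax and the “no lookups in messages” behaviour mirror Log4j 2 (its `log4j2.formatMsgNoLookups` property has this effect in affected 2.x versions), while the environment contents and the `env`/`lower` handlers are constructed for the example; the page does not state which option the bulletin prescribes.

```python
import re

# Constructed stand-in for the process environment. In a real deployment the
# same lookup would reach real secrets, which is exactly the risk.
ENV = {"DB_PASSWORD": "s3cr3t", "HOSTNAME": "app-01"}

# Lookup prefixes this toy formatter understands, mirroring Log4j's ${prefix:key}.
LOOKUPS = {
    "env": lambda key: ENV.get(key, ""),
    "lower": lambda key: key.lower(),
}

LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")


def _resolve(match):
    prefix, key = match.group(1), match.group(2)
    fn = LOOKUPS.get(prefix)
    return fn(key) if fn else match.group(0)  # unknown prefix: leave literal


def expand_lookups(text: str, max_rounds: int = 8) -> str:
    """Expand ${prefix:key} expressions innermost-first, re-scanning until
    nothing changes. max_rounds bounds the work for self-referencing input."""
    for _ in range(max_rounds):
        expanded = LOOKUP_RE.sub(_resolve, text)
        if expanded == text:
            return expanded
        text = expanded
    return text


def format_log_line(pattern: str, message: str, msg_no_lookups: bool) -> str:
    """Render one log line from an operator-chosen pattern and a message.
    Lookups in the pattern are always expanded (that is the intended feature).
    With msg_no_lookups=False the message body, which often carries request
    data supplied by a client, is expanded too (the flaw); with True it is
    copied verbatim (the mitigation behaviour)."""
    body = message if msg_no_lookups else expand_lookups(message)
    return expand_lookups(pattern).replace("%m", body)


if __name__ == "__main__":
    # Constructed request: the "username" field carries a lookup expression.
    pattern = "[${env:HOSTNAME}] %m"
    msg = "login failed for user ${env:DB_PASSWORD}"
    print(format_log_line(pattern, msg, msg_no_lookups=False))  # leaks s3cr3t
    print(format_log_line(pattern, msg, msg_no_lookups=True))   # stays literal
```

Later Log4j advisories treated that property as insufficient and recommended upgrading or removing the JNDI lookup class, so the simulation shows the mechanism behind the mitigation, not a complete fix.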

We hope that this information is of value to Information Server users. If you need professional consultancy services to help you resolve this issue, please get in touch.