December 22, 2021

Chris Polston | Director, JDE Support Services

As part of our Seven-Point Security Solution, our global security team proactively monitors for critical vulnerabilities and exposures (CVEs). When we have threat intelligence, we publish periodic or immediate email bulletins to keep our clients up to date. These include CVE descriptions and offer best practice recommendations. 

On December 10, “Log4Shell” (aka “LogJam”) was disclosed by security researchers with CERT New Zealand and logged into the National Vulnerability Database as CVE-2021-44228. This vulnerability in the Java logging framework Log4j is described as a zero-day (easily exploitable) arbitrary code execution vulnerability (an attacker can run any commands), and it carries a rare score of 10 out of 10 on the CVSS v3 rating scale.

Why the highest rating? Because it’s a severe threat where attackers don’t need to be authenticated to exploit it. Think of it as an early holiday present for cybercriminals.  

Why Should JD Edwards Customers Care? 

The Log4j flaw potentially affects everyone, including JD Edwards (JDE) customers. It takes advantage of a flaw in a feature that is used by many web servers running on many platforms, the Power i/AS400 included.  

The products and versions affected by Log4j are WebSphere Application Server 8.5 and 9.0. IBM is reviewing its software to determine if there is any impact.  

How Can You Learn More? 

Since the CVE announcement, software publishers and cybersecurity experts have published a good amount of helpful information. Here are two sites that we recommend for JDE customers: 

  1. https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-application-server-cve-2021-44228/ 
  2. https://www.itjungle.com/2021/12/15/critical-log4j-vulnerability-hits-everything-including-the-ibm-i-server/ 

Vendors around the world are actively working to build, test, and distribute patches. At this time, there are no specific program temporary fixes (PTFs) required. As of 21 December, patches for WebSphere (WAS) are available. 

Your Next Steps & How We Can Help 

If your Power i/AS400 machine is current on PTFs, you are protected from this vulnerability. If it has been a while since the PTFs were updated, we strongly recommend you bring the machine up to date. We also recommend monitoring IBM's Product Security Incident Response Team (PSIRT).  
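Bringing PTFs current covers the IBM-supplied software, but Log4j also ships inside application jars that PTFs do not touch. The following script is an added example (not part of this bulletin, and not an IBM or JDE tool) of the kind of check we run: it walks a directory tree, opens every .jar, and reports any jar that bundles the log4j-core `JndiLookup` class together with the artifact version read from the jar's Maven metadata. The sample jars it builds in a temporary directory are constructed for the demonstration; the version cut-off of 2.15.0 is the first log4j-core release in which CVE-2021-44228 is fixed.

```python
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Class inside log4j-core that performs the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata bundled in log4j-core jars; its "version=" line gives the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First log4j-core release with the CVE-2021-44228 fix.
FIXED_VERSION = (2, 15, 0)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def inspect_jar(path: str) -> Optional[dict]:
    """Return a finding if the jar contains log4j-core's JndiLookup class, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if JNDI_LOOKUP_CLASS not in names:
                return None
            version = None
            if POM_PROPERTIES in names:
                props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        return None  # not a zip or unreadable: skip rather than abort the scan
    parsed = parse_version(version) if version else None
    if parsed is None:
        # The class is present but the version is unreadable: treat as suspect, not as safe.
        status = "unknown-version"
    elif parsed < FIXED_VERSION:
        status = "vulnerable"
    else:
        # 2.15.0 and later still ship the class but no longer resolve JNDI from log messages by default.
        status = "jndi-present-but-patched"
    return {"path": path, "version": version, "status": status}


def scan_tree(root: str) -> List[dict]:
    """Scan every .jar under root. Nested jars inside .war/.ear files are not unpacked here."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def build_sample_jar(path: str, version: str) -> None:
    """Constructed test fixture: a minimal jar that looks like log4j-core of the given version."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")


def demo() -> List[dict]:
    """Build one vulnerable and one patched sample jar in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    # A jar without the lookup class must produce no finding.
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as jar:
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:24} {f['version'] or '?':8} {f['path']}")
```

Run it against an application's install tree (for example the WebSphere profile directories) rather than the temp fixtures to get a real inventory; a jar reported as "unknown-version" should be treated as unpatched until its origin is confirmed, and jars embedded in .war or .ear archives need to be extracted first because this scanner does not recurse into them.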

If you would like help checking your system or want to discuss the advantages of Defense-in-Depth with our security and IBM experts, please do not hesitate to contact us. 

If you are not a JD Edwards customer but are still concerned about this Log4j flaw, we can still assist you. We have developed instructions and advisory notes to help you deal with this vulnerability. We’d be glad to discuss your concerns and situation, so please reach out.