Maximo Open Forum

  • 1.  Apache Log4j CVE-2021-44228 vulnerability Question

    Posted 12-20-2021 17:28
    Hello,

    I am sure you all are aware of the new Log4j vulnerability that has been found in Log4j versions 2.0 to 2.15. 

    There have been many updates and articles on more recent versions of Maximo from IBM, but we are using an older version, 7.1.1.7 with WebSphere 6.1.0.43. I have looked online to see if actions are required for older versions of Maximo, but I could not find anything for our version. I believe our Maximo version uses Log4j version 1.x.

    In addition, we have Maximo set up only for intranet usage, and it is not accessible to the public. 

    Do we have to be worried about the Log4j vulnerability? 
    If so, do you have any recommendations for our version?

    Any info would be appreciated.

    Thanks.
    #Security

    ------------------------------
    Kevin Jo
    USSUPI
    ------------------------------


  • 2.  RE: Apache Log4j CVE-2021-44228 vulnerability Question

    Posted 12-21-2021 11:09
    From a Maximo perspective, you are correct that Maximo would utilize a log4j version not impacted by the most recently announced vulnerability. While customers on newer versions also needed to update WebSphere (as WebSphere 8.5.5/WebSphere 9.0.X had a log4j version that was impacted), your version of WebSphere wouldn't have a log4j version of 2.0 or higher. Log4j 2.0 didn't become generally available until 2014 and WebSphere 6.1 had already reached end of support by then. 

    Log4j is getting a lot of publicity because it is a big security vulnerability in a library that exists in almost all Java applications. But there have been many other security vulnerabilities that have been addressed in Maximo, WebSphere, the underlying Java SDK, database servers, etc. And some of these are pretty significant issues. So while you're not impacted by the log4j vulnerability, even in an intranet-only scenario, I would be concerned long term about operating a version that far behind and out of support.

    ------------------------------
    Steven Shull
    IBM
    ------------------------------
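The reply above rests on which log4j artifacts are actually present on the server, so a quick inventory is the practical check. The script below is an added example, not code from the thread, IBM or Maximo: it walks an install tree, identifies log4j jars by filename (falling back to the jar manifest when the filename carries no version), and classifies each one against the range the thread cites for CVE-2021-44228 (Log4j 2.0 through 2.15). The sample jars it builds in a temporary directory are constructed stand-ins; point `scan()` at a real WebSphere or Maximo root to use it.

```python
"""Inventory log4j jars under an install tree and classify them against the
CVE-2021-44228 range cited in the thread (Log4j 2.0 through 2.15).
Added example; the sample jars built by demo() are constructed, not real."""
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Affected range as stated in the thread: 2.0 up to and including 2.15.
AFFECTED_LOW = (2, 0)
AFFECTED_HIGH = (2, 16)  # exclusive upper bound

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, log4j-1.2-api-2.14.1.jar
JAR_NAME = re.compile(r"^(log4j(?:-core|-api|-1\.2-api)?)-(\d+(?:\.\d+)*)\.jar$", re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tuple comparison then orders versions correctly."""
    return tuple(int(p) for p in text.split("."))


def classify(artifact: str, version: str) -> str:
    """Map an artifact/version pair to a finding for CVE-2021-44228."""
    v = parse_version(version)
    if v[0] < 2:
        # Log4j 1.x predates the vulnerable JNDI lookup (it is still end-of-life).
        return "not-affected-1.x"
    if "core" not in artifact.lower():
        # The lookup lives in log4j-core; api/bridge jars are inventory only.
        return "not-affected-no-core"
    if AFFECTED_LOW <= v < AFFECTED_HIGH:
        return "affected"
    return "fixed"


def manifest_identity(jar_path: str) -> Optional[Tuple[str, str]]:
    """Fallback when the filename carries no version: read the jar manifest."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, val = line.partition(":")
            fields[key.strip().lower()] = val.strip()
    title = fields.get("implementation-title")
    version = fields.get("implementation-version")
    if title and version and re.fullmatch(r"\d+(\.\d+)*", version):
        return title, version
    return None


def scan(root: str) -> List[Tuple[str, str, str, str]]:
    """Walk root; return (path, artifact, version, status) for every log4j jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar") or "log4j" not in name.lower():
                continue
            path = os.path.join(dirpath, name)
            m = JAR_NAME.match(name)
            ident = (m.group(1), m.group(2)) if m else manifest_identity(path)
            if ident is None:
                findings.append((path, name, "unknown", "needs-manual-check"))
                continue
            artifact, version = ident
            findings.append((path, artifact, version, classify(artifact, version)))
    return sorted(findings)


def _make_jar(path: str, title: str, version: str) -> None:
    """Write a minimal constructed jar containing only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Title: {title}\n"
                    f"Implementation-Version: {version}\n")


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed install tree in a temp dir, scan it, return (name, version, status)."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        _make_jar(os.path.join(lib, "log4j-1.2.17.jar"), "log4j", "1.2.17")
        _make_jar(os.path.join(lib, "log4j.jar"), "log4j", "1.2.16")  # version only in manifest
        _make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "Apache Log4j Core", "2.14.1")
        _make_jar(os.path.join(lib, "log4j-api-2.14.1.jar"), "Apache Log4j API", "2.14.1")
        _make_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "Apache Log4j Core", "2.16.0")
        return [(os.path.basename(p), ver, status) for p, _, ver, status in scan(root)]


if __name__ == "__main__":
    for name, version, status in demo():
        print(f"{name:28s} {version:8s} {status}")
```

Anything reported as `needs-manual-check` (a renamed or shaded jar with no usable manifest) should be opened by hand; the filename and manifest heuristics are an inventory aid, not proof of absence.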



  • 3.  RE: Apache Log4j CVE-2021-44228 vulnerability Question

    Posted 12-21-2021 15:55
    Thank you very much Steven. 

    As you mentioned, there has been a lot of publicity about the big security vulnerability, so this eases our minds. We are aware that running on an older version leaves us out of support. We have been trying to upgrade as soon as possible.

    Kevin

    ------------------------------
    Kevin Jo
    USSUPI
    ------------------------------



  • 4.  RE: Apache Log4j CVE-2021-44228 vulnerability Question

    Posted 12-28-2021 12:43
    Hello Steven Shull,

    I would like to know whether WebSphere Application Server version 8.5.5.3 is affected by this vulnerability, as I see it mentioned for V8.5.0.0 through 8.5.5.20.


    Thanks


    ------------------------------
    syed mehdi
    kng
    ------------------------------