IBM Support

PH42899: Block classes with known vulnerabilities from being loaded by the application and library class loaders.


APAR status

  • Closed as new function.

Error description

  • Block classes with known vulnerabilities from being loaded by
    the application and library class loaders.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: Add support to WebSphere to block       *
    *                      classes with known vulnerabilities from *
    *                      being loaded by the WebSphere           *
    *                      application and library class loaders. *
    *                      This APAR supersedes APAR PH42759.      *
    *                      Note: WebSphere Application Server's    *
    *                      own usage of log4j is removed by the    *
    *                      fixes associated with the following     *
    *                      security bulletin, without any need for *
    *                      PH42899 (this APAR):                    *
    *                      https://www.ibm.com/support/pages/node/ *
    *                      6526750                                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Applications deployed to WebSphere Application Server may run
    versions of Log4j2 that are affected by the Log4Shell
    (CVE-2021-44228) and related vulnerabilities.
    
    This APAR updates the WebSphere Application Server application,
    shared library, and extension class loaders to block the loading
    of the org.apache.logging.log4j.core.lookup.JndiLookup class,
    which is the cause of the vulnerability.
    
    IBM recommends that customers analyze their applications for use
    of Log4j2 with urgency; in the meantime this fix may help
    mitigate Log4Shell and other vulnerabilities related to that
    class.
    
    This APAR does not protect in cases where the Log4j2 classes
    have been renamed (a process known as "shading") or where Log4j2
    is loaded by a class loader other than the WebSphere ones (for
    example, the Java system class loaders or user-created class
    loaders), since the block matches the exact class name and is
    applied only by the WebSphere class loaders. This fix is
    provided to assist customers in building a holistic defense in
    depth against Log4Shell.
    
    Note: WebSphere Application Server's own usage of log4j is
    removed by the fixes associated with the following security
    bulletin, without any need for PH42899 (this APAR):
    https://www.ibm.com/support/pages/node/6526750
    
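The summary above asks customers to analyze their applications for Log4j2 and warns that the class-load block keys on the exact class name and so misses shaded (relocated) copies. The following scanner is an added example written for this page, not IBM tooling and not part of the APAR: it walks an EAR/WAR/JAR tree in memory, reports every JndiLookup.class it finds, and marks whether the entry is at the exact path the WebSphere class loaders block (covered) or sits under a relocated package (not covered). The sample EAR it builds is constructed for the demonstration, with class-file magic bytes standing in for real bytecode; the assumption that shading keeps the simple class name JndiLookup (true of Maven Shade relocation, not of obfuscators that rename classes outright) is stated in the code.

```python
import io
import sys
import zipfile
from dataclasses import dataclass

# Exact entry path the WebSphere application, shared library and extension
# class loaders refuse to load after PH42899 (the FQCN named in the APAR).
EXACT_PATH = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Nested archives worth descending into (EAR -> WAR -> JAR).
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip", ".rar")


@dataclass
class Finding:
    archive: str   # path chain, e.g. "app.ear!app.war!WEB-INF/lib/log4j-core.jar"
    entry: str     # class entry inside that archive
    version: str   # log4j-core version from pom.properties, or "unknown"
    covered: bool  # True only when the APAR's exact-FQCN block applies


def _log4j_core_version(zf: zipfile.ZipFile) -> str:
    """Read version= from the log4j-core pom.properties Maven embeds in the jar."""
    for name in zf.namelist():
        if name.endswith("/pom.properties") and "log4j-core" in name:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive(data: bytes, label: str) -> list:
    """Recursively scan a zip-based archive for JndiLookup.class, exact or relocated."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip (e.g. a .rar that is not actually a JCA archive)
    with zf:
        version = _log4j_core_version(zf)
        for name in zf.namelist():
            if name == EXACT_PATH:
                findings.append(Finding(label, name, version, covered=True))
            elif name.endswith("/JndiLookup.class"):
                # Assumption: shading (Maven Shade relocation) moves the package but
                # keeps the simple class name, so the copy is still visible by path.
                # The WAS block matches the exact FQCN, so it does NOT apply here.
                findings.append(Finding(label, name, version, covered=False))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings


def report(findings: list) -> list:
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        status = ("blocked by WAS class loaders" if f.covered
                  else "NOT covered (relocated/shaded copy)")
        lines.append(f"{f.archive} :: {f.entry} (log4j-core {f.version}) -> {status}")
    return lines


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed sample (not a real application): EAR > WAR > three jars."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic only; not real bytecode
    log4j_core = _zip_bytes({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        EXACT_PATH: magic,
    })
    shaded = _zip_bytes({"com/example/shaded/log4j/core/lookup/JndiLookup.class": magic})
    clean = _zip_bytes({"com/example/util/Strings.class": magic})
    war = _zip_bytes({
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core,
        "WEB-INF/lib/app-shaded.jar": shaded,
        "WEB-INF/lib/util.jar": clean,
    })
    return _zip_bytes({"META-INF/application.xml": "<application/>", "app.war": war})


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no arguments: scan the constructed sample
        for line in report(scan_archive(build_sample_ear(), "sample.ear")):
            print(line)
    for p in paths:
        with open(p, "rb") as fh:
            for line in report(scan_archive(fh.read(), p)):
                print(line)
```

Run it with the EAR or WAR files from the deployed application directories as arguments; with no arguments it scans the constructed sample and prints one covered and one not-covered finding. The version column comes from the jar's own pom.properties, which is also how to spot the Log4j 2.0 Beta 9 case that the Problem conclusion warns will fail with an uncaught NoClassDefFoundError once this APAR is applied. A finding marked not covered, or Log4j2 loaded through a non-WebSphere class loader (which this file-level scan cannot see), means the application itself must be updated rather than relying on the block.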

Problem conclusion

  • This APAR supersedes APAR PH42759.
    
    Blocking of class loads for
    org.apache.logging.log4j.core.lookup.JndiLookup was added to the
    WAS application, shared library, and extension class loaders.
    
    NOTE: For applications utilizing the Log4j 2.0 Beta 9 release,
    preventing the load of this class will cause an uncaught
    NoClassDefFoundError. Users whose applications include this
    library are advised to update their Log4j immediately and avoid
    applying this APAR until after that update is applied.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.21 and 9.0.5.11. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH42899

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-12-18

  • Closed date

    2021-12-18

  • Last modified date

    2021-12-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
13 January 2022