IBM Support

PH61335: can't opt out of "forbidden classes" such as log4j

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • [5/8/24 11:10:36:301 CDT] 00000079 CompoundClass >  loadClass
org.apache.logging.log4j.core.lookup.JndiLookup this=com.ibm.ws
.classloader.CompoundClassLoader@5b025a23[PL][library:Iso_Lib]En

[5/8/24 11:10:36:301 CDT] 00000079 CompoundClass <  loadClass
org.apache.logging.log4j.core.lookup.JndiLookup forbidden Exit

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: Users who want to use the Log4j JNDI    *
*                      Lookup function are unable to do so     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
As part of WAS' proactive response to the Log4Shell
vulnerability,
filtering was put in place to actively block the load of the
Log4j
JndiLookup class, which was the cause of that vulnerability. The
new "forbidden classes" mechanism was, by design, not
configurable.
Since that time, the vulnerability in that class has been
addressed, but applications are still prevented from using it.

    



Problem conclusion


    

  • The forbidden classes mechanism is now configurable. To allow
previously-forbidden classes to be loaded, add the custom
property "com.ibm.ws.classloader.nothing.forbidden" with value
"true" to the server JVM configuration, or add "-
Dcom.ibm.ws.classloader.nothing.forbidden=true" as a generic JVM
argument on the application server process.

The fix for this APAR is targeted for inclusion in fix packs
8.5.5.27 and 9.0.5.21. For more information, see 'Recommended
Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH61335
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2024-05-13
    • 

  • Closed date
    2024-06-10
    • 

  • Last modified date
    2024-06-10
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            10 June 2024
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback