Fix (APAR): PH42759
Status: Fix
Release: 9.0.5.10, 9.0.5.9, 9.0.5.8, 9.0.5.7, 9.0.5.6, 9.0.5.5, 9.0.5.4, 9.0.5.3
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 603810
Date: 2021-12-15

Abstract: Block class loads for vulnerable classes

Description/symptom of problem:
PH42759 resolves the following problem:

ERROR DESCRIPTION:
Allow application class loaders to block class loads of classes with security vulnerabilities.

LOCAL FIX:

PROBLEM SUMMARY:
USERS AFFECTED: All users of IBM WebSphere Application Server
PROBLEM DESCRIPTION: Security-compromised classes can be loaded by the WAS application and library class loaders.
RECOMMENDATION: None

Applications deployed to WebSphere Application Server may run versions of Log4j2 that are affected by the Log4Shell (CVE-2021-44228) vulnerability. This APAR updates the WebSphere Application Server application, shared library, and extension class loaders to block the loading of the org.apache.logging.log4j.core.lookup.JndiLookup class, which is the cause of the vulnerability. IBM recommends that customers analyze their applications for use of Log4j2 with urgency; in the meantime this fix may help mitigate Log4Shell and other vulnerabilities related to that class.

This APAR will not protect in cases where the Log4j2 classes have been renamed (a process known as "shading") or if Log4j2 is loaded from non-WAS class loaders (e.g. Java system class loaders or user-created class loaders). This fix is provided to assist customers in building a holistic defense in depth against Log4Shell.

PROBLEM CONCLUSION:
Blocking of class loads for org.apache.logging.log4j.core.lookup.JndiLookup was added to the WAS application, shared library, and extension class loaders.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.11.

For more information, see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

Directions to apply fix:
Install the fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.8.5 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
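As an added check (not part of this APAR or of IBM's fix), the following Python script inspects a deployed EAR, WAR or JAR for the JndiLookup class file, recursing into nested archives (EAR -> WAR -> WEB-INF/lib/*.jar). It separates the exact log4j-core path that this APAR blocks from a JndiLookup.class under some other package, which is the shaded case the APAR does not cover. The sample EAR is constructed in memory; its jar and file names are assumptions.

```python
import io
import zipfile

# Exact class file path that PH42759 blocks in the WAS class loaders.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, name="<root>"):
    """Return (location, verdict) pairs for every JndiLookup class file found.

    Recurses into nested archives. A hit at the exact log4j-core path is the
    case the APAR blocks; a JndiLookup.class under any other package points at
    a shaded copy, which the APAR explicitly does not cover.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (e.g. a plain resource file)
    with zf:
        for entry in zf.namelist():
            loc = f"{name}!/{entry}"
            if entry == JNDI_LOOKUP_CLASS:
                hits.append((loc, "exact log4j-core path: blocked by PH42759 in WAS class loaders"))
            elif entry.endswith("/JndiLookup.class"):
                hits.append((loc, "JndiLookup outside the log4j package (possibly shaded): not covered by PH42759"))
            elif entry.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(find_jndi_lookup(zf.read(entry), loc))
    return hits


def scan_file(path):
    """Scan an archive on disk, e.g. an EAR exported from the WAS profile."""
    with open(path, "rb") as f:
        return find_jndi_lookup(f.read(), path)


def _build_sample_ear():
    """Constructed sample EAR for demonstration; not a real application."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, b in entries.items():
                z.writestr(n, b)
        return buf.getvalue()
    log4j_core = zipped({JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    shaded = zipped({"com/example/shaded/log4j/core/lookup/JndiLookup.class": b"\xca\xfe\xba\xbe"})
    war = zipped({"WEB-INF/lib/log4j-core.jar": log4j_core,
                  "WEB-INF/lib/vendor-shaded.jar": shaded,
                  "WEB-INF/web.xml": b"<web-app/>"})
    return zipped({"app.war": war, "META-INF/application.xml": b"<application/>"})


if __name__ == "__main__":
    for loc, verdict in find_jndi_lookup(_build_sample_ear(), "sample.ear"):
        print(verdict, "->", loc)
```

A shaded hit means the class is still loadable despite this APAR, so the application itself must be updated or the library removed.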