Fix (APAR): PH42899
Status: Fix
Release: 9.0.5.10, 9.0.5.9, 9.0.5.8, 9.0.5.7, 9.0.5.6, 9.0.5.5, 9.0.5.4, 9.0.5.3
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes: PH42759
CMVC Defect: xxxxxx
Byte size of APAR: 603564
Date: 2021-12-18

Abstract: Block loads of vulnerable classes in WebSphere class loaders

Description/symptom of problem:
PH42899 resolves the following problem:

ERROR DESCRIPTION:
Security-compromised classes can be loaded by the WAS application and library class loaders.

LOCAL FIX:

PROBLEM SUMMARY:
USERS AFFECTED: All users of IBM WebSphere Application Server

PROBLEM DESCRIPTION: Security-compromised classes can be loaded by the WAS application and library class loaders. This APAR supersedes APAR PH42759.

RECOMMENDATION: None

Applications deployed to WebSphere Application Server may run versions of Log4j2 that are affected by the Log4Shell (CVE-2021-44228) vulnerability. This APAR updates the WebSphere Application Server application, shared library, and extension class loaders to block the loading of the org.apache.logging.log4j.core.lookup.JndiLookup class, which is the cause of the vulnerability. IBM recommends that customers analyze their applications for use of Log4j2 with urgency; in the meantime this fix may help mitigate Log4Shell and other vulnerabilities related to that class.

This APAR will not protect in cases where the Log4j2 classes have been renamed (a process known as "shading") or where Log4j2 is loaded by non-WAS class loaders (e.g. Java system class loaders or user-created class loaders). This fix is provided to assist customers in building a holistic defense in depth against Log4Shell.

PROBLEM CONCLUSION:
This APAR supersedes APAR PH42759. Blocking of class loads for org.apache.logging.log4j.core.lookup.JndiLookup was added to the WAS application, shared library, and extension class loaders.
NOTE: For applications using the Log4j 2.0 Beta 9 release, preventing the load of this class will cause an uncaught NoClassDefFoundError. Users whose applications include this library are advised to update their Log4j immediately and to avoid applying this APAR until after that update is applied.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.11.

For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553

Directions to apply fix:
Install the fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.8.5 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes: http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes: http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
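As a practical aid for the application analysis IBM recommends above, the following added example (not part of the APAR or of IBM's code) scans a deployed EAR/WAR/JAR, including nested jars under WEB-INF/lib, for the JndiLookup class and flags whether each hit sits at the exact package path that PH42899's class-loader block covers or under a different (shaded) package, which the APAR does not cover. The sample archive, its jar names and the placeholder class bytes are constructed inline for the demonstration.

```python
import io
import zipfile

# The class whose load PH42899 blocks in the WAS application, shared-library
# and extension class loaders (path form, as stored inside a jar).
BLOCKED_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_archive(data: bytes, path: str = "<root>") -> list:
    """Return (location, covered_by_apar) for every JndiLookup.class found.

    A hit at the exact Log4j2 package path is the case the APAR's block
    addresses. A JndiLookup.class under any other package is treated as a
    shaded (renamed) copy, which the APAR explicitly does not protect against.
    Nested archives (.jar/.war/.ear/.zip) are scanned recursively.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("JndiLookup.class"):
                findings.append((f"{path}!{name}", name == BLOCKED_CLASS))
            elif name.endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def build_sample_ear() -> bytes:
    """Constructed sample: an EAR containing a WAR whose WEB-INF/lib holds one
    unmodified log4j-core jar and one vendor jar with a shaded copy of the
    lookup class. Class entries hold placeholder bytes, not real bytecode."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder class
        return buf.getvalue()

    log4j = jar([BLOCKED_CLASS, "org/apache/logging/log4j/core/Logger.class"])
    shaded = jar(["com/example/shaded/log4j/core/lookup/JndiLookup.class"])
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", log4j)
        zf.writestr("WEB-INF/lib/vendor-shaded.jar", shaded)
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as zf:
        zf.writestr("app.war", war_buf.getvalue())
    return ear_buf.getvalue()


if __name__ == "__main__":
    for location, covered in scan_archive(build_sample_ear(), "sample.ear"):
        print("blocked by PH42899" if covered else "NOT covered (shaded)", location)
```

Point scan_archive at the bytes of a real EAR or WAR to list every copy; any hit reported as not covered still needs the Log4j2 upgrade regardless of this APAR.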