Fix (APAR): PH54051
Status: Fix
Release: 21.0.0.9
Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,OS X,z/OS
Supersedes Fixes:
CMVC Defect:
Byte size of APAR: 1597881
Date: 20211216

Abstract: Updates class loaders to block the org.apache.logging.log4j.core.lookup.JndiLookup class, which is the cause of the (CVE-2021-44228) vulnerability.

Description/symptom of problem:
PH54051 resolves the following problem:
Applications deployed to WebSphere Liberty may run versions of Log4j2 that are affected by the Log4Shell (CVE-2021-44228) vulnerability. This APAR updates the WebSphere Liberty application, shared library, and extension class loaders to block the loading of the org.apache.logging.log4j.core.lookup.JndiLookup class, which is the cause of the vulnerability.

IBM recommends customers analyze their applications for use of Log4j2 with urgency; in the meantime this fix may help mitigate Log4Shell and other vulnerabilities related to that class. This APAR will not protect in cases where the Log4j2 classes have been renamed (a process known as "shading") or if Log4j2 is loaded from non-WAS class loaders (e.g. Java system class loaders or user-created class loaders). This fix is provided for customers to assist in creating a holistic deep defense against Log4Shell.

Review: https://www-01.ibm.com/support/docview.wss?uid=ibm10961580 for installing into a Docker application image based on Liberty images.

Directions to apply fix:
1. Open a console and direct it to the location of your iFix jar
2. Run the command "java -jar 21009-wlp-archive-IFPH54051.jar".
   The following launch options are available for the jar:
   --installLocation [LibertyRootDir]
       by default the jar will look for a "wlp" directory in its current location. If your WebSphere Liberty install location is different to "wlp" and/or is not in the same directory as the jar then you can use this option to change where the jar will patch. [LibertyRootDir] can either be relative to the location of the jar or an absolute file path.
   --suppressInfo
       hides all messages other than confirming the patch has completed or error messages.
3. Stop your WebSphere Liberty server(s).
4. When you next start your WebSphere Liberty server(s), the fix will become active in your runtime.

Directions to remove fix:
1. Stop your WebSphere Liberty server(s).
2. You will need to delete the following files if they exist (file locations are relative to your WebSphere Liberty install root):
   - lib/com.ibm.ws.classloading_1.1.56.cl210920211215-2104.jar
   - lib/fixes/21009-wlp-archive-IFPH54051_21.0.0009.20211216_0202.xml
   - lib/fixes/21009-wlp-archive-IFPH54051_21.0.0009.20211216_0202.lpmf
3. When you next start your WebSphere Liberty server(s), the fix will become inactive in your runtime.

Directions to re-apply fix:
1. Follow the instructions to apply the fix.

Additional Information:
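
One way to do the application analysis recommended above, as an added example that is not IBM's code and not part of this fix: a scanner that walks an EAR/WAR/JAR, including nested archives, and reports every JndiLookup.class, separating copies under Log4j2's own package name from relocated (shaded) copies that the class-loader block does not cover. The function names, the list of class roots, and the sample archive contents are assumptions made for illustration.

```python
import io
import zipfile

# Class name from the page; the APAR blocks it by this fully qualified name.
BLOCKED = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed archive roots under which a class keeps its original package name.
CLASS_ROOTS = ("", "WEB-INF/classes/", "BOOT-INF/classes/")
ARCHIVES = (".jar", ".war", ".ear", ".rar", ".zip")


def scan_archive(data, label, depth=5):
    """Return (location, kind) pairs for each JndiLookup.class in a zip archive.
    kind is "standard" for Log4j2's own package name and "relocated" for any
    other path (a shaded copy, which the page says the fix does not cover).
    """
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # named like an archive but not one; nothing to report
    with archive:
        for info in archive.infolist():
            name = info.filename
            if name.rsplit("/", 1)[-1] == "JndiLookup.class":
                standard = any(name == root + BLOCKED for root in CLASS_ROOTS)
                found.append((f"{label}!/{name}", "standard" if standard else "relocated"))
            elif depth > 0 and name.lower().endswith(ARCHIVES):
                found += scan_archive(archive.read(info), f"{label}!/{name}", depth - 1)
    return found


def scan_file(path):
    """Scan one application archive on disk."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def build_sample_ear():
    """Constructed sample: an EAR holding one standard and one shaded copy."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for entry, body in entries.items():
                z.writestr(entry, body)
        return buf.getvalue()
    core = zipped({BLOCKED: b"stub"})
    shaded = zipped({"com/example/shaded/log4j/core/lookup/JndiLookup.class": b"stub"})
    war = zipped({"WEB-INF/lib/log4j-core.jar": core, "WEB-INF/lib/vendor-all.jar": shaded})
    return zipped({"shop.war": war, "META-INF/application.xml": b"<application/>"})
```

A "relocated" hit needs remediation in the application itself. A "standard" hit is blocked only when one of the Liberty class loaders named above loads it, which the scan cannot determine.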