Log4j Security Hole Found In OmniFind Text Search Server
March 14, 2022 Timothy Prickett Morgan
Who would have thought that a logging utility written in Java and available for more than two decades could cause so much trouble? But that is the nature of the Log4j security vulnerability. The utility has been installed in all kinds of systems software, and its Log4Shell vulnerability was discovered by Chinese computing giant Alibaba on November 24 last year and revealed to the world on December 9 as a zero-day vulnerability.
There are several areas of the IBM i software stack that use the Log4j logging utility, which is one of the many Apache open source software projects in the world. We have been monitoring them in stories in The Four Hundred, as well as in the IBM i PTF Guide that is put together by Doug Bidwell every week. Bidwell tipped us off that there is an update to the Security Bulletin, CVE-2021-4104, which you can see here for IBM i 7.4, that explains that the OmniFind Text Search Server for the Db2 for i relational database is affected.
The OmniFind Text Search Server first came out with i5/OS V6R1 way back in 2008, and we first reported on it here. As the name suggests, OmniFind is a search engine that can chew through and index text data stored in just about any format and was IBM’s way of providing a search engine that could span the Internet as well as various kinds of datasets and datastores, including Db2 relational databases running on i5/OS and IBM i platforms and System z mainframes running z/OS. The OmniFind search for Db2 can scan documents stored within the relational database, and just about anything you can think of, including Excel spreadsheets, XML, HTML, and PDF files, and PowerPoint presentations, is searchable as well. It is unclear how pervasive the OmniFind tool is, but presumably it is used frequently enough for IBM to put out patches to it that disable the Log4j logging function.
IBM is patching three releases of the OmniFind Text Search Server for Db2 for i, including V1R3M0, V1R4M0, and V1R5M0, which correspond to the IBM i releases 7.2, 7.3, and 7.4. The patches for each release are described in full here:
OmniFind V1R5M0:
- SI78753
- SI78754
- SI78755
OmniFind V1R4M0:
- SI78756
- SI78757
- SI78758
OmniFind V1R3M0:
- SI78751
- SI78759
- SI78760
- SI78761
OmniFind uses Log4j for generating logs and diagnostic traces in some of its components, and these patches address the issue by removing the Apache Log4j software entirely. It is not clear what logging function has replaced it, if any.
Just a reminder that Bidwell has created a supplemental spreadsheet as a companion to the IBM i PTF Guide that has the latest information on what you need to worry about, and what to do about it, when it comes to this vulnerability. You can download the Log4j spreadsheet at this link.