thebeardedgeek · April 14, 2022 07:06
diff --git a/Log4j_Information_and_Utilities b/Log4j_Information_and_Utilities
 NOTE: I am reading and trying to offer information from what I have seen so far. Everyone will have to conduct their own research and make assessments based on findings.

 A way to scan the IFS on an IBM i from QSH

 This executes a find utility in QSH 
 NOTE: this should be on many if not all systems – so far I have tested OS 7.1-7.4 with success *UPDATE I tested this with v5r4 and it worked as well
 •	SBMJOB = Submits the job, JOB(LOG4JSCAN) names the job, and JOBQ(QCTL) submits it to the controlling subsystem (I have been submitting it here to make sure nothing ends it but you could submit it to another JOBQ)
 •	Find / = we are searching the root path with find
 •	-path /QSYS.LIB -prune -o = I am excluding /QSYS.LIB (since it cannot contain .jar files) 
 •	-type f = looking for items of the type files
 •	-name "*[lL][oO][gG]4[jJ]*" = The name of the file and making sure it’s case insensitive 
 •	> /log4j_results.txt = And we are piping the results of the find command to
 •	-o = means or

 NOTE: RUN THIS AS A USER WITH *ALLOBJ AUTHORITY

 ********************
 MAIN COMMAND TO RUN
 ********************
 Omit just QSYS.LIB
 SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o -type f -name "*[lL][oO][gG]4[jJ]*" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)

 or Omit QSYS.LIB and QNTC
 SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o  -path /QNTC -prune -o -type f -name "*[lL][oO][gG]4[jJ]*" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)

 **********************
 VARIATIONS TO COMMAND
 **********************
 Variations of the Find command excluding multiple directories
 find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*[lL][oO][gG]4[jJ]*.jar" > /log4j_results.txt

 find / -type d \( -name /QSYS.LIB -o -name /QNTC \) -prune -o -type f -name "*[lL][oO][gG]4[jJ]*.jar" > /log4j_results.txt

 Variations of case insensitive file name
 •	without the 4 
 -type f -name "*[lL][oO][gG]*[jJ]*"

 •	without the 4 and with the .jar extension
 -type f -name "*[lL][oO][gG]*[jJ]*.jar"

 •	with the 4 and the .jar extension
 -type f -name "*[lL][oO][gG]4[jJ]*.jar"

 **************
 WATCH THE JOB
 **************
 WRKACTJOB SBS(QCTL) INTERVAL(5)
 F19 to auto refresh

 ********
 RESULTS
 ********
 Reading the results file after the scan it would look something like this: 
 Run: WRKLNK '/log*' and select option 5 to view

 NOTE: IF THE RESULTS DON'T SHOW /log4j_results.txt THEN CHECK THAT THE COMMAND WAS SUBMITTED WITHOUT ALTERING THE STRING!!

 If you copy and paste make sure it doesn't insert special characters (see below)
 QSH CMD('find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "*YlL?YoO?YgG?4YjJ?*" > /log4j_results.txt')
 This is not going to return the results you want...

 ************Beginning of data**************                                                                                        
 /QSYS.LIB                                                                                                                                            
 /QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.ant_1.6.5/lib/ant-apache-log4j.jar                           
 /QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.jakarta_log4j_1.2.8.v200607172048/lib/log4j-1.2.8.jar        
 /QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/classes/log4j.properties                                 
 /QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/lib/log4j-1.2.14.jar                                     
 /QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/classes/log4j.properties                                 
 /QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-1.2.15.jar                                     
 /QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-LICENSE.txt                                    
 /QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/log4j-1.2.14.jar          
 /QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/slf4j-log4j12-1.5.11.jar  
 /QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/log4j-1.2.14.jar     
 /QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/slf4j-log4j12-1.5.11.jar
 /QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar                                                       
 /QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar:Zone.Identifier:$DATA                                 
 /log4j_results.txt     <--- You should see this in the results or it didn't run correctly
 ************End of Data********************  

 ****************************************************
 12/24/21 -- Nested .jar Searcher by Jesse Gorzinski
 ****************************************************
 https://github.com/ThePrez/NestedJarSearcher/releases/tag/v0.1.0

 **Example** (replace /home/myapp with the directory of interest)
 cd /home/myapp

 find . -name \*.war -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt
 find . -name \*.ear -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt
 find . -name \*.jar -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt
 find . -name \*.zip -print -exec $HOME/jarsearch {} JndiLookup.class \; | grep '\*\*\*' >> $HOME/scanresults.txt

 ***********************
 Helpful Links and Info
 ***********************
 General Information
 https://github.com/snyk-labs/awesome-log4shell?cta=html-button-click&loc=page-body&page=log4j-vulnerability-resources

 Apache Log4j Security Vulnerabilities
 https://logging.apache.org/log4j/2.x/security.html

 Log4j 1: How to mitigate the vulnerability in log4j without updating version to 2.15.0
 https://stackoverflow.com/questions/70332054/log4j-1-how-to-mitigate-the-vulnerability-in-log4j-without-updating-version-to

 These are the possible mitigations for this flaw for releases version 1.x:
 •	Comment out or remove JMSAppender in the Log4j configuration if it is used
 •	Remove the JMSAppender class from the classpath. For example: zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
 •	Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.

 https://www.itjungle.com/2021/12/15/critical-log4j-vulnerability-hits-everything-including-the-ibm-i-server/
 Jesse Gorzinski, IBM’s business architect for open source for IBM i and its point man for Java, told IBM i shops to focus on their own Java-based applications and their dependencies– “especially anything that external entities can feed data to.”
 IBM is a big Java shop, and uses the programming language throughout its products. IBM WebSphere and the Tomcat Web server are both Java-based, and are vulnerable to LogJam attacks.
 
 Log4Shell Part 1: Answering FAQs on the Log4Shell Security Vulnerability
 https://techchannel.com/Trends/12/2021/log4shell-part-1
 
 Scott Forstie’s SQL Query to find Log4j instances in IFS
 https://gist.github.com/forstie/9662d4c302f5224c66b7a4c409141a2c
 
 IBM put out this article to help remediate things and they provide a list of applications not impacted.
 https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products
 
 Vulnerability in Apache Log4j affects WebSphere Application Server
 https://www.ibm.com/support/pages/node/6525706
 
 Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
 https://www.ibm.com/support/pages/node/6526172

 As Apache releases new patch, researchers discover new Log4j attack vector
 https://siliconangle.com/2021/12/19/apache-releases-new-patch-researchers-discover-new-log4j-attack-vector/                                               

 12/21/21 -- Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for i 
 https://www.ibm.com/support/pages/node/6529238

 12/24/21
 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
 https://www.opencve.io/cve/CVE-2021-4104

 **Example of how to search for jms in log4j results (replace /QOpenSys/opt with the directory of interest)
 find /QOpenSys/opt -type f -name "*[lL][oO][gG]4[jJ]*" |xargs grep -i  "[jJ][mM][sS]"

 JMS.Appender Example: 
 https://stackoverflow.com/questions/11828232/log4j-jms-appender-example

 12/27/21 -- Security Bulletin: BIND for IBM i is affected by CVE-2021-25219
 https://www.ibm.com/support/pages/node/6536716?myns=ibmi&mynp=OCSWG60&mync=R&cm_sp=ibmi-_-OCSWG60-_-R

 12/30/31
 Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876)
 https://www.ibm.com/support/pages/security-bulletin-ibm-navigator-i-affected-security-vulnerability-cve-2021-38876

 CISA released a log4j scanner
 https://github.com/cisagov/log4j-scanner

 ************************************************************************
 1/3/22 -- A compiled list of the vulnerabilities I could find for IBM i
 ************************************************************************
 IBM HTTP Server (powered by Apache) for I
 Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i
 https://www.ibm.com/support/pages/node/6520016?myns=ibmi&mynp=OCSWG60&mync=F&cm_sp=ibmi-_-OCSWG60-_-F

 IBM Navigator for i (Heritage version)
 Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876)
 https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-affected-by-security-vulnerability-cve-2021-38876/
 Fix: https://www.ibm.com/support/pages/node/6537250

 IBM i DNS Server implementation uses ISC BIND
 Security Bulletin: BIND for IBM i is affected by CVE-2021-25219
 https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affected-by-cve-2021-25219/
 Fix: https://www.ibm.com/support/pages/node/6536716

 IBM DB2 Web Query
 Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105)
 https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-ibm-db2-web-query-for-i-cve-2021-45105/
 Fix: https://www.ibm.com/support/pages/node/6537454

 -- Original Bulletin:
 Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for I
 https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-ibm-db2-web-query-for-i/

 IBM WebSphere
 Security Bulletin: IBM WebSphere Service Registry and Repository is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)
 https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-service-registry-and-repository-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
 Fix: https://www.ibm.com/support/pages/node/6525706

 Power HMC
 Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
 https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-44228-affects-power-hmc-2/
 Fix: https://www.ibm.com/support/pages/node/6526172

 Rational Developer (RDi)
 Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for I
 https://www.ibm.com/support/pages/node/6525674
 Fix: https://www.ibm.com/support/pages/node/6512830

 1/3/22
 Take the results from the QSH Log4j scan text file and scan for JMS (run from QSH)

 xargs grep -i "[jJ][mM][sS]" < /log4j_results.txt > /log4j_jms_results.txt

 ***Explanation of above command
 xargs = utility will execute a specified command (utility) with parameters from stdin
 grep -i = print lines matching a pattern. Ignore case distinctions in both the PATTERN and the input files
 "[jJ][mM][sS]" = the string to scan for
 < /log4j_results.txt = the file and location of where to read from. This reads the .txt in the root directory
 > /log4j_jms_results.txt = outputs the results to a different .txt file

 1/10/22
 Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) 
 https://www.ibm.com/support/pages/node/6539162
 Affected Products:
 IBM Navigator for i (heritage version only)
 Integrated Web Server (IWS) 	
 Integrated Application Server (IAS)
 IBM i Access Client Solutions

 1/13/22
 IBM i Extended Dynamic Remote SQL server (EDRSQL)
 Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056
 Fix: https://www.ibm.com/support/pages/node/6540294

 1/22/22
 IBM Db2 Web Query for i update
 Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)
 https://www.ibm.com/support/pages/node/6550822?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E

 3/9/22
 OmniFind Text Search Server for DB2 for i
 Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104)
 https://www.ibm.com/support/pages/node/6562237?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E
 Fix: Apply PTFs

 3/30/22
 IBM Db2 Web Query for i - new vulnerability
 Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493) 
 https://www.ibm.com/support/pages/node/6567195?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E
 Fix: Update IBM Db2 Web Query for i
	NOTE: I am reading and trying to offer information from what I have seen so far. Everyone will have to conduct their own research and make assessments based on findings.

	A way to scan the IFS on an IBM i from QSH

	This executes a find utility in QSH
	NOTE: this should be on many if not all systems – so far I have tested OS 7.1-7.4 with success *UPDATE I tested this with v5r4 and it worked as well
	• SBMJOB = Submits the job, JOB(LOG4JSCAN) names the job, and JOBQ(QCTL) submits it to the controlling subsystem (I have been submitting it here to make sure nothing ends it but you could submit it to another JOBQ)
	• Find / = we are searching the root path with find
	• -path /QSYS.LIB -prune -o = I am excluding /QSYS.LIB (since it cannot contain .jar files)
	• -type f = looking for items of the type files
	• -name "[lL][oO][gG]4[jJ]" = The name of the file and making sure it’s case insensitive
	• > /log4j_results.txt = And we are piping the results of the find command to
	• -o = means or

	NOTE: RUN THIS AS A USER WITH *ALLOBJ AUTHORITY

	********************
	MAIN COMMAND TO RUN
	********************
	Omit just QSYS.LIB
	SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o -type f -name "[lL][oO][gG]4[jJ]" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)

	or Omit QSYS.LIB and QNTC
	SBMJOB CMD(QSH CMD('find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "[lL][oO][gG]4[jJ]" > /log4j_results.txt')) JOB(LOG4JSCAN) JOBQ(QCTL)

	**********************
	VARIATIONS TO COMMAND
	**********************
	Variations of the Find command excluding multiple directories
	find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "[lL][oO][gG]4[jJ].jar" > /log4j_results.txt

	find / -type d \( -name /QSYS.LIB -o -name /QNTC \) -prune -o -type f -name "[lL][oO][gG]4[jJ].jar" > /log4j_results.txt

	Variations of case insensitive file name
	• without the 4
	-type f -name "[lL][oO][gG][jJ]*"

	• without the 4 and with the .jar extension
	-type f -name "[lL][oO][gG][jJ]*.jar"

	• with the 4 and the .jar extension
	-type f -name "[lL][oO][gG]4[jJ].jar"

	**************
	WATCH THE JOB
	**************
	WRKACTJOB SBS(QCTL) INTERVAL(5)
	F19 to auto refresh

	********
	RESULTS
	********
	Reading the results file after the scan it would look something like this:
	Run: WRKLNK '/log*' and select option 5 to view

	NOTE: IF THE RESULTS DON'T SHOW /log4j_results.txt THEN CHECK THAT THE COMMAND WAS SUBMITTED WITHOUT ALTERING THE STRING!!

	If you copy and paste make sure it doesn't insert special characters (see below)
	QSH CMD('find / -path /QSYS.LIB -prune -o -path /QNTC -prune -o -type f -name "YlL?YoO?YgG?4YjJ?" > /log4j_results.txt')
	This is not going to return the results you want...

	**********Beginning of data************
	/QSYS.LIB
	/QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.ant_1.6.5/lib/ant-apache-log4j.jar
	/QIBM/ProdData/OS/WebServices/V1/server/internal/wsexplorer/org.apache.jakarta_log4j_1.2.8.v200607172048/lib/log4j-1.2.8.jar
	/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/classes/log4j.properties
	/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-13/WEB-INF/lib/log4j-1.2.14.jar
	/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/classes/log4j.properties
	/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-1.2.15.jar
	/QIBM/ProdData/OS/WebServices/internal/engines/org.apache.axis2-15/WEB-INF/lib/log4j-LICENSE.txt
	/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/log4j-1.2.14.jar
	/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/0/.cp/WEB-INF/lib/slf4j-log4j12-1.5.11.jar
	/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/log4j-1.2.14.jar
	/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea/org.eclipse.osgi/219/data/cache/WEB-INF/lib/slf4j-log4j12-1.5.11.jar
	/QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar
	/QIBM/UserData/OS/OSGi/LWISysInst/admin2/lwi/bin/ant/lib/ant-apache-log4j.jar:Zone.Identifier:$DATA
	/log4j_results.txt <--- You should see this in the results or it didn't run correctly
	**********End of Data******************

	****************************************************
	12/24/21 -- Nested .jar Searcher by Jesse Gorzinski
	****************************************************
	https://github.com/ThePrez/NestedJarSearcher/releases/tag/v0.1.0

	Example (replace /home/myapp with the directory of interest)
	cd /home/myapp

	find . -name \.war -print -exec $HOME/jarsearch {} JndiLookup.class \; \| grep '\\\' >> $HOME/scanresults.txt
	find . -name \.ear -print -exec $HOME/jarsearch {} JndiLookup.class \; \| grep '\\\' >> $HOME/scanresults.txt
	find . -name \.jar -print -exec $HOME/jarsearch {} JndiLookup.class \; \| grep '\\\' >> $HOME/scanresults.txt
	find . -name \.zip -print -exec $HOME/jarsearch {} JndiLookup.class \; \| grep '\\\' >> $HOME/scanresults.txt

	***********************
	Helpful Links and Info
	***********************
	General Information
	https://github.com/snyk-labs/awesome-log4shell?cta=html-button-click&loc=page-body&page=log4j-vulnerability-resources

	Apache Log4j Security Vulnerabilities
	https://logging.apache.org/log4j/2.x/security.html

	Log4j 1: How to mitigate the vulnerability in log4j without updating version to 2.15.0
	https://stackoverflow.com/questions/70332054/log4j-1-how-to-mitigate-the-vulnerability-in-log4j-without-updating-version-to

	These are the possible mitigations for this flaw for releases version 1.x:
	• Comment out or remove JMSAppender in the Log4j configuration if it is used
	• Remove the JMSAppender class from the classpath. For example: zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
	• Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.

	https://www.itjungle.com/2021/12/15/critical-log4j-vulnerability-hits-everything-including-the-ibm-i-server/
	Jesse Gorzinski, IBM’s business architect for open source for IBM i and its point man for Java, told IBM i shops to focus on their own Java-based applications and their dependencies– “especially anything that external entities can feed data to.”
	IBM is a big Java shop, and uses the programming language throughout its products. IBM WebSphere and the Tomcat Web server are both Java-based, and are vulnerable to LogJam attacks.

	Log4Shell Part 1: Answering FAQs on the Log4Shell Security Vulnerability
	https://techchannel.com/Trends/12/2021/log4shell-part-1

	Scott Forstie’s SQL Query to find Log4j instances in IFS
	https://gist.github.com/forstie/9662d4c302f5224c66b7a4c409141a2c

	IBM put out this article to help remediate things and they provide a list of applications not impacted.
	https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

	Vulnerability in Apache Log4j affects WebSphere Application Server
	https://www.ibm.com/support/pages/node/6525706

	Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
	https://www.ibm.com/support/pages/node/6526172

	As Apache releases new patch, researchers discover new Log4j attack vector
	https://siliconangle.com/2021/12/19/apache-releases-new-patch-researchers-discover-new-log4j-attack-vector/

	12/21/21 -- Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for i
	https://www.ibm.com/support/pages/node/6529238

	12/24/21
	JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
	https://www.opencve.io/cve/CVE-2021-4104

	**Example of how to search for jms in log4j results (replace /QOpenSys/opt with the directory of interest)
	find /QOpenSys/opt -type f -name "[lL][oO][gG]4[jJ]" \|xargs grep -i "[jJ][mM][sS]"

	JMS.Appender Example:
	https://stackoverflow.com/questions/11828232/log4j-jms-appender-example

	12/27/21 -- Security Bulletin: BIND for IBM i is affected by CVE-2021-25219
	https://www.ibm.com/support/pages/node/6536716?myns=ibmi&mynp=OCSWG60&mync=R&cm_sp=ibmi-_-OCSWG60-_-R

	12/30/31
	Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876)
	https://www.ibm.com/support/pages/security-bulletin-ibm-navigator-i-affected-security-vulnerability-cve-2021-38876

	CISA released a log4j scanner
	https://github.com/cisagov/log4j-scanner

	************************************************************************
	1/3/22 -- A compiled list of the vulnerabilities I could find for IBM i
	************************************************************************
	IBM HTTP Server (powered by Apache) for I
	Security Bulletin: Multiple vulnerabilities affect IBM HTTP Server (powered by Apache) for i
	https://www.ibm.com/support/pages/node/6520016?myns=ibmi&mynp=OCSWG60&mync=F&cm_sp=ibmi-_-OCSWG60-_-F

	IBM Navigator for i (Heritage version)
	Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876)
	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-affected-by-security-vulnerability-cve-2021-38876/
	Fix: https://www.ibm.com/support/pages/node/6537250

	IBM i DNS Server implementation uses ISC BIND
	Security Bulletin: BIND for IBM i is affected by CVE-2021-25219
	https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affected-by-cve-2021-25219/
	Fix: https://www.ibm.com/support/pages/node/6536716

	IBM DB2 Web Query
	Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105)
	https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-ibm-db2-web-query-for-i-cve-2021-45105/
	Fix: https://www.ibm.com/support/pages/node/6537454

	-- Original Bulletin:
	Security Bulletin: Multiple Vulnerabilities in Apache Log4j affect IBM Db2 Web Query for I
	https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-ibm-db2-web-query-for-i/

	IBM WebSphere
	Security Bulletin: IBM WebSphere Service Registry and Repository is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)
	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-service-registry-and-repository-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
	Fix: https://www.ibm.com/support/pages/node/6525706

	Power HMC
	Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC
	https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-44228-affects-power-hmc-2/
	Fix: https://www.ibm.com/support/pages/node/6526172

	Rational Developer (RDi)
	Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for I
	https://www.ibm.com/support/pages/node/6525674
	Fix: https://www.ibm.com/support/pages/node/6512830

	1/3/22
	Take the results from the QSH Log4j scan text file and scan for JMS (run from QSH)

	xargs grep -i "[jJ][mM][sS]" < /log4j_results.txt > /log4j_jms_results.txt

	***Explanation of above command
	xargs = utility will execute a specified command (utility) with parameters from stdin
	grep -i = print lines matching a pattern. Ignore case distinctions in both the PATTERN and the input files
	"[jJ][mM][sS]" = the string to scan for
	< /log4j_results.txt = the file and location of where to read from. This reads the .txt in the root directory
	> /log4j_jms_results.txt = outputs the results to a different .txt file

	1/10/22
	Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x)
	https://www.ibm.com/support/pages/node/6539162
	Affected Products:
	IBM Navigator for i (heritage version only)
	Integrated Web Server (IWS)
	Integrated Application Server (IAS)
	IBM i Access Client Solutions

	1/13/22
	IBM i Extended Dynamic Remote SQL server (EDRSQL)
	Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056
	Fix: https://www.ibm.com/support/pages/node/6540294

	1/22/22
	IBM Db2 Web Query for i update
	Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)
	https://www.ibm.com/support/pages/node/6550822?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E

	3/9/22
	OmniFind Text Search Server for DB2 for i
	Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104)
	https://www.ibm.com/support/pages/node/6562237?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E
	Fix: Apply PTFs

	3/30/22
	IBM Db2 Web Query for i - new vulnerability
	Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493)
	https://www.ibm.com/support/pages/node/6567195?myns=ibmi&mynp=OCSWG60&mync=E&cm_sp=ibmi-_-OCSWG60-_-E
	Fix: Update IBM Db2 Web Query for i