ISN 2023-10: Log4j 1.x in IBM i Access Client
First published 19 June 2023
CVSS 3.1: 8.1 (High)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability has been discovered in the IBM i Access Client contained in IGEL OS. This affects the following IGEL products:
- IGEL OS 11
Details
IBM i Access Client is a terminal emulator for accessing IBM i (iSeries) hosts. Version 1.1.8.6 and earlier, which shipped with IGEL OS 11, bundle the obsolete and unmaintained 1.x branch of the Log4j logging framework. This Log4j version could allow a remote attacker to execute arbitrary code on the system; the vulnerability is rated high (CVE-2021-4104). However, exploiting it requires write access to the Log4j configuration – which an attacker usually does not have on IGEL OS.
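The two conditions named above (a Log4j 1.x library present, and a Log4j configuration that non-owners can modify) can be audited on an image with a small script. The following is an added example, not IGEL's or IBM's code; the install directory and the sample tree it builds are constructed for demonstration.

```python
"""Audit a directory tree for Log4j 1.x jars and Log4j configs writable by non-owners."""
import stat
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.x classes live under org/apache/log4j/; 2.x uses org/apache/logging/log4j/.
# Caveat: the 2.x compatibility bridge (log4j-1.2-api) also ships the 1.x package,
# so confirm a hit against the jar name or manifest before acting on it.
LOG4J1_PREFIX = "org/apache/log4j/"
CONFIG_NAMES = {"log4j.properties", "log4j.xml"}


def is_log4j1_jar(jar: Path) -> bool:
    """True if the jar contains classes from the Log4j 1.x package."""
    try:
        with zipfile.ZipFile(jar) as zf:
            return any(n.startswith(LOG4J1_PREFIX) and n.endswith(".class") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def writable_by_others(path: Path) -> bool:
    """True if group or world may write the file (the precondition for CVE-2021-4104)."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(root: Path) -> dict:
    """Walk root and collect Log4j 1.x jars and writable Log4j configuration files."""
    findings = {"log4j1_jars": [], "writable_configs": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix == ".jar" and is_log4j1_jar(p):
            findings["log4j1_jars"].append(str(p))
        elif p.name in CONFIG_NAMES and writable_by_others(p):
            findings["writable_configs"].append(str(p))
    return findings


def demo() -> dict:
    """Constructed sample tree (not a real install): one 1.x jar, one 2.x jar, one lax config."""
    root = Path(tempfile.mkdtemp()) / "ibm_i_access"  # hypothetical install path
    root.mkdir()
    with zipfile.ZipFile(root / "log4j-1.2.17.jar", "w") as zf:
        zf.writestr(LOG4J1_PREFIX + "Logger.class", b"")
    with zipfile.ZipFile(root / "log4j-core-2.17.1.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    cfg = root / "log4j.properties"
    cfg.write_text("log4j.rootLogger=INFO, stdout\n")
    cfg.chmod(0o666)  # world-writable: the condition the advisory warns about
    return audit(root)
```

Run `audit()` against the real installation directory to check an image; a hit in `log4j1_jars` with an empty `writable_configs` matches the advisory's "usually not the case" assessment.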
Mitigation
Many customers will not need the IBM i Access Client, so they can remove it completely in Setup > System > Firmware Customization > Features.
Update Instructions
- OS 11: IGEL is preparing an IGEL OS version with an updated IBM i Access Client.
References
- Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x): https://www.ibm.com/support/pages/security-bulletin-ibm-i-components-are-affected-cve-2021-4104-log4j-version-1x