• Home
  • Publications
    • Cheryl Watson’s Tuning Letter
    • Current Subscribers
    • Cheryl Watson’s CPU Chart
    • Articles
    • SMF Reference Summary
    • Free Presentations
    • Our Favorite Links
    • IBM Systems Center Books
  • News
  • Software
    • Application Profiler for Z
    • Free Tools
  • Blog / Media
  • About

Log4j Scanning Tool for z/OS

January 19, 2022Cheryl's Listfrank

Hello All,

We’re sure that you have heard about the security exposure in the Log4j Java package?  It has been described as “Could be the most serious security threat ever seen”.  While the media occasionally exaggerate things, this is one that everyone should be aware of – it potentially affects everything from the biggest mainframe system, down to your little Linux server at home.

Hopefully you all run some anti-virus package on your home PCs and you have automatic software update enabled.  But what about your beloved z/OS systems?   The first thing you need to do is determine if the Log4j package is installed on your system, and if so, by which products.  If you follow IBM-MAIN, you should have seen Itschak Mugzach’s post, kindly offering a free copy of their Log4j scanning tool to anyone that requests it.  The tool is part of Ironsphere’s  Inspector, a DISA STIG assessment automation product, however you do not have to have Inspector installed in order to run the program.  The program, QIFUSS99, is a compiled Rexx program that searches all mounted file systems for copies of a Log4j jar file, or other jar files that call Log4j.  Installation is a piece of cake – you upload an XMIT-format file to your z/OS system, run a TSO RECEIVE against it, and then run the program using JCL provided by Itschak.

There is no guarantee that the scanner will find every instance of Log4j in your system.  For example, it only searches mounted file systems, so if you have file systems that are only mounted when needed, it is possible that it will miss them.  It also requires that the submitter has UID=0 authority, which can be a challenge in some sites.  However, it is still a very valuable tool.  We ran it on our little zPDT system and it found a number of instances of Log4j.  Fortunately, our system doesn’t contain anything of interest to anyone, but if I was responsible for a ‘real’ z/OS system, this is certainly something that I would want to be on top of.  You can find information about IBM’s activity to identify and address use of Log4j in IBM products on its An update on the Apache Log4j 2.x vulnerabilities web page.

If you haven’t checked your system for Log4j exposures yet, we highly recommend that you do so immediately.  Even if your system is ‘old’, and you don’t believe that anyone is using Java on it, you should still stay on the safe side and check it.

We want to thank Itschak and Ironsphere for kindly making this program available to the z/OS community.  Let us all hope that this will contribute to us not hearing about any mainframe system being hacked as a result of the Log4j exposure.

Take care and stay safe and healthy.

The Watson & Walker Team

Search this site

Subscribe to our Cheryl’s List blog

listSign up for Cheryl's List

Latest Posts

  • Winter 2023 SHARE Conference Is on Next Week
  • Cheryl Watson’s Tuning Letter 2022 No. 4 Available Now
  • Cheryl Watson’s Tuning Letter 2022 No. 3 Now Available
  • Watson & Walker SHARE Presentations
  • Cheryl Watson’s Tuning Letter 2022 No. 2 Now Available
  • Cheryl Watson’s May 2022 CPU Chart Now Available
  • Cheryl Watson’s Tuning Letter 2022 No. 1 Now Available
  • Winter 2022 SHARE Conference
  • Cheryl Watson’s Tuning Letter 2021 No. 4 Now Available
  • Log4j Scanning Tool for z/OS

1661 Ringling Blvd, PMB 49886
Sarasota, FL 34230
Phone: 941-924-6565
Customer Service: admin@watsonwalker.com
Technical support: technical@watsonwalker.com
listContact Us

Subscribe to our Cheryl’s List blog

Sign up for Cheryl's List

Follow Cheryl Watson

LinkedIn

Copyright 2022 © Watson & Walker, Inc.