Log4j Scanning Tool for z/OS

Hello All,

We’re sure that you have heard about the security exposure in the Log4j Java package?  It has been described as “Could be the most serious security threat ever seen”.  While the media occasionally exaggerate things, this is one that everyone should be aware of – it potentially affects everything from the biggest mainframe system, down to your little Linux server at home.

Hopefully you all run some anti-virus package on your home PCs and you have automatic software update enabled.  But what about your beloved z/OS systems?   The first thing you need to do is determine if the Log4j package is installed on your system, and if so, by which products.  If you follow IBM-MAIN, you should have seen Itschak Mugzach’s post, kindly offering a free copy of their Log4j scanning tool to anyone that requests it.  The tool is part of Ironsphere’s  Inspector, a DISA STIG assessment automation product, however you do not have to have Inspector installed in order to run the program.  The program, QIFUSS99, is a compiled Rexx program that searches all mounted file systems for copies of a Log4j jar file, or other jar files that call Log4j.  Installation is a piece of cake – you upload an XMIT-format file to your z/OS system, run a TSO RECEIVE against it, and then run the program using JCL provided by Itschak.

There is no guarantee that the scanner will find every instance of Log4j in your system.  For example, it only searches mounted file systems, so if you have file systems that are only mounted when needed, it is possible that it will miss them.  It also requires that the submitter has UID=0 authority, which can be a challenge in some sites.  However, it is still a very valuable tool.  We ran it on our little zPDT system and it found a number of instances of Log4j.  Fortunately, our system doesn’t contain anything of interest to anyone, but if I was responsible for a ‘real’ z/OS system, this is certainly something that I would want to be on top of.  You can find information about IBM’s activity to identify and address use of Log4j in IBM products on its An update on the Apache Log4j 2.x vulnerabilities web page.

If you haven’t checked your system for Log4j exposures yet, we highly recommend that you do so immediately.  Even if your system is ‘old’, and you don’t believe that anyone is using Java on it, you should still stay on the safe side and check it.

We want to thank Itschak and Ironsphere for kindly making this program available to the z/OS community.  Let us all hope that this will contribute to us not hearing about any mainframe system being hacked as a result of the Log4j exposure.

Take care and stay safe and healthy.

The Watson & Walker Team