So one place where this shows up is in the CICS filesystem. There is also a log4j.properties file in the same location. Would it be sufficient to place the below property in this location (or where your CICS is pointing if used)? If so, would it be used as shown, without the dash at the beginning or without the (dash)D? The other properties in this file all have the format "log4j.whatever-property".

Thanks,
Rex

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of David Crayford
Sent: Saturday, December 11, 2021 8:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: New Java vulnerability

On 12/12/21 6:37 am, Attila Fogarasi wrote:
> not so difficult on z/OS (and there is log4j usage on z/OS but unclear
> that RCE can do much harm on a properly secured z/OS system -- this
> will vary by what application is using the log4j library).

Fingers crossed! The truth is almost no mainframe network (worth its salt) is visible to the outside world. But that doesn't stop the public servers being compromised. A quick fix if you are unable to update to the patched version is to use the following Java property:

-Dlog4j2.formatMsgNoLookups=True

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
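
Added example (not part of the original thread, and not IBM or Apache code): a small checker that audits a JVM options file for the property quoted above and reports the forms a JVM will not accept as a system property, including a typographic dash picked up when the option is copied from mail or a web archive. The file layout (whitespace-separated options, `#` comments) and the sample text are assumptions made for the illustration.

```python
import re

PROP = "log4j2.formatMsgNoLookups"
# Characters that look like "-" in mail and web pages but are not ASCII
# hyphen-minus (U+002D), which is the only option prefix the JVM recognises.
LOOKALIKE_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2212"
TOKEN = re.compile(r"^(?P<prefix>.*?)" + re.escape(PROP) + r"(?:=(?P<value>.*))?$")

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# JVM options (constructed sample)
-Xms128M
\u2010Dlog4j2.formatMsgNoLookups=True
log4j2.formatMsgNoLookups=true
-Dlog4j2.formatMsgNoLookups=True
"""

def classify(token):
    """Classify one whitespace-delimited token; None if PROP is not in it."""
    m = TOKEN.match(token)
    if m is None:
        return None
    prefix, value = m.group("prefix"), m.group("value")
    if prefix == "":
        return "missing -D prefix"       # properties-file form, not a JVM option
    if len(prefix) == 2 and prefix[0] in LOOKALIKE_DASHES and prefix[1] == "D":
        return "non-ASCII dash U+%04X" % ord(prefix[0])
    if prefix != "-D":
        return "unrecognised prefix %r" % prefix
    if value is None or value.lower() != "true":
        return "value is not true"       # Log4j compares the value case-insensitively
    return "ok"

def audit(options_text):
    """Return [(line_number, token, verdict)] for every mention of PROP."""
    findings = []
    for lineno, line in enumerate(options_text.splitlines(), 1):
        line = line.split("#", 1)[0]     # assumption: '#' starts a comment
        for token in line.split():
            verdict = classify(token)
            if verdict is not None:
                findings.append((lineno, token, verdict))
    return findings

def mitigated(options_text):
    """True if at least one token sets PROP to true in a form the JVM accepts."""
    return any(verdict == "ok" for _, _, verdict in audit(options_text))

if __name__ == "__main__":
    for lineno, token, verdict in audit(SAMPLE):
        print("line %d: %s -> %s" % (lineno, token, verdict))
```

The bare `name=value` form flagged here as "missing -D prefix" is the form Log4j 2 reads from a `log4j2.component.properties` file on the classpath; in a list of JVM options it does not set a system property.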