What I did on Windows with ISP Client 8.1.12, Webrestore installed and running:
add the last line (-Dlog4j2.formatMsgNoLookups=true) in C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options, so that it looks like this:

--------------8<------------------------------
#Thu Oct 30 15:00:51 PDT 2014
-Dcom.ibm.jsse2.sp800-131=transition
-Dlog4j2.formatMsgNoLookups=true
--------------8<------------------------------

then restart "IBMWebserver"

Regards,
Alex Heindl

From: "Rainer Tammer" <t...@spg.schulergroup.com>
To: ADSM-L@VM.MARIST.EDU
Date: 15.12.2021 08:31
Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>

Hello,

We are also waiting for the fixes.
The problem is quite obvious. The risk is high, and there are currently no official fixes/mitigations.

Changing Java parameters/setting environment variables for log4j >= 2.10 might be tricky.
It could be hard to find all necessary places....

We will try the following fix on OC and on the client.

Sample "fix" for log4j-core-2.13.3.jar included in the client:

zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

NOTE: The application using this library must be restarted completely after the change.
NOTE: This may pose problems in a FIPS environment.
NOTE: The problematic Java archive may be buried inside a .war file; in this case the .war must be refreshed with a changed log4j-core-nnn.jar.

*Any comments?*

Bye
Rainer

On 13.12.2021 12:25, Del Hoobler wrote:
> Please watch this page:
>
> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
>
> IBM is actively working on this.
>
> Del
>
> ----------------------------------------------------
>
> "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021 01:31:46 AM:
>
>> From: "Bommasani, Venu" <venu.bommas...@capgemini.com>
>> To: ADSM-L@VM.MARIST.EDU
>> Date: 12/12/2021 01:32 AM
>> Subject: [EXTERNAL] Any impact on SP client with security vulnerability: CVE-2021-44228
>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>>
>> Hello All,
>>
>> Our security Team reported below file as vulnerability with
>> reference of CVE-2021-44228 on Linux servers.
>>
>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
>>
>> We haven't received any information from IBM yet under a Sev1
>> ticket, but as per Support Team this recent vulnerability
>> CVE-2021-44228 is still being investigated.
>>
>> Does anyone have any idea? Remediation?
>>
>> Since vulnerability CVE-2021-44228 is treated as Critical, we are
>> proceeding with removing file directly from all Linux servers.
>>
>> Best Regards,
>> _____________________________________________
>> Venu Bommasani
>> Storage & Data Protection
>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com
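
Added example, not part of the thread and not IBM or list-member code: a check that the JndiLookup.class removal described in Rainer Tammer's message actually took effect, including for jars buried inside a .war. The function name, the depth limit and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def scan_archive(data, label, max_depth=4):
    """Return a path for every archive that still holds JndiLookup.class.

    data is the raw bytes of a .jar/.war/.ear. Nested archives are opened in
    memory (nothing is extracted to disk) and reported as 'outer!/inner'.
    max_depth bounds the recursion so a crafted archive cannot nest forever.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and max_depth > 0:
                hits += scan_archive(zf.read(name), f"{label}!/{name}", max_depth - 1)
    return hits


def _make_zip(entries):
    """Build a zip in memory from {name: bytes}; used only for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: one unpatched and one patched log4j-core jar inside a .war.
UNPATCHED = _make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
PATCHED = _make_zip({"META-INF/MANIFEST.MF": b""})
SAMPLE_WAR = _make_zip({
    "WEB-INF/lib/log4j-core-2.13.3.jar": UNPATCHED,
    "WEB-INF/lib/patched/log4j-core-2.13.3.jar": PATCHED,
})

if __name__ == "__main__":
    for hit in scan_archive(SAMPLE_WAR, "sample.war"):
        print("JndiLookup.class still present in", hit)
```

To check a real file, pass its bytes and path, for example `scan_archive(open(path, "rb").read(), path)`; an empty result means no copy of the class was found at any nesting level.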