Hi Zoltan,

B/A Client version 8.1.13.2 is available, which includes Log4j 2.17.0.

https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-virtual-environments-cve-2021-45105-cve-2021-45046

Regards, Uwe

> On 17.12.2021 at 17:54, Zoltan Forray <zfor...@vcu.edu> wrote:
> 
> Unfortunately, the 8.1.13.1 update of the Backup-Archive client only
> addresses CVE-2021-44228 (https://www.ibm.com/support/pages/node/6527080)
> and not CVE-2021-45046.  So I guess there is an 8.1.13.2 on the horizon?
> 
>> On Thu, Dec 16, 2021 at 2:52 AM Uwe Schreiber <uwe.h.schrei...@t-online.de> wrote:
>> 
>> Hello,
>> 
>> IBM released workarounds for several ISP components:
>> 
>> IBM Spectrum Protect Client web user interface
>> Affected versions:
>> 8.1.7.0-8.1.13.0 (Linux and Windows)
>> 8.1.9.0-8.1.13.0 (AIX)
>> 
>> 
>> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>> 
>> -------------------
>> 
>> IBM Spectrum Protect for Virtual Environments: DP for VMware
>> Affected versions:
>> 8.1.0.0-8.1.13.0 (and DataMover beginning with version 8.1.9)
>> 7.1.0.0-7.1.8.12
>> 
>> 
>> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>> 
>> -------------------
>> 
>> IBM Spectrum Protect for Virtual Environments: DP for HyperV
>> Affected versions:
>> 8.1.4.0-8.1.13.0 (and DataMover beginning with version 8.1.9)
>> 
>> 
>> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>> 
>> -------------------
>> 
>> IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes
>> IBM Spectrum Protect Plus Container Backup and Restore for OpenShift
>> Affected versions:
>> 10.1.9
>> 
>> 
>> https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E
>> 
>> -------------------
>> 
>> IBM Spectrum Protect Operations Center
>> Affected versions:
>> 8.1.0.000-8.1.13.000
>> 7.1.0.000-7.1.14.000
>> 
>> 
>> https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E
>> 
>> 
>> Regards, Uwe
>> 
>> -----Original Message-----
>> From: ADSM: Dist Stor Manager <ADSM-L@VM.MARIST.EDU> On Behalf Of Rainer
>> Tammer
>> Sent: Thursday, 16 December 2021 08:22
>> To: ADSM-L@VM.MARIST.EDU
>> Subject: Re: [ADSM-L] Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any
>> impact on SP client with security vulnerability: CVE-2021-44228
>> 
>> Hello,
>> Currently this is the safest way to fix that problem (in my opinion):
>> 
>>   zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>> 
>> Log4J v1.x also has a problem:
>> 
>> CVE-2019-17571 and CVE-2017-5645
>> The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.
>> 
>> RHEL/CentOS has a fixed 1.2.17:
>> 
>> log4j-1.2.17-16.el7_4.src.rpm
>> log4j-1.2.17-16.el7_4.noarch.rpm
>> 
>> 
>> Bye
>>   Rainer
>> 
>>> On 15.12.2021 15:01, Zoltan Forray wrote:
>>> It's a moving target.  They just announced a second vulnerability and
>>> have released 2.16.  I would not be surprised if they find more!
>>> 
>>> https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
>>> 
>>> On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <alexander.hei...@generali.com> wrote:
>>> 
>>>> That's correct.
>>>> 
>>>> For me, it's just a workaround until IBM provides a fix for it.
>>>> 
>>>> 8.1.12 and 8.1.13: both use 2.13.3.
>>>> 
>>>> Regards,
>>>> Alex Heindl
>>>> 
>>>> 
>>>> 
>>>> 
>>>> From:    "Rainer Tammer" <t...@spg.schulergroup.com>
>>>> To:      ADSM-L@VM.MARIST.EDU
>>>> Date:    15.12.2021 11:20
>>>> Subject: [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact
>>>> on SP client with security vulnerability: CVE-2021-44228
>>>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>>>> 
>>>> Hello,
>>>> You have to be careful with that. The switch only works if Log4J is
>>>> 2.10 or higher.
>>>> 
>>>> Bye
>>>>    Rainer
>>>> 
>>>> On 15.12.2021 10:29, Alexander Heindl wrote:
>>>>> What I did on Windows with ISP Client 8.1.12, Webrestore installed
>>>>> and running:
>>>>> 
>>>>> Add the last line (-Dlog4j2.formatMsgNoLookups=true) in
>>>>> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options,
>>>>> so that it looks like this:
>>>>> --------------8<------------------------------
>>>>> #Thu Oct 30 15:00:51 PDT 2014
>>>>> -Dcom.ibm.jsse2.sp800-131=transition
>>>>> -Dlog4j2.formatMsgNoLookups=true
>>>>> --------------8<------------------------------
>>>>> 
>>>>> Then restart "IBMWebserver".
>>>>> 
>>>>> Regards,
>>>>> Alex Heindl
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> From:    "Rainer Tammer" <t...@spg.schulergroup.com>
>>>>> To:      ADSM-L@VM.MARIST.EDU
>>>>> Date:    15.12.2021 08:31
>>>>> Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with
>>>>> security vulnerability: CVE-2021-44228
>>>>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>>>>> 
>>>>> Hello,
>>>>> We are also waiting for the fixes. The problem is quite obvious.
>>>>> The risk is high, and there are currently no official
>>>>> fixes/mitigations.
>>>>> 
>>>>> Changing Java parameters/setting environment variables for log4j >=
>>>>> 2.10 might be tricky.
>>>>> It could be hard to find all necessary places...
>>>>> 
>>>>> We will try the following fix on OC and on the client.
>>>>> 
>>>>> Sample "fix" for log4j-core-2.13.3.jar included in the client:
>>>>> 
>>>>>     zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>>> 
>>>>> NOTE: The application using this library must be restarted
>>>>> completely after the change.
>>>>> NOTE: This may pose problems in a FIPS environment.
>>>>> NOTE: The problematic Java archive may be buried inside a .war
>>>>> file; in this case the .war must be refreshed with a changed
>>>>> log4j-core-nnn.jar.
>>>>> 
>>>>> *Any comments?*
>>>>> 
>>>>> Bye
>>>>>     Rainer
>>>>> 
>>>>> On 13.12.2021 12:25, Del Hoobler wrote:
>>>>>> Please watch this page:
>>>>>> 
>>>>>> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
>>>>>> 
>>>>>> IBM is actively working on this.
>>>>>> 
>>>>>> Del
>>>>>> 
>>>>>> ----------------------------------------------------
>>>>>> 
>>>>>> 
>>>>>> "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021
>>>>>> 01:31:46 AM:
>>>>>> 
>>>>>>> From: "Bommasani, Venu"<venu.bommas...@capgemini.com>
>>>>>>> To: ADSM-L@VM.MARIST.EDU
>>>>>>> Date: 12/12/2021 01:32 AM
>>>>>>> Subject: [EXTERNAL] Any impact on SP client with security
>>>>>>> vulnerability: CVE-2021-44228
>>>>>>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
>>>>>>> 
>>>>>>> Hello All,
>>>>>>> 
>>>>>>> Our security team reported the file below as a vulnerability, with
>>>>>>> reference to CVE-2021-44228, on Linux servers.
>>>>>>> 
>>>>>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
>>>>>>> 
>>>>>>> We haven't received any information from IBM yet under a Sev1
>>>>>>> ticket, but as per the support team this recent vulnerability,
>>>>>>> CVE-2021-44228, is still being investigated.
>>>>>>> 
>>>>>>> Does anyone have any idea? Remediation?
>>>>>>> 
>>>>>>> Since vulnerability CVE-2021-44228 is treated as Critical, we are
>>>>>>> proceeding with removing the file directly from all Linux servers.
>>>>>>> 
>>>>>>> Best Regards,
>>>>>>> _____________________________________________
>>>>>>> Venu Bommasani
>>>>>>> Storage & Data Protection
>>> 
>>> --
>>> *Zoltan Forray*
>>> Backup Systems Administrator
>>> VMware Administrator
>>> Virginia Commonwealth University
>>> UCC/Office of Technology Services
>>> www.ucc.vcu.edu
>>> zfor...@vcu.edu  - 804-828-4807
>>> 
>> 
> 
> 
> --
> *Zoltan Forray*
> Backup Systems Administrator
> VMware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> www.ucc.vcu.edu
> zfor...@vcu.edu - 804-828-4807
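Added example, not from the thread or from IBM: a Python inventory check for the two mitigations discussed above. It reads the log4j-core version from the jar name, reports whether JndiLookup.class is still present (the `zip -q -d` workaround), whether `-Dlog4j2.formatMsgNoLookups=true` would be honoured at all (2.10 or later, as Rainer notes), and descends into .war/.ear files where the jar may be buried. The status labels and the `make_archive` helper are my own; archives are built in memory as constructed sample data.

```python
import io
import re
import zipfile

# Entry that the `zip -q -d` workaround in the thread deletes from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def parse_version(name):
    """(major, minor, patch) parsed from a log4j-core jar file name, or None."""
    m = VERSION_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None

def assess_jar(name, data):
    """Report one log4j-core jar held in memory as bytes."""
    version = parse_version(name)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        jndi_present = JNDI_CLASS in zf.namelist()
    if version is not None and version >= (2, 17, 0):
        status = "upgraded"            # 2.17.0 ships in B/A client 8.1.13.2
    elif not jndi_present:
        status = "jndi-class-removed"  # the zip -d workaround was applied
    else:
        status = "vulnerable"
    return {
        "jar": name, "version": version, "jndi_present": jndi_present,
        # -Dlog4j2.formatMsgNoLookups=true is only honoured by 2.10 and later.
        "flag_usable": version is not None and version >= (2, 10, 0),
        "status": status,
    }

def scan_archive(name, data, results=None):
    """Collect log4j-core jars, descending into .war/.ear files that bury them."""
    results = [] if results is None else results
    if VERSION_RE.search(name):
        results.append(assess_jar(name, data))
        return results
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".jar", ".war", ".ear")):
                scan_archive(info.filename, zf.read(info), results)
    return results

def make_archive(entries):
    """Build an in-memory zip from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()
```

Run it against the bytes of a real .war or jar and act on every entry whose status is "vulnerable"; a 1.x jar such as the log4j-1.2.17.jar mentioned in the thread does not match the name pattern and is deliberately left out of this check.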
