Thank you for the update. I saw that and have downloaded the updated client.

On Wed, Jan 5, 2022 at 4:21 PM Uwe Schreiber <uwe.h.schrei...@t-online.de>
wrote:

> Hi Zoltan,
>
> B/A Client Version 8.1.13.2 is available,
> which includes Log4j 2.17.0
>
>
> https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-virtual-environments-cve-2021-45105-cve-2021-45046
>
> Regards, Uwe
>
> > On 17.12.2021 at 17:54, Zoltan Forray <zfor...@vcu.edu> wrote:
> >
> > Unfortunately, the 8.1.13.1 update of the Backup-Archive client only
> > addresses CVE-2021-44228 (https://www.ibm.com/support/pages/node/6527080)
> > and not CVE-2021-45046.  So I guess there is an 8.1.13.2 on the horizon?
> >
> >> On Thu, Dec 16, 2021 at 2:52 AM Uwe Schreiber <uwe.h.schrei...@t-online.de> wrote:
> >>
> >> Hello,
> >>
> >> IBM released workarounds for several ISP components
> >>
> >> IBM Spectrum Protect Client web user interface
> >> Affected versions:
> >> 8.1.7.0-8.1.13.0 (Linux and Windows)
> >> 8.1.9.0-8.1.13.0 (AIX)
> >>
> >> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
> >>
> >> -------------------
> >>
> >> IBM Spectrum Protect for Virtual Environments: DP for VMware
> >> Affected versions:
> >> 8.1.0.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)
> >> 7.1.0.0-7.1.8.12
> >>
> >> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
> >>
> >> -------------------
> >>
> >> IBM Spectrum Protect for Virtual Environments: DP for HyperV
> >> Affected versions:
> >> 8.1.4.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)
> >>
> >> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
> >>
> >> -------------------
> >>
> >> IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes
> >> IBM Spectrum Protect Plus Container Backup and Restore for OpenShift
> >> Affected versions:
> >> 10.1.9
> >>
> >> https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E
> >>
> >> -------------------
> >>
> >> IBM Spectrum Protect Operations Center
> >> Affected versions:
> >> 8.1.0.000-8.1.13.000
> >> 7.1.0.000-7.1.14.000
> >>
> >> https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E
> >>
> >>
> >> Regards, Uwe
> >>
> >> -----Original Message-----
> >> From: ADSM: Dist Stor Manager <ADSM-L@VM.MARIST.EDU> On Behalf Of Rainer Tammer
> >> Sent: Thursday, 16 December 2021 08:22
> >> To: ADSM-L@VM.MARIST.EDU
> >> Subject: Re: [ADSM-L] Reply: Re: [ADSM-L] Reply: Re: [ADSM-L] Any
> >> impact on SP client with security vulnerability: CVE-2021-44228
> >>
> >> Hello,
> >> Currently this is the safest way to fix that problem (in my opinion):
> >>
> >>   zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
> >>
> >> Log4J v1.x also has a problem:
> >>
> >> CVE-2019-17571 and CVE-2017-5645
> >> The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.
> >>
> >> RHEL/CentOS has a fixed 1.2.17:
> >>
> >> log4j-1.2.17-16.el7_4.src.rpm
> >> log4j-1.2.17-16.el7_4.noarch.rpm
> >>
> >>
> >> Bye
> >>   Rainer
> >>
> >>> On 15.12.2021 15:01, Zoltan Forray wrote:
> >>> It's a moving target.  They just announced a second vulnerability and
> >>> have released 2.16.  I would not be surprised if they find more!
> >>>
> >>> https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
> >>>
> >>> On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <
> >>> alexander.hei...@generali.com> wrote:
> >>>
> >>>> that's correct.
> >>>>
> >>>> for me it's just a workaround until IBM provides a fix for it.
> >>>>
> >>>> 8.1.12 and 8.1.13: both use 2.13.3.
> >>>>
> >>>> Regards,
> >>>> Alex Heindl
> >>>>
> >>>> From:    "Rainer Tammer"<t...@spg.schulergroup.com>
> >>>> To:      ADSM-L@VM.MARIST.EDU
> >>>> Date:    15.12.2021 11:20
> >>>> Subject: [EXTERNAL] Re: [ADSM-L] Reply: Re: [ADSM-L] Any impact
> >>>> on SP client with security vulnerability: CVE-2021-44228
> >>>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
> >>>>
> >>>> Hello,
> >>>> You have to be careful with that. The switch only works if Log4J is
> >>>> 2.10 or higher.
> >>>>
> >>>> Bye
> >>>>    Rainer
> >>>>
> >>>> On 15.12.2021 10:29, Alexander Heindl wrote:
> >>>>> What I did on Windows with ISP Client 8.1.12, Webrestore installed and
> >>>>> running:
> >>>>>
> >>>>> add the last line (-Dlog4j2.formatMsgNoLookups=true) in
> >>>>> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options,
> >>>>> so that it looks like this:
> >>>>> --------------8<------------------------------
> >>>>> #Thu Oct 30 15:00:51 PDT 2014
> >>>>> -Dcom.ibm.jsse2.sp800-131=transition
> >>>>> -Dlog4j2.formatMsgNoLookups=true
> >>>>> --------------8<------------------------------
> >>>>>
> >>>>> then restart "IBMWebserver"
> >>>>>
> >>>>> Regards,
> >>>>> Alex Heindl
> >>>>>
> >>>>> From:    "Rainer Tammer"<t...@spg.schulergroup.com>
> >>>>> To:      ADSM-L@VM.MARIST.EDU
> >>>>> Date:    15.12.2021 08:31
> >>>>> Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with
> >>>>> security vulnerability: CVE-2021-44228
> >>>>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
> >>>>>
> >>>>> Hello,
> >>>>> We are also waiting for the fixes. The problem is quite obvious.
> >>>>> The risk is high, and there are currently no official fixes/mitigations.
> >>>>>
> >>>>> Changing Java parameters/setting environment variables for log4j >=
> >>>>> 2.10 might be tricky.
> >>>>> It could be hard to find all necessary places....
> >>>>>
> >>>>> We will try the following fix on OC and on the client.
> >>>>>
> >>>>> Sample "fix" for log4j-core-2.13.3.jar included in the client:
> >>>>>
> >>>>>     zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
> >>>>>
> >>>>> NOTE: The application using this library must be restarted
> >>>>> completely after the change.
> >>>>> NOTE: This may pose problems in a FIPS environment.
> >>>>> NOTE: The problematic Java archive may be buried inside a .war
> >>>>> file, in this case the .war must be refreshed with a changed
> >>>>> log4j-core-nnn.jar.
> >>>>> *Any comments?*
> >>>>>
> >>>>> Bye
> >>>>>     Rainer
> >>>>>
> >>>>> On 13.12.2021 12:25, Del Hoobler wrote:
> >>>>>> Please watch this page:
> >>>>>>
> >>>>>> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
> >>>>>>
> >>>>>> IBM is actively working on this.
> >>>>>>
> >>>>>> Del
> >>>>>>
> >>>>>> ----------------------------------------------------
> >>>>>>
> >>>>>>
> >>>>>> "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021 01:31:46 AM:
> >>>>>>
> >>>>>>> From: "Bommasani, Venu"<venu.bommas...@capgemini.com>
> >>>>>>> To:ADSM-L@VM.MARIST.EDU
> >>>>>>> Date: 12/12/2021 01:32 AM
> >>>>>>> Subject: [EXTERNAL] Any impact on SP client with security
> >>>>>>> vulnerability: CVE-2021-44228
> >>>>>>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
> >>>>>>>
> >>>>>>> Hello All,
> >>>>>>>
> >>>>>>> Our security team reported the file below as a vulnerability with
> >>>>>>> reference to CVE-2021-44228 on Linux servers.
> >>>>>>>
> >>>>>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
> >>>>>>>
> >>>>>>> We haven't received any information from IBM yet under a Sev1
> >>>>>>> ticket, but as per the Support Team this recent vulnerability
> >>>>>>> CVE-2021-44228 is still being investigated.
> >>>>>>>
> >>>>>>> Does anyone have any idea? Remediation?
> >>>>>>>
> >>>>>>> Since vulnerability CVE-2021-44228 is treated as Critical, we are
> >>>>>>> proceeding with removing the file directly from all Linux servers.
> >>>>>>>
> >>>>>>> Best Regards,
> >>>>>>> _____________________________________________
> >>>>>>> Venu Bommasani
> >>>>>>> Storage & Data Protection
> >>>>>>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com
> >>>
> >>> --
> >>> *Zoltan Forray*
> >>> Backup Systems Administrator
> >>> VMware Administrator
> >>> Virginia Commonwealth University
> >>> UCC/Office of Technology Services
> >>> www.ucc.vcu.edu
> >>> zfor...@vcu.edu  - 804-828-4807
> >>> Don't be a phishing victim - VCU and other reputable organizations
> >>> will never use email to request that you reply with your password,
> >>> social security number or confidential personal information. For more
> >>> details visit http://phishing.vcu.edu/
> >>> <https://adminmicro2.questionpro.com>
> >>>
> >>
> >
> >
>


-- 
*Zoltan Forray*
Backup Systems Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://phishing.vcu.edu/
<https://adminmicro2.questionpro.com>
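
Added example, not part of the original thread or of any IBM tooling: a Python audit that ties together the three points raised above, namely whether `JndiLookup.class` is still present in a log4j-core jar, whether the jar is buried inside a `.war`, and whether the version is 2.10 or higher so that the `formatMsgNoLookups` switch applies. The function names are hypothetical, the sample archive is constructed, and identification assumes the jar carries its Maven `pom.properties` entry (repackaged jars may not).

```python
import io
import re
import zipfile

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear")

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def audit_archive(data, label):
    """Return one finding per log4j-core 2.x jar in `data` or nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive (or corrupt): nothing to report
    findings = []
    with zf:
        names = sorted(zf.namelist())
        if POM in names:  # this archive is itself log4j-core 2.x
            m = re.search(r"^version=(\d+)\.(\d+)", zf.read(POM).decode("latin-1"), re.M)
            version = (int(m.group(1)), int(m.group(2))) if m else None
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup_present": JNDI in names,
                # Per the thread, formatMsgNoLookups only works on 2.10 or higher.
                "switch_supported": version is not None and version >= (2, 10),
            })
        for name in names:  # descend into jars buried in .war/.ear files
            if name.lower().endswith(NESTED):
                findings += audit_archive(zf.read(name), f"{label}!/{name}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a .war with an untouched 2.13.3 jar and a stripped 2.9.1 jar.
    war = make_zip({
        "WEB-INF/lib/log4j-core-2.13.3.jar": make_zip({POM: b"version=2.13.3\n", JNDI: b""}),
        "WEB-INF/lib/log4j-core-2.9.1.jar": make_zip({POM: b"version=2.9.1\n"}),
    })
    for finding in audit_archive(war, "sample.war"):
        print(finding)
```

To audit a file on disk, read it in binary mode and pass the bytes with the file path as the label.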
