Hello,
We are also waiting for the fixes. The problem is quite obvious.
The risk is high, and there are currently no official fixes/mitigations.
Changing Java parameters/setting environment variables for log4j >= 2.10
might be tricky.
It could be hard to find all necessary places....
We will try the following fix on OC and on the client.
Sample "fix" for log4j-core-2.13.3.jar included in the client:
zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
NOTE: The application using this library must be restarted completely
after the change.
NOTE: This may pose problems in a FIPS environment.
NOTE: The problematic Java archive may be buried inside a .war file;
in this case the .war must be refreshed with a changed log4j-core-nnn.jar.
*Any comments?*
Bye
Rainer
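As an added example (not from this thread, and not IBM's or Apache's code), a Python scanner for the situation described above: it walks a directory tree, reports every archive that still carries JndiLookup.class, descends into jars nested in .war/.ear files, and strips the class from a top-level jar the way `zip -d` does. The jar, war and log4j 1.x fixture files it builds are constructed samples, not real product files.

```python
import io
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def _scan_bytes(data, label, findings):
    """Recurse into one archive held in memory and record every archive carrying JndiLookup.class."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            findings.append(label)
        for name in names:  # e.g. WEB-INF/lib/log4j-core-2.13.3.jar nested inside app.war
            if name.lower().endswith(ARCHIVE_EXT):
                _scan_bytes(zf.read(name), label + "!" + name, findings)

def find_jndi_lookup(root):
    """Walk a directory tree; return 'outer!inner' labels of archives that still contain the class."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            _scan_bytes(p.read_bytes(), str(p), findings)
    return findings

def remove_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class (what `zip -d` does); True if it was present."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    Path(jar_path).write_bytes(buf.getvalue())
    return True

def build_fixture(root):
    """Constructed sample tree: a log4j-core jar, the same jar buried in a .war, and a log4j 1.x jar."""
    core = Path(root) / "log4j-core-2.13.3.jar"
    with zipfile.ZipFile(core, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    with zipfile.ZipFile(core.with_name("app.war"), "w") as w:
        w.write(core, "WEB-INF/lib/log4j-core-2.13.3.jar")
    with zipfile.ZipFile(core.with_name("log4j-1.2.17.jar"), "w") as z:
        z.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # log4j 1.x has no JndiLookup
```

The nested hit is reported but not removed: as the note above says, a jar inside a .war has to be fixed and the .war rebuilt, and the application restarted afterwards.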
On 13.12.2021 12:25, Del Hoobler wrote:
Please watch this page:
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
IBM is actively working on this.
Del
----------------------------------------------------
"ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021 01:31:46 AM:
From: "Bommasani, Venu" <venu.bommas...@capgemini.com>
To: ADSM-L@VM.MARIST.EDU
Date: 12/12/2021 01:32 AM
Subject: [EXTERNAL] Any impact on SP client with security
vulnerability: CVE-2021-44228
Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
Hello All,
Our security Team reported the file below as a vulnerability with
reference to CVE-2021-44228 on Linux servers.
/opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
We haven't received any information from IBM yet under a Sev1
ticket, but as per the Support Team this recent vulnerability
CVE-2021-44228 is still being investigated.
Does anyone have any idea? Remediation?
Since vulnerability CVE-2021-44228 is treated as Critical, we are
proceeding with removing the file directly from all Linux servers.
Best Regards,
_____________________________________________
Venu Bommasani
Storage & Data Protection