That's correct. For me it's just a workaround until IBM provides a fix for it.
8.1.12 and 8.1.13: both use 2.13.3.

Regards,
Alex Heindl

From: "Rainer Tammer" <t...@spg.schulergroup.com>
To: ADSM-L@VM.MARIST.EDU
Date: 15.12.2021 11:20
Subject: [EXTERNAL] Re: [ADSM-L] Reply: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>

Hello,
You have to be careful with that.
The switch only works if Log4J is 2.10 or higher.

Bye
Rainer

On 15.12.2021 10:29, Alexander Heindl wrote:
> What I did on Windows with ISP Client 8.1.12, Webrestore installed and
> running:
>
> add the last line (-Dlog4j2.formatMsgNoLookups=true) in
> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options, so
> that it looks like this:
> --------------8<------------------------------
> #Thu Oct 30 15:00:51 PDT 2014
> -Dcom.ibm.jsse2.sp800-131=transition
> -Dlog4j2.formatMsgNoLookups=true
> --------------8<------------------------------
>
> then restart "IBMWebserver"
>
> Regards,
> Alex Heindl
>
> From: "Rainer Tammer" <t...@spg.schulergroup.com>
> To: ADSM-L@VM.MARIST.EDU
> Date: 15.12.2021 08:31
> Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with
> security vulnerability: CVE-2021-44228
> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>
> Hello,
> We are also waiting for the fixes. The problem is quite obvious.
> The risk is high, and there are currently no official fixes/mitigations.
>
> Changing Java parameters/setting environment variables for log4j >= 2.10
> might be tricky.
> It could be hard to find all necessary places....
>
> We will try the following fix on OC and on the client.
>
> Sample "fix" for log4j-core-2.13.3.jar included in the client:
>
> zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> NOTE: The application using this library must be restarted completely
> after the change.
> NOTE: This may pose problems in a FIPS environment.
> NOTE: The problematic Java archive may be buried inside a .war file;
> in this case the .war must be refreshed with a changed log4j-core-nnn.jar.
>
> *Any comments?*
>
> Bye
> Rainer
>
> On 13.12.2021 12:25, Del Hoobler wrote:
>> Please watch this page:
>>
>> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
>>
>> IBM is actively working on this.
>>
>> Del
>>
>> ----------------------------------------------------
>>
>> "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021
>> 01:31:46 AM:
>>
>>> From: "Bommasani, Venu" <venu.bommas...@capgemini.com>
>>> To: ADSM-L@VM.MARIST.EDU
>>> Date: 12/12/2021 01:32 AM
>>> Subject: [EXTERNAL] Any impact on SP client with security
>>> vulnerability: CVE-2021-44228
>>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>>>
>>> Hello All,
>>>
>>> Our security team reported the file below as a vulnerability with
>>> reference to CVE-2021-44228 on Linux servers.
>>>
>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
>>>
>>> We haven't received any information from IBM yet under a Sev1
>>> ticket, but as per the Support Team this recent vulnerability
>>> CVE-2021-44228 is still being investigated.
>>>
>>> Does anyone have any idea? Remediation?
>>>
>>> Since vulnerability CVE-2021-44228 is treated as Critical, we are
>>> proceeding with removing the file directly from all Linux servers.
>>>
>>> Best Regards,
>>> _____________________________________________
>>> Venu Bommasani
>>> Storage & Data Protection
>>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com
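
The thread raises three things to verify on each host: whether the log4j-core version is 2.10 or higher (so the formatMsgNoLookups switch applies), whether JndiLookup.class is still in the jar, and whether a copy is buried inside a .war. The following is an added example, not code from any poster in the thread or from IBM; the function names are hypothetical, the version is read from the `log4j-core-<version>.jar` file name (an assumption), and the sample archives are constructed in memory.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(data, label, findings=None):
    """Scan archive bytes, descending into nested archives; return findings."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable zip: skip it
    with zf:
        names = zf.namelist()
        m = JAR_NAME.search(label)
        if m or JNDI_CLASS in names:  # also catches renamed or bundled copies
            version = tuple(int(g or 0) for g in m.groups()) if m else None
            findings.append({
                "path": label,
                "version": version,  # assumption: taken from the file name only
                "jndi_lookup_present": JNDI_CLASS in names,
                # the thread notes the switch needs Log4J 2.10 or higher
                "switch_applies": bool(version) and version >= (2, 10, 0),
            })
        for name in names:
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings

def make_zip(entries):  # builds constructed sample archives for demo()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    jar = make_zip({JNDI_CLASS: b"stub"})  # unmodified jar (constructed)
    lib = "WEB-INF/lib/log4j-core-"
    war = make_zip({lib + "2.13.3.jar": jar, lib + "2.8.2.jar": jar})
    stripped = make_zip({"META-INF/MANIFEST.MF": b""})  # after the zip -d step
    return scan_archive(war, "app.war") + scan_archive(stripped, "log4j-core-2.13.3.jar")

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To check a real installation, read each .jar or .war file found under the install directory as bytes and pass it to `scan_archive` with its path as the label.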