It's a moving target. They just announced a second vulnerability and have released 2.16. I would not be surprised if they find more!
https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <alexander.hei...@generali.com> wrote:

> That's correct.
>
> For me it's just a workaround until IBM provides a fix for it.
>
> 8.1.12 and 8.1.13: both use 2.13.3.
>
> Regards,
> Alex Heindl
>
> From: "Rainer Tammer" <t...@spg.schulergroup.com>
> To: ADSM-L@VM.MARIST.EDU
> Date: 15.12.2021 11:20
> Subject: [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>
> Hello,
> You have to be careful with that. The switch only works if Log4J is 2.10 or higher.
>
> Bye
> Rainer
>
> On 15.12.2021 10:29, Alexander Heindl wrote:
> > What I did on Windows with ISP Client 8.1.12, Webrestore installed and running:
> >
> > add the last line (-Dlog4j2.formatMsgNoLookups=true) in
> > C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options, so that it looks like this:
> > --------------8<------------------------------
> > #Thu Oct 30 15:00:51 PDT 2014
> > -Dcom.ibm.jsse2.sp800-131=transition
> > -Dlog4j2.formatMsgNoLookups=true
> > --------------8<------------------------------
> >
> > then restart "IBMWebserver"
> >
> > Regards,
> > Alex Heindl
> >
> > From: "Rainer Tammer" <t...@spg.schulergroup.com>
> > To: ADSM-L@VM.MARIST.EDU
> > Date: 15.12.2021 08:31
> > Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
> > Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
> >
> > Hello,
> > We are also waiting for the fixes. The problem is quite obvious.
> > The risk is high, and there are currently no official fixes/mitigations.
> >
> > Changing Java parameters/setting environment variables for log4j >= 2.10 might be tricky.
> > It could be hard to find all necessary places....
> >
> > We will try the following fix on OC and on the client.
> >
> > Sample "fix" for log4j-core-2.13.3.jar included in the client:
> >
> > zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
> >
> > NOTE: The application using this library must be restarted completely after the change.
> > NOTE: This may pose problems in a FIPS environment.
> > NOTE: The problematic Java archive may be buried inside a .war file; in this case the .war must be refreshed with a changed log4j-core-nnn.jar.
> >
> > *Any comments?*
> >
> > Bye
> > Rainer
> >
> > On 13.12.2021 12:25, Del Hoobler wrote:
> >> Please watch this page:
> >>
> >> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
> >>
> >> IBM is actively working on this.
> >>
> >> Del
> >>
> >> ----------------------------------------------------
> >>
> >> "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021 01:31:46 AM:
> >>
> >>> From: "Bommasani, Venu" <venu.bommas...@capgemini.com>
> >>> To: ADSM-L@VM.MARIST.EDU
> >>> Date: 12/12/2021 01:32 AM
> >>> Subject: [EXTERNAL] Any impact on SP client with security vulnerability: CVE-2021-44228
> >>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
> >>>
> >>> Hello All,
> >>>
> >>> Our security team reported the file below as a vulnerability with reference to CVE-2021-44228 on Linux servers.
> >>>
> >>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
> >>>
> >>> We haven't received any information from IBM yet under a Sev1 ticket, but as per the Support Team this recent vulnerability CVE-2021-44228 is still being investigated.
> >>>
> >>> Does anyone have any idea? Remediation?
> >>>
> >>> Since vulnerability CVE-2021-44228 is treated as Critical, we are proceeding with removing the file directly from all Linux servers.
> >>>
> >>> Best Regards,
> >>> _____________________________________________
> >>> Venu Bommasani
> >>> Storage & Data Protection
> >>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com

-- 
Zoltan Forray
Backup Systems Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zfor...@vcu.edu - 804-828-4807
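The two workarounds discussed in the thread (the formatMsgNoLookups switch, which Rainer notes only helps on log4j 2.10 and later, and deleting JndiLookup.class from the jar, including jars buried in a .war) as a defender's inventory check, an added example that is not code from the thread, from IBM or from Apache: it walks an archive and any nested jars, reads the log4j-core version from its Maven descriptor, says which workaround applies, and rewrites a jar without the class the way the `zip -d` command does. The class path and pom.properties path are the real ones inside log4j-core; the sample archives and the placeholder class bytes are constructed here for the test and stand in for a real jar.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear")  # archive types that may carry a log4j-core jar inside


def scan_archive(data, path, findings):
    """Append (path, log4j-core version or None, JndiLookup.class present?) per log4j-core found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container at all; nothing to inspect
    with zf:
        names, version = zf.namelist(), None
        if POM_PROPS in names:  # Maven descriptor shipped inside log4j-core carries "version=..."
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), None)
        if version or JNDI_CLASS in names:
            findings.append((path, version, JNDI_CLASS in names))
        for name in names:  # descend into jars nested in wars/ears, as the thread warns about
            if name.lower().endswith(NESTED):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)
    return findings


def mitigation_advice(version, has_jndi_lookup):
    """Which of the thread's workarounds applies; formatMsgNoLookups needs log4j 2.10 or later."""
    if not has_jndi_lookup:
        return "JndiLookup.class absent: the CVE-2021-44228 lookup path is not present in this archive"
    v = tuple(int(x) for x in (version or "").split("-")[0].split(".") if x.isdigit())
    if v >= (2, 16):
        return "2.16 or later: message lookups removed upstream, keep the upgrade"
    if v >= (2, 10):
        return "2.10-2.15: -Dlog4j2.formatMsgNoLookups=true works as a workaround until the fix ships"
    return "below 2.10 or version unknown: formatMsgNoLookups is ineffective, remove JndiLookup.class and restart"


def strip_jndi_lookup(data):
    """Rewrite the jar without JndiLookup.class, the same effect as `zip -q -d <jar> <class>`."""
    src, out = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO()
    with src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample(entries):
    """Constructed test archive from {entry name: bytes}; stands in for a real jar or war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

A log4j 1.x jar such as the log4j-1.2.17.jar reported at the start of the thread has neither the log4j-core descriptor nor JndiLookup.class, so the scanner reports nothing for it.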