Hello,
Currently this is the safest way to fix that problem (in my opinion):

  zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The Log4J v1.x does also have a problem:

CVE-2019-17571 and CVE-2017-5645
The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.

RHEL/CentOS has a fixed 1.2.17:

log4j-1.2.17-16.el7_4.src.rpm
log4j-1.2.17-16.el7_4.noarch.rpm


Bye
  Rainer
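
An added check that is not part of the original thread: it inventories log4j-core jars under a directory tree (including jars buried inside a .war or .ear, as noted further down), reports whether each still contains JndiLookup.class, and says whether the -Dlog4j2.formatMsgNoLookups=true switch would apply at all (the thread's point that it only works on 2.10 or higher). The jars it scans are constructed in a temp directory with arbitrary version numbers; the class entry is just a marker, not real bytecode.

```python
import io, os, re, tempfile, zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def core_version(name):  # (major, minor, patch) from a log4j-core jar name, else None
    m = VERSION_RE.search(os.path.basename(name))
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_core_jar(name, data, location):  # describe one log4j-core jar from its bytes
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        present = JNDI_CLASS in jar.namelist()
    return {"location": location, "version": core_version(name), "jndi_lookup_present": present}

def scan_tree(root):  # plain log4j-core jars plus jars buried inside .war/.ear archives
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if core_version(fname):
                with open(full, "rb") as fh:
                    findings.append(inspect_core_jar(fname, fh.read(), full))
            elif fname.endswith((".war", ".ear")):
                with zipfile.ZipFile(full) as outer:
                    for entry in outer.namelist():
                        if core_version(entry):
                            findings.append(inspect_core_jar(entry, outer.read(entry), full + "!" + entry))
    return sorted(findings, key=lambda f: f["location"])

def verdict(f):  # status per the thread's advice: the switch only works on 2.10 or higher
    if not f["jndi_lookup_present"]:
        return "JndiLookup.class removed (restart the application completely)"
    if f["version"] and f["version"] >= (2, 10, 0):
        return "class present; -Dlog4j2.formatMsgNoLookups=true applies (>= 2.10)"
    return "class present; formatMsgNoLookups does NOT apply, remove the class or upgrade"

def fake_jar(target, with_jndi):  # constructed sample jar; the class body is only a marker
    with zipfile.ZipFile(target, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def run_demo():  # build a constructed sample tree in a temp dir, scan it, return verdicts
    root = tempfile.mkdtemp()
    for sub, with_jndi in (("a", True), ("b", False)):  # b/ is the jar after zip -d
        os.makedirs(os.path.join(root, sub))
        fake_jar(os.path.join(root, sub, "log4j-core-2.13.3.jar"), with_jndi)
    inner = io.BytesIO()
    fake_jar(inner, True)
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as war:  # jar buried in a .war
        war.writestr("WEB-INF/lib/log4j-core-2.8.2.jar", inner.getvalue())
    return [(f["location"][len(root) + 1:], f["version"], verdict(f)) for f in scan_tree(root)]
```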

On 15.12.2021 15:01, Zoltan Forray wrote:
It's a moving target.  They just announced a second vulnerability and have
released 2.16.  I would not be surprised they find more!

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <
alexander.hei...@generali.com> wrote:

that's correct.

for me it's just a workaround until IBM provides a fix for it.

8.1.12 and 8.1.13: both use 2.13.3.

Regards,
Alex Heindl




From:    "Rainer Tammer" <t...@spg.schulergroup.com>
To:      ADSM-L@VM.MARIST.EDU
Date:    15.12.2021 11:20
Subject: [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact
on SP client with security vulnerability: CVE-2021-44228
Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>

Hello,
You have to be careful with that. The switch does only work if Log4J is
2.10 or higher.

Bye
    Rainer

On 15.12.2021 10:29, Alexander Heindl wrote:
What I did on Windows with ISP Client 8.1.12, Webrestore installed and
running:

add the last line (-Dlog4j2.formatMsgNoLookups=true) in
C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options, so
that it looks like this:
--------------8<------------------------------
#Thu Oct 30 15:00:51 PDT 2014
-Dcom.ibm.jsse2.sp800-131=transition
-Dlog4j2.formatMsgNoLookups=true
--------------8<------------------------------

then restart "IBMWebserver"

Regards,
Alex Heindl




From:    "Rainer Tammer" <t...@spg.schulergroup.com>
To:      ADSM-L@VM.MARIST.EDU
Date:    15.12.2021 08:31
Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with
security vulnerability: CVE-2021-44228
Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>

Hello,
We are also waiting for the fixes. The problem is quite obvious.
The risk is high, and there are currently no official fixes/mitigations.

Changing Java parameters/setting environment variables for log4j >= 2.10
might be tricky.
It could be hard to find all necessary places....

We will try the following fix on OC and on the client.

Sample "fix" for log4j-core-2.13.3.jar included in the client:

     zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

NOTE: The application using this library must be restarted completely
after the change.
NOTE: This may pose problems in a FIPS environment.
NOTE: The problematic Java archive may be buried inside a .war file;
in this case the .war must be refreshed with a changed
log4j-core-nnn.jar.
*Any comments?*

Bye
     Rainer

On 13.12.2021 12:25, Del Hoobler wrote:
Please watch this page:


https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

IBM is actively working on this.

Del

----------------------------------------------------


"ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>    wrote on 12/12/2021
01:31:46 AM:

From: "Bommasani, Venu"<venu.bommas...@capgemini.com>
To:ADSM-L@VM.MARIST.EDU
Date: 12/12/2021 01:32 AM
Subject: [EXTERNAL] Any impact on SP client with security
vulnerability: CVE-2021-44228
Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>

Hello All,

Our security Team reported below file as vulnerability with
reference of CVE-2021-44228 on Linux servers.

/opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar

We haven't received any information from IBM yet under a Sev1
ticket, But as per Support Team this recent vulnerability
CVE-2021-44228 is still being investigated.

Does anyone have any idea? Remediation?

Since vulnerability CVE-2021-44228 is treated as Critical, we are
proceeding with removing the file directly from all Linux servers.

Best Regards,
_____________________________________________
Venu Bommasani
Storage & Data Protection
Mobile: +91 7795213309 / venu.bommas...@capgemini.com

--
*Zoltan Forray*
Backup Systems Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zfor...@vcu.edu  - 804-828-4807