Hello,

IBM released workarounds for several ISP components

IBM Spectrum Protect Client web user interface
Affected versions:
8.1.7.0-8.1.13.0 (Linux and Windows)
8.1.9.0-8.1.13.0 (AIX)

https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E

-------------------

IBM Spectrum Protect for Virtual Environments: DP for VMware
Affected versions:
8.1.0.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)
7.1.0.0-7.1.8.12

https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E

-------------------

IBM Spectrum Protect for Virtual Environments: DP for HyperV
Affected versions:
8.1.4.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)

https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E

-------------------

IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes
IBM Spectrum Protect Plus Container Backup and Restore for OpenShift
Affected versions:
10.1.9

https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E

-------------------

IBM Spectrum Protect Operations Center
Affected versions:
8.1.0.000-8.1.13.000
7.1.0.000-7.1.14.000

https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E


Regards, Uwe

-----Original Message-----
From: ADSM: Dist Stor Manager <ADSM-L@VM.MARIST.EDU> On Behalf Of Rainer Tammer
Sent: Thursday, 16 December 2021 08:22
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

Hello,
Currently this is the safest way to fix that problem (in my opinion):

   zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The Log4J v1.x does also have a problem:

CVE-2019-17571 and CVE-2017-5645
The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.

RHEL/CentOS has a fixed 1.2.17:

log4j-1.2.17-16.el7_4.src.rpm
log4j-1.2.17-16.el7_4.noarch.rpm


Bye
   Rainer

On 15.12.2021 15:01, Zoltan Forray wrote:
> It's a moving target.  They just announced a second vulnerability and 
> have released 2.16.  I would not be surprised they find more!
>
> https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
>
> On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <alexander.hei...@generali.com> wrote:
>
>> that's correct.
>>
>> for me it's just a workaround until IBM provides a fix for it.
>>
>> 8.1.12 and 8.1.13: both use 2.13.3.
>>
>> Regards,
>> Alex Heindl
>>
>>
>>
>>
>> From:    "Rainer Tammer"<t...@spg.schulergroup.com>
>> To:      ADSM-L@VM.MARIST.EDU
>> Date:    15.12.2021 11:20
>> Subject: [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
>>
>> Hello,
>> You have to be careful with that. The switch does only work if Log4J 
>> is
>> 2.10 or higher.
>>
>> Bye
>>     Rainer
>>
>> On 15.12.2021 10:29, Alexander Heindl wrote:
>>> What I did on Windows with ISP Client 8.1.12, Webrestore installed 
>>> and
>>> running:
>>>
>>> add the last line (-Dlog4j2.formatMsgNoLookups=true) in 
>>> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options, 
>>> so that it looks like this:
>>> --------------8<------------------------------
>>> #Thu Oct 30 15:00:51 PDT 2014
>>> -Dcom.ibm.jsse2.sp800-131=transition
>>> -Dlog4j2.formatMsgNoLookups=true
>>> --------------8<------------------------------
>>>
>>> then restart "IBMWebserver"
>>>
>>> Regards,
>>> Alex Heindl
>>>
>>>
>>>
>>>
>>> From:    "Rainer Tammer"<t...@spg.schulergroup.com>
>>> To:      ADSM-L@VM.MARIST.EDU
>>> Date:    15.12.2021 08:31
>>> Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
>>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
>>>
>>> Hello,
>>> We are also waiting for the fixes. The problem is quite obvious.
>>> The risk is high, and there are currently no official fixes/mitigations.
>>>
>>> Changing Java parameters/setting environment variables for log4j >= 
>>> 2.10 might be tricky.
>>> It could be hard to find all necessary places....
>>>
>>> We will try the following fix on OC and on the client.
>>>
>>> Sample "fix" for log4j-core-2.13.3.jar included in the client:
>>>
>>>      zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>
>>> NOTE: The application using this library must be restarted 
>>> completely after the change.
>>> NOTE: This may pose problems in a FIPS environment.
>>> NOTE: The problematic Java archive may be buried inside a .war
>>> file; in this case the .war must be refreshed with a changed
>>> log4j-core-nnn.jar.
>>> *Any comments?*
>>>
>>> Bye
>>>      Rainer
>>>
>>> On 13.12.2021 12:25, Del Hoobler wrote:
>>>> Please watch this page:
>>>>
>>>> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
>>>>
>>>> IBM is actively working on this.
>>>>
>>>> Del
>>>>
>>>> ----------------------------------------------------
>>>>
>>>>
>>>> "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>    wrote on 12/12/2021
>>>> 01:31:46 AM:
>>>>
>>>>> From: "Bommasani, Venu"<venu.bommas...@capgemini.com>
>>>>> To:ADSM-L@VM.MARIST.EDU
>>>>> Date: 12/12/2021 01:32 AM
>>>>> Subject: [EXTERNAL] Any impact on SP client with security
>>>>> vulnerability: CVE-2021-44228
>>>>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
>>>>>
>>>>> Hello All,
>>>>>
>>>>> Our security Team reported below file as vulnerability with 
>>>>> reference of CVE-2021-44228 on Linux servers.
>>>>>
>>>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
>>>>>
>>>>> We haven't received any information from IBM yet under a Sev1 
>>>>> ticket, But as per Support Team this recent vulnerability
>>>>> CVE-2021-44228 is still being investigated.
>>>>>
>>>>> Does anyone have any idea? Remediation?
>>>>>
>>>>> Since vulnerability CVE-2021-44228 is treated as Critical, we are
>>>>> proceeding with removing the file directly from all Linux servers.
>>>>>
>>>>> Best Regards,
>>>>> _____________________________________________
>>>>> Venu Bommasani
>>>>> Storage & Data Protection
>>>>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com
>>>>> This message contains information that may be privileged or 
>>>>> confidential and is the property of the Capgemini Group. It is 
>>>>> intended only for the person to whom it is addressed. If you are 
>>>>> not the intended recipient, you are not authorized to read, print, 
>>>>> retain, copy, disseminate, distribute, or use this message or any 
>>>>> part thereof. If you receive this message in error, please notify 
>>>>> the sender immediately and delete all copies of this message.
>
> --
> *Zoltan Forray*
> Backup Systems Administrator
> VMware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> www.ucc.vcu.edu
> zfor...@vcu.edu  - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations 
> will never use email to request that you reply with your password, 
> social security number or confidential personal information. For more 
> details visit http://phishing.vcu.edu/
>
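
The three points made in the quoted thread (strip JndiLookup.class from log4j-core with `zip -q -d`, the `-Dlog4j2.formatMsgNoLookups=true` switch being honoured only by log4j 2.10 and later, and the jar possibly being buried inside a .war) as one added Python example. This is not code from the thread, from IBM or from the log4j project. It scans an archive recursively for log4j-core jars, reports whether JndiLookup.class is present and whether the switch applies to that version, and produces a stripped copy equivalent to the `zip -q -d` command. The jar and .war contents are constructed sample data with placeholder class bytes, not real IBM files; reading the version from the file name is an assumption that holds for the jar names quoted in the thread, and a 1.x jar such as `log4j-1.2.17.jar` is deliberately not matched, since the workaround targets log4j-core 2.x.

```python
import io
import re
import zipfile

# Class entry whose removal is the thread's workaround (zip -q -d <jar> <entry>).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the version is readable from the file name, as in the jars quoted in the thread.
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(path):
    """Version tuple for a log4j-core 2.x jar name; None for anything else (e.g. log4j-1.2.17.jar)."""
    m = VERSION_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def entry_names(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_bytes):
    return JNDI_CLASS in entry_names(jar_bytes)


def strip_jndi_lookup(jar_bytes):
    """Copy of the jar without JndiLookup.class: the in-memory equivalent of
    `zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def find_log4j_core(name, data, prefix=""):
    """Yield (path, bytes) for each log4j-core jar in `data`, descending into nested
    archives so that a jar buried in a .war is found; nested levels are joined with '!'."""
    path = prefix + name
    if parse_version(name):
        yield path, data
        return
    if not (name.endswith(NESTED) and zipfile.is_zipfile(io.BytesIO(data))):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.endswith(NESTED):
                yield from find_log4j_core(entry, zf.read(entry), path + "!")


def assess(path, data):
    """Summarise one jar: version, whether the class is present, and whether the
    -Dlog4j2.formatMsgNoLookups=true switch is honoured (2.10 and later only, per the thread)."""
    version = parse_version(path)
    present = has_jndi_lookup(data)
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": present,
        "format_msg_no_lookups_honoured": version is not None and version >= (2, 10, 0),
        "action": ("remove JndiLookup.class or upgrade, then restart the application"
                   if present else "JndiLookup.class absent"),
    }


def _build_jar(with_jndi=True):
    """Constructed stand-in for log4j-core-2.13.3.jar (placeholder class bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


SAMPLE_JAR = _build_jar()
_war = io.BytesIO()
with zipfile.ZipFile(_war, "w") as zf:  # constructed .war carrying the jar under WEB-INF/lib
    zf.writestr("WEB-INF/web.xml", "<web-app/>")
    zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", SAMPLE_JAR)
SAMPLE_WAR = _war.getvalue()

if __name__ == "__main__":
    for path, data in find_log4j_core("veProfile.war", SAMPLE_WAR):
        print(assess(path, data))
        print("after strip, JndiLookup present:", has_jndi_lookup(strip_jndi_lookup(data)))
```

On a real system the same functions would be fed the bytes of each archive found under the client, OC or web-server installation directories; the `!`-joined path tells you which .war has to be repackaged with the stripped jar, and the application still has to be restarted completely afterwards, as the thread notes.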
