Hello,

IBM released workarounds for several ISP components:

IBM Spectrum Protect Client web user interface
Affected versions: 8.1.7.0-8.1.13.0 (Linux and Windows), 8.1.9.0-8.1.13.0 (AIX)
https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
-------------------
IBM Spectrum Protect for Virtual Environments: DP for VMware
Affected versions: 8.1.0.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above), 7.1.0.0-7.1.8.12
https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
-------------------
IBM Spectrum Protect for Virtual Environments: DP for Hyper-V
Affected versions: 8.1.4.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)
https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
-------------------
IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes
IBM Spectrum Protect Plus Container Backup and Restore for OpenShift
Affected versions: 10.1.9
https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E
-------------------
IBM Spectrum Protect Operations Center
Affected versions: 8.1.0.000-8.1.13.000, 7.1.0.000-7.1.14.000
https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E

Regards,
Uwe

-----Original Message-----
From: ADSM: Dist Stor Manager <ADSM-L@VM.MARIST.EDU> On Behalf Of Rainer Tammer
Sent: Thursday, 16 December 2021 08:22
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

Hello,
Currently this is the safest way to fix that problem (in my opinion):

zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The Log4J v1.x does also have a problem: CVE-2019-17571 and CVE-2017-5645
The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.

RHEL/CentOS has a fixed 1.2.17:
log4j-1.2.17-16.el7_4.src.rpm
log4j-1.2.17-16.el7_4.noarch.rpm

Bye
Rainer

On 15.12.2021 15:01, Zoltan Forray wrote:
> It's a moving target. They just announced a second vulnerability and
> have released 2.16. I would not be surprised they find more!
>
> https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
>
> On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <alexander.hei...@generali.com> wrote:
>
>> that's correct.
>>
>> for me it's just a workaround until IBM provides a fix for it.
>>
>> 8.1.12 and 8.1.13: both use 2.13.3.
>>
>> Regards,
>> Alex Heindl
>>
>> From: "Rainer Tammer" <t...@spg.schulergroup.com>
>> To: ADSM-L@VM.MARIST.EDU
>> Date: 15.12.2021 11:20
>> Subject: [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>>
>> Hello,
>> You have to be careful with that. The switch only works if Log4J
>> is 2.10 or higher.
>>
>> Bye
>> Rainer
>>
>> On 15.12.2021 10:29, Alexander Heindl wrote:
>>> What I did on Windows with ISP Client 8.1.12, Webrestore installed
>>> and running:
>>>
>>> add the last line (-Dlog4j2.formatMsgNoLookups=true) in
>>> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options,
>>> so that it looks like this:
>>> --------------8<------------------------------
>>> #Thu Oct 30 15:00:51 PDT 2014
>>> -Dcom.ibm.jsse2.sp800-131=transition
>>> -Dlog4j2.formatMsgNoLookups=true
>>> --------------8<------------------------------
>>>
>>> then restart "IBMWebserver"
>>>
>>> Regards,
>>> Alex Heindl
>>>
>>> From: "Rainer Tammer" <t...@spg.schulergroup.com>
>>> To: ADSM-L@VM.MARIST.EDU
>>> Date: 15.12.2021 08:31
>>> Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
>>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>>>
>>> Hello,
>>> We are also waiting for the fixes. The problem is quite obvious.
>>> The risk is high, and there are currently no official fixes/mitigations.
>>>
>>> Changing Java parameters/setting environment variables for log4j >= 2.10 might be tricky.
>>> It could be hard to find all necessary places....
>>>
>>> We will try the following fix on OC and on the client.
>>>
>>> Sample "fix" for log4j-core-2.13.3.jar included in the client:
>>>
>>> zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>
>>> NOTE: The application using this library must be restarted completely after the change.
>>> NOTE: This may pose problems in a FIPS environment.
>>> NOTE: The problematic Java archive may be buried inside a .war file; in this case the .war must be refreshed with a changed log4j-core-nnn.jar.
>>>
>>> *Any comments?*
>>>
>>> Bye
>>> Rainer
>>>
>>> On 13.12.2021 12:25, Del Hoobler wrote:
>>>> Please watch this page:
>>>>
>>>> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
>>>>
>>>> IBM is actively working on this.
>>>>
>>>> Del
>>>>
>>>> ----------------------------------------------------
>>>>
>>>> "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021 01:31:46 AM:
>>>>
>>>>> From: "Bommasani, Venu" <venu.bommas...@capgemini.com>
>>>>> To: ADSM-L@VM.MARIST.EDU
>>>>> Date: 12/12/2021 01:32 AM
>>>>> Subject: [EXTERNAL] Any impact on SP client with security vulnerability: CVE-2021-44228
>>>>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
>>>>>
>>>>> Hello All,
>>>>>
>>>>> Our security team reported the file below as a vulnerability with
>>>>> reference to CVE-2021-44228 on Linux servers.
>>>>>
>>>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
>>>>>
>>>>> We haven't received any information from IBM yet under a Sev1
>>>>> ticket, but as per the Support Team this recent vulnerability
>>>>> CVE-2021-44228 is still being investigated.
>>>>>
>>>>> Does anyone have any idea? Remediation?
>>>>>
>>>>> Since vulnerability CVE-2021-44228 is treated as Critical, we are
>>>>> proceeding with removing the file directly from all Linux servers.
>>>>>
>>>>> Best Regards,
>>>>> Venu Bommasani
>>>>> Storage & Data Protection
>>>>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com
>
> --
> *Zoltan Forray*
> Backup Systems Administrator
> VMware Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> www.ucc.vcu.edu
> zfor...@vcu.edu - 804-828-4807
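Added example, not from the thread or from IBM: a small stdlib-only Python checker for the situations discussed above. It finds log4j-core jars, including ones buried inside a .war, reports whether JndiLookup.class is still present and whether the -Dlog4j2.formatMsgNoLookups=true switch would even apply (only log4j 2.10 and later honour it), flags 1.x jars like the log4j-1.2.17.jar Venu found (a different set of CVEs), and rewrites a jar without JndiLookup.class the way `zip -q -d` does. The scan takes an in-memory {path: bytes} map; the directory layout and jar contents in demo() are constructed sample data, and on a real host you would fill the map from os.walk over the client install directory.

```python
import io, re, zipfile

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VER_RE = re.compile(r"log4j-(?:core-)?(\d+)\.(\d+)\.(\d+)\.jar$")

def assess(name, data):
    """Classify one jar; version read from its file name (e.g. log4j-core-2.13.3.jar)."""
    m = VER_RE.search(name)
    if not m:
        return None
    ver = tuple(int(x) for x in m.groups())
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_jndi = JNDI in zf.namelist()
    if ver[0] == 1:  # 1.x is not CVE-2021-44228; the thread points at CVE-2019-17571 / CVE-2017-5645
        return dict(jar=name, version=ver, status="log4j-1.x", flag_works=False)
    status = "VULNERABLE CVE-2021-44228" if has_jndi else "mitigated (class removed)"
    # -Dlog4j2.formatMsgNoLookups=true is honoured only by log4j 2.10 and later
    return dict(jar=name, version=ver, status=status, flag_works=ver >= (2, 10, 0))

def scan(archives):
    """archives: {path: bytes} for .jar/.war/.ear files; jars buried inside them are checked too."""
    found = []
    for path, data in sorted(archives.items()):
        found += [r for r in [assess(path, data)] if r]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for n in zf.namelist():
                if n.endswith(".jar"):
                    found += [r for r in [assess(path + "!/" + n, zf.read(n))] if r]
    return found

def strip_jndi_lookup(data):
    """Rewrite a jar without JndiLookup.class (what `zip -q -d` does); a nested jar goes back into its .war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI:
                dst.writestr(info, src.read(info.filename))
    return buf.getvalue()

def make_zip(entries):
    """Constructed sample archive from {entry: bytes}; dummy bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()

def demo():
    """Constructed tree: plugin jar 2.13.3, a 2.9.1 jar buried in a .war, the 1.2.17 jar from the thread."""
    core = {JNDI: b"\xca\xfe", "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe"}
    return scan({"plugins/log4j-core-2.13.3.jar": make_zip(core),
                 "webserver/app.war": make_zip({"WEB-INF/lib/log4j-core-2.9.1.jar": make_zip(core)}),
                 "plugins/vcloudsuite/sdk/log4j-1.2.17.jar": make_zip({"org/apache/log4j/Logger.class": b"\xca\xfe"})})
```

As Rainer notes, the process using the jar must be fully restarted after the class is removed, and a jar rewritten out of a .war has to be repacked into it.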