Unfortunately, the 8.1.13.1 update of the Backup-Archive client only
addresses CVE-2021-44228 (https://www.ibm.com/support/pages/node/6527080)
and not CVE-2021-45046.  So I guess there is an 8.1.13.2 on the horizon?

On Thu, Dec 16, 2021 at 2:52 AM Uwe Schreiber <uwe.h.schrei...@t-online.de>
wrote:

> Hello,
>
> IBM release Workarounds for several ISP components
>
> IBM Spectrum Protect Client web user interface
> Affected versions:
> 8.1.7.0-8.1.13.0 (Linux and Windows)
> 8.1.9.0-8.1.13.0 (AIX)
>
>
> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>
> -------------------
>
> IBM Spectrum Protetct for Virtual Environments: DP for VMware
> Affected versions:
> 8.1.0.0-8.1.13.0 (and DataMover beginnen version 8.1.9 and above)
> 7.1.0.0-7.1.8.12
>
>
> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>
> -------------------
>
> IBM Spectrum Protetct for Virtual Environments: DP for HyperV
> Affected versions:
> 8.1.4.0-8.1.13.0 (and DataMover beginnen version 8.1.9 and above)
>
>
> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>
> -------------------
>
> IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes
> IBM Spectrum Protect Plus Container Backup and Restore for OpenShift
> Affected versions:
> 10.1.9
>
>
> https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E
>
> -------------------
>
> IBM Spectrum Protect Operations Center
> Affected versions:
> 8.1.0.000-8.1.13.000
> 7.1.0.000-7.1.14.000
>
>
> https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E
>
>
> Regards, Uwe
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager <ADSM-L@VM.MARIST.EDU> On Behalf Of Rainer
> Tammer
> Sent: Donnerstag, 16. Dezember 2021 08:22
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any
> impact on SP client with security vulnerability: CVE-2021-44228
>
> Hello,
> Currently this is the safest way to fix that problem (in my opinion):
>
>    zip -q -d log4j-core-2.nn.n.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> The Log4J v1.x does also have a problem:
>
> CVE-2019-17571 and CVE-2017-5645
> The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.
>
> RHEL/CentOS has a fixed 1.2.17:
>
> log4j-1.2.17-16.el7_4.src.rpm
> log4j-1.2.17-16.el7_4.noarch.rpm
>
>
> Bye
>    Rainer
>
> On 15.12.2021 15:01, Zoltan Forray wrote:
> > It's a moving target.  They just announced a second vulnerability and
> > have released 2.16.  I would not be surprised they find more!
> >
> > https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-
> > log4j-2-16-0-released/
> >
> > On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <
> > alexander.hei...@generali.com> wrote:
> >
> >> that's correct.
> >>
> >> for me it's just a workaround until IBM provides a fix for it.
> >>
> >> 8.1.12 and 8.1.13: both use 2.13.3.
> >>
> >> Regards,
> >> Alex Heindl
> >>
> >>
> >>
> >>
> >> Von:    "Rainer Tammer"<t...@spg.schulergroup.com>
> >> An:ADSM-L@VM.MARIST.EDU
> >> Datum:  15.12.2021 11:20
> >> Betreff:        [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact
> >> on SP client with security vulnerability: CVE-2021-44228
> >> Gesendet von:   "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> Hello,
> >> You have to be careful with that. The switch does only work if Log4J
> >> is
> >> 2.10 or higher.
> >>
> >> Bye
> >>     Rainer
> >>
> >> On 15.12.2021 10:29, Alexander Heindl wrote:
> >>> What I did on Windows with ISP Client 8.1.12, Webrestore installed
> >>> and
> >>> running:
> >>>
> >>> add the last line (-Dlog4j2.formatMsgNoLookups=true) in
> >>> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options,
> >>> so that it looks like this:
> >>> --------------8<------------------------------
> >>> #Thu Oct 30 15:00:51 PDT 2014
> >>> -Dcom.ibm.jsse2.sp800-131=transition
> >>> -Dlog4j2.formatMsgNoLookups=true
> >>> --------------8<------------------------------
> >>>
> >>> then restart "IBMWebserver"
> >>>
> >>> Regards,
> >>> Alex Heindl
> >>>
> >>>
> >>>
> >>>
> >>> Von:    "Rainer Tammer"<t...@spg.schulergroup.com>
> >>> An:ADSM-L@VM.MARIST.EDU
> >>> Datum:  15.12.2021 08:31
> >>> Betreff:        [EXTERNAL] Re: [ADSM-L] Any impact on SP client with
> >>> security vulnerability: CVE-2021-44228
> >>> Gesendet von:   "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Hello,
> >>> We are also waiting for the fixes. The problem is quite obvious.
> >>> The risk is high, and there are currently no official
> fixes/mitigations.
> >>>
> >>> Changing Java parameters/setting environment variables for log4j >=
> >>> 2.10 might be tricky.
> >>> It could be hard to find all necessary places....
> >>>
> >>> We will try the following fix on OC and on the client.
> >>>
> >>> Sample "fix" for log4j-core-2.13.3.gar included in the client:
> >>>
> >>>      zip -q -d log4j-core-2.13.3.jar
> >>> org/apache/logging/log4j/core/lookup/JndiLookup.class
> >>>
> >>> NOTE: The application using this library must be restarted
> >>> completely after the change.
> >>> NOTE: This may pose problems in a FIPS environment.
> >>> NOTE: The problematic Java archive may be inside buried in a .war
> >>> file, in this case the .war must be refreshed with a changed
> >> log4j-core-nnn.jar.
> >>> *Anny comments?*
> >>>
> >>> Bye
> >>>      Rainer
> >>>
> >>> On 13.12.2021 12:25, Del Hoobler wrote:
> >>>> Please watch this page:
> >>>>
> >>>>
> >> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-202
> >> 1-44228-vulnerability/
> >>
> >>>> IBM is actively working on a this.
> >>>>
> >>>> Del
> >>>>
> >>>> ----------------------------------------------------
> >>>>
> >>>>
> >>>> "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>    wrote on
> 12/12/2021
> >>>> 01:31:46 AM:
> >>>>
> >>>>> From: "Bommasani, Venu"<venu.bommas...@capgemini.com>
> >>>>> To:ADSM-L@VM.MARIST.EDU
> >>>>> Date: 12/12/2021 01:32 AM
> >>>>> Subject: [EXTERNAL] Any impact on SP client with security
> >>>>> vulnerability: CVE-2021-44228
> >>>>> Sent by: "ADSM: Dist Stor Manager"<ADSM-L@VM.MARIST.EDU>
> >>>>>
> >>>>> Hello All,
> >>>>>
> >>>>> Our security Team reported below file as vulnerability with
> >>>>> reference of CVE-2021-44228 on Linux servers.
> >>>>>
> >>>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17
> >>>>> .jar
> >>>>>
> >>>>> We haven't received any information from IBM yet under a Sev1
> >>>>> ticket, But as per Support Team this recent vulnerability
> >>>>> CVE-2021-44228 is still being investigated.
> >>>>>
> >>>>> Does any one has any idea ? remediation ?
> >>>>>
> >>>>> Since vulnerability CVE-2021-44228  treated as Critical, We are
> >>>>> proceeding with removing file directly from all Linux servers.
> >>>>>
> >>>>> Best Regards,
> >>>>> _____________________________________________
> >>>>> Venu Bommasani
> >>>>> Storage & Data Protection
> >>>>> Mobile: +91 7795213309 /venu.bommas...@capgemini.com<
> >>> mailto:venu.bommas...@capgemini.com>
> >>>>> This message contains information that may be privileged or
> >>>>> confidential and is the property of the Capgemini Group. It is
> >>>>> intended only for the person to whom it is addressed. If you are
> >>>>> not the intended recipient, you are not authorized to read, print,
> >>>>> retain, copy, disseminate, distribute, or use this message or any
> >>>>> part thereof. If you receive this message in error, please notify
> >>>>> the sender immediately and delete all copies of this message.
> >
> > --
> > *Zoltan Forray*
> > Backup Systems Administrator
> > VMware Administrator
> > Virginia Commonwealth University
> > UCC/Office of Technology Services
> > www.ucc.vcu.edu
> > zfor...@vcu.edu  - 804-828-4807
> > Don't be a phishing victim - VCU and other reputable organizations
> > will never use email to request that you reply with your password,
> > social security number or confidential personal information. For more
> > details visithttp://phishing.vcu.edu/
> > <https://adminmicro2.questionpro.com>
> >
>


--
*Zoltan Forray*
Backup Systems Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://phishing.vcu.edu/
<https://adminmicro2.questionpro.com>

Reply via email to