Unfortunately, the 8.1.13.1 update of the Backup-Archive client only addresses CVE-2021-44228 (https://www.ibm.com/support/pages/node/6527080) and not CVE-2021-45046. So I guess there is an 8.1.13.2 on the horizon?
On Thu, Dec 16, 2021 at 2:52 AM Uwe Schreiber <uwe.h.schrei...@t-online.de> wrote:
> Hello,
>
> IBM released workarounds for several ISP components
>
> IBM Spectrum Protect Client web user interface
> Affected versions:
> 8.1.7.0-8.1.13.0 (Linux and Windows)
> 8.1.9.0-8.1.13.0 (AIX)
>
> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>
> -------------------
>
> IBM Spectrum Protect for Virtual Environments: DP for VMware
> Affected versions:
> 8.1.0.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)
> 7.1.0.0-7.1.8.12
>
> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>
> -------------------
>
> IBM Spectrum Protect for Virtual Environments: DP for HyperV
> Affected versions:
> 8.1.4.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)
>
> https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
>
> -------------------
>
> IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes
> IBM Spectrum Protect Plus Container Backup and Restore for OpenShift
> Affected versions:
> 10.1.9
>
> https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E
>
> -------------------
>
> IBM Spectrum Protect Operations Center
> Affected versions:
> 8.1.0.000-8.1.13.000
> 7.1.0.000-7.1.14.000
>
> https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E
>
> Regards, Uwe
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager <ADSM-L@VM.MARIST.EDU> On Behalf Of Rainer Tammer
> Sent: Thursday, 16 December 2021 08:22
> To: ADSM-L@VM.MARIST.EDU
> Subject: Re: [ADSM-L] Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
>
> Hello,
> Currently this is the safest way to fix that problem (in my opinion):
>
> zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> The Log4J v1.x does also have a problem:
>
> CVE-2019-17571 and CVE-2017-5645
> The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.
>
> RHEL/CentOS has a fixed 1.2.17:
>
> log4j-1.2.17-16.el7_4.src.rpm
> log4j-1.2.17-16.el7_4.noarch.rpm
>
> Bye
> Rainer
>
> On 15.12.2021 15:01, Zoltan Forray wrote:
> > It's a moving target. They just announced a second vulnerability and
> > have released 2.16. I would not be surprised if they find more!
> >
> > https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
> >
> > On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <alexander.hei...@generali.com> wrote:
> >
> >> that's correct.
> >>
> >> for me it's just a workaround until IBM provides a fix for it.
> >>
> >> 8.1.12 and 8.1.13: both use 2.13.3.
> >>
> >> Regards,
> >> Alex Heindl
> >>
> >> From: "Rainer Tammer" <t...@spg.schulergroup.com>
> >> To: ADSM-L@VM.MARIST.EDU
> >> Date: 15.12.2021 11:20
> >> Subject: [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
> >> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
> >>
> >> Hello,
> >> You have to be careful with that. The switch only works if Log4J is 2.10 or higher.
> >>
> >> Bye
> >> Rainer
> >>
> >> On 15.12.2021 10:29, Alexander Heindl wrote:
> >>> What I did on Windows with ISP Client 8.1.12, Webrestore installed and running:
> >>>
> >>> add the last line (-Dlog4j2.formatMsgNoLookups=true) in
> >>> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options,
> >>> so that it looks like this:
> >>> --------------8<------------------------------
> >>> #Thu Oct 30 15:00:51 PDT 2014
> >>> -Dcom.ibm.jsse2.sp800-131=transition
> >>> -Dlog4j2.formatMsgNoLookups=true
> >>> --------------8<------------------------------
> >>>
> >>> then restart "IBMWebserver"
> >>>
> >>> Regards,
> >>> Alex Heindl
> >>>
> >>> From: "Rainer Tammer" <t...@spg.schulergroup.com>
> >>> To: ADSM-L@VM.MARIST.EDU
> >>> Date: 15.12.2021 08:31
> >>> Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
> >>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
> >>>
> >>> Hello,
> >>> We are also waiting for the fixes. The problem is quite obvious.
> >>> The risk is high, and there are currently no official fixes/mitigations.
> >>>
> >>> Changing Java parameters/setting environment variables for log4j >= 2.10 might be tricky.
> >>> It could be hard to find all necessary places....
> >>>
> >>> We will try the following fix on OC and on the client.
> >>>
> >>> Sample "fix" for log4j-core-2.13.3.jar included in the client:
> >>>
> >>> zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
> >>>
> >>> NOTE: The application using this library must be restarted completely after the change.
> >>> NOTE: This may pose problems in a FIPS environment.
> >>> NOTE: The problematic Java archive may be buried inside a .war file; in this case the .war must be refreshed with a changed log4j-core-nnn.jar.
> >>>
> >>> *Any comments?*
> >>>
> >>> Bye
> >>> Rainer
> >>>
> >>> On 13.12.2021 12:25, Del Hoobler wrote:
> >>>> Please watch this page:
> >>>>
> >>>> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
> >>>>
> >>>> IBM is actively working on this.
> >>>>
> >>>> Del
> >>>>
> >>>> ----------------------------------------------------
> >>>>
> >>>> "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> wrote on 12/12/2021 01:31:46 AM:
> >>>>
> >>>>> From: "Bommasani, Venu" <venu.bommas...@capgemini.com>
> >>>>> To: ADSM-L@VM.MARIST.EDU
> >>>>> Date: 12/12/2021 01:32 AM
> >>>>> Subject: [EXTERNAL] Any impact on SP client with security vulnerability: CVE-2021-44228
> >>>>> Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>
> >>>>>
> >>>>> Hello All,
> >>>>>
> >>>>> Our security team reported the file below as a vulnerability with reference to CVE-2021-44228 on Linux servers.
> >>>>>
> >>>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
> >>>>>
> >>>>> We haven't received any information from IBM yet under a Sev1 ticket, but as per the Support Team this recent vulnerability CVE-2021-44228 is still being investigated.
> >>>>>
> >>>>> Does anyone have any idea? Remediation?
> >>>>>
> >>>>> Since vulnerability CVE-2021-44228 is treated as Critical, we are proceeding with removing the file directly from all Linux servers.
> >>>>>
> >>>>> Best Regards,
> >>>>> _____________________________________________
> >>>>> Venu Bommasani
> >>>>> Storage & Data Protection
> >>>>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com
> >>>>> This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

--
*Zoltan Forray*
Backup Systems Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://phishing.vcu.edu/
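Added example, not part of the thread and not code from IBM or any of the posters: a small inventory-and-mitigation script for the two checks the thread keeps returning to, which log4j-core version a client install bundles (Alex Heindl: 8.1.12 and 8.1.13 ship 2.13.3) and whether `JndiLookup.class` is still in the jar after Rainer Tammer's `zip -q -d` step. It uses only the Python standard library so it works on hosts where `zip` is not installed, and it reproduces the effect of `zip -d` by rewriting the archive without that entry. Assumptions: the jar carries Maven's `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` (falling back to a `log4j-core-<version>.jar` file name), and 2.16.0 is the threshold because that is the release the thread cites as current on 16 December 2021; raise `FIXED_VERSION` as later releases supersede it. The directory tree and jars built in `run_demo()` are constructed stand-ins, not real Log4j; jars inside `.war` files and the 1.x jar from Venu's report are out of scope for this scanner, as the thread itself notes they need separate handling.

```python
"""Inventory log4j-core jars under a directory tree and apply the JndiLookup
removal discussed in the thread (the effect of `zip -q -d <jar> .../JndiLookup.class`)
using only the standard library."""
import re
import tempfile
import zipfile
from pathlib import Path

# Entry whose presence makes the JNDI lookup path of CVE-2021-44228 / CVE-2021-45046 reachable.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; the version read from here beats the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Threshold assumed from the thread (2.16.0 was current on 2021-12-16); raise as releases move on.
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """'2.13.3' -> (2, 13, 3); a missing patch level counts as 0, unparsable text as (0, 0, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x) if x else 0 for x in m.groups()) if m else (0, 0, 0)


def inspect_jar(jar_path):
    """Return (version string, JndiLookup present?) for one jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:  # fall back to the file name, e.g. log4j-core-2.13.3.jar
            m = re.search(r"log4j-core-([\w.\-]+)\.jar$", Path(jar_path).name)
            version = m.group(1) if m else "unknown"
        return version, JNDI_CLASS in names


def assess(jar_path):
    """One finding per jar: flagged when it is older than FIXED_VERSION and still ships the class."""
    version, has_jndi = inspect_jar(jar_path)
    return {
        "jar": str(jar_path),
        "version": version,
        "jndi_lookup_present": has_jndi,
        "needs_mitigation": has_jndi and parse_version(version) < FIXED_VERSION,
    }


def scan_tree(root):
    """Assess every log4j-core-*.jar below root (jars buried in .war files are not opened)."""
    return [assess(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))]


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same result as `zip -q -d`).
    Returns True if the entry was removed, False if it was not there.
    The application using the jar must be restarted afterwards, as the thread notes."""
    src = Path(jar_path)
    tmp = src.with_name(src.name + ".tmp")
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(tmp, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))  # keeps per-entry metadata
    if removed:
        tmp.replace(src)
    else:
        tmp.unlink()
    return removed


def make_sample_jar(path, version):
    """Constructed stand-in for a log4j-core jar (not the real library): only the entries
    the scanner looks at, with dummy bytes where the class files would be."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build a constructed tree shaped like a client install, scan it, mitigate the flagged
    jar and rescan. Returns (findings before, findings after, removal results)."""
    root = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    client = root / "opt" / "tivoli" / "tsm" / "client" / "ba" / "bin"  # path from the thread
    client.mkdir(parents=True)
    make_sample_jar(client / "log4j-core-2.13.3.jar", "2.13.3")  # version named for 8.1.12/8.1.13
    make_sample_jar(client / "log4j-core-2.16.0.jar", "2.16.0")  # at threshold: reported, not flagged
    before = scan_tree(root)
    removed = [remove_jndi_lookup(r["jar"]) for r in before if r["needs_mitigation"]]
    after = scan_tree(root)
    return before, after, removed


if __name__ == "__main__":
    before, after, removed = run_demo()
    for finding in before + after:
        print(finding)
```

Point `scan_tree()` at a real install root to get the inventory; the findings list is what you would feed into a ticket or a config-management run, and `remove_jndi_lookup()` is idempotent, so rerunning it on an already-patched jar reports `False` and leaves the file untouched.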