Re: Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

2022-01-06 Thread Zoltan Forray
Thank you for the update. I saw that and have downloaded the updated client.

On Wed, Jan 5, 2022 at 4:21 PM Uwe Schreiber wrote:

> Hi Zoltan,
>
> B/A Client Version 8.1.13.2 is available,
> which includes Log4j 2.17.0
>
>
> https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-virtual-environments-cve-2021-45105-cve-2021-45046
>
> Regards, Uwe

Re: Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

2022-01-05 Thread Uwe Schreiber
Hi Zoltan,

B/A Client Version 8.1.13.2 is available,
which includes Log4j 2.17.0

https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-virtual-environments-cve-2021-45105-cve-2021-45046

Regards, Uwe

> On 17.12.2021 at 17:54, Zoltan Forray wrote:
> 
> Unfortunately, the 8.1.13.1 update of the Backup-Archive client only
> addresses CVE-2021-44228 (https://www.ibm.com/support/pages/node/6527080)
> and not CVE-2021-45046.  So I guess there is an 8.1.13.2 on the horizon?

Re: Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

2021-12-17 Thread Zoltan Forray
Unfortunately, the 8.1.13.1 update of the Backup-Archive client only
addresses CVE-2021-44228 (https://www.ibm.com/support/pages/node/6527080)
and not CVE-2021-45046.  So I guess there is an 8.1.13.2 on the horizon?


Re: Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

2021-12-15 Thread Uwe Schreiber
Hello,

IBM released workarounds for several ISP components:

IBM Spectrum Protect Client web user interface
Affected versions:
8.1.7.0-8.1.13.0 (Linux and Windows)
8.1.9.0-8.1.13.0 (AIX)  

https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E

---

IBM Spectrum Protect for Virtual Environments: DP for VMware
Affected versions:
8.1.0.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)
7.1.0.0-7.1.8.12

https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E

---

IBM Spectrum Protect for Virtual Environments: DP for HyperV
Affected versions:
8.1.4.0-8.1.13.0 (and DataMover beginning with version 8.1.9 and above)

https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E

---

IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes
IBM Spectrum Protect Plus Container Backup and Restore for OpenShift
Affected versions:
10.1.9

https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E

---

IBM Spectrum Protect Operations Center
Affected versions:
8.1.0.000-8.1.13.000
7.1.0.000-7.1.14.000

https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E


Regards, Uwe

-----Original Message-----
From: ADSM: Dist Stor Manager On Behalf Of Rainer Tammer
Sent: Thursday, 16 December 2021 08:22
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

Hello,
Currently this is the safest way to fix that problem (in my opinion):

  zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The Log4J v1.x does also have a problem:

CVE-2019-17571 and CVE-2017-5645
The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.

RHEL/CentOS has a fixed 1.2.17:

log4j-1.2.17-16.el7_4.src.rpm
log4j-1.2.17-16.el7_4.noarch.rpm


Bye
  Rainer


Re: Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

2021-12-15 Thread Rainer Tammer

Hello,
Currently this is the safest way to fix that problem (in my opinion):

  zip -q -d log4j-core-2.nn.n.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


The Log4J v1.x does also have a problem:

CVE-2019-17571 and CVE-2017-5645
The CVE-2019-17571 issue is also fixed by the fix for CVE-2017-5645.

RHEL/CentOS has a fixed 1.2.17:

log4j-1.2.17-16.el7_4.src.rpm
log4j-1.2.17-16.el7_4.noarch.rpm


Bye
  Rainer

On 15.12.2021 15:01, Zoltan Forray wrote:
> It's a moving target. They just announced a second vulnerability and have
> released 2.16. I would not be surprised they find more!
>
> https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/


Re: Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

2021-12-15 Thread Zoltan Forray
It's a moving target.  They just announced a second vulnerability and have
released 2.16.  I would not be surprised they find more!

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

On Wed, Dec 15, 2021 at 5:28 AM Alexander Heindl <alexander.hei...@generali.com> wrote:

> that's correct.
>
> for me it's just a workaround until IBM provides a fix for it.
>
> 8.1.12 and 8.1.13: both use 2.13.3.
>
> Regards,
> Alex Heindl

--
*Zoltan Forray*
Backup Systems Administrator
VMware Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
www.ucc.vcu.edu
zfor...@vcu.edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://phishing.vcu.edu/

Antwort: Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228

2021-12-15 Thread Alexander Heindl
that's correct.

for me it's just a workaround until IBM provides a fix for it.

8.1.12 and 8.1.13: both use 2.13.3.

Regards,
Alex Heindl




From: "Rainer Tammer"
To: ADSM-L@VM.MARIST.EDU
Date: 15.12.2021 11:20
Subject: [EXTERNAL] Re: [ADSM-L] Antwort: Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
Sent by: "ADSM: Dist Stor Manager"

Hello,
You have to be careful with that. The switch does only work if Log4J is
2.10 or higher.

Bye
  Rainer

On 15.12.2021 10:29, Alexander Heindl wrote:
> What I did on Windows with ISP Client 8.1.12, Webrestore installed and
> running:
>
> add the last line (-Dlog4j2.formatMsgNoLookups=true) in
> C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\jvm.options, so
> that it looks like this:
> --8<--
> #Thu Oct 30 15:00:51 PDT 2014
> -Dcom.ibm.jsse2.sp800-131=transition
> -Dlog4j2.formatMsgNoLookups=true
> --8<--
>
> then restart "IBMWebserver"
>
> Regards,
> Alex Heindl
>
>
>
>
> From: "Rainer Tammer"
> To: ADSM-L@VM.MARIST.EDU
> Date: 15.12.2021 08:31
> Subject: [EXTERNAL] Re: [ADSM-L] Any impact on SP client with security vulnerability: CVE-2021-44228
> Sent by: "ADSM: Dist Stor Manager"
>
> Hello,
> We are also waiting for the fixes. The problem is quite obvious.
> The risk is high, and there are currently no official fixes/mitigations.
>
> Changing Java parameters/setting environment variables for log4j >= 2.10
> might be tricky.
> It could be hard to find all necessary places
>
> We will try the following fix on OC and on the client.
>
> Sample "fix" for log4j-core-2.13.3.jar included in the client:
>
>   zip -q -d log4j-core-2.13.3.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> NOTE: The application using this library must be restarted completely
> after the change.
> NOTE: This may pose problems in a FIPS environment.
> NOTE: The problematic Java archive may be buried inside a .war file;
> in this case the .war must be refreshed with a changed
> log4j-core-nnn.jar.
>
> *Any comments?*
>
> Bye
> Rainer
>
> On 13.12.2021 12:25, Del Hoobler wrote:
>> Please watch this page:
>>
>> https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
>>
>> IBM is actively working on this.
>>
>> Del
>>
>> 
>>
>>
>> "ADSM: Dist Stor Manager" wrote on 12/12/2021 01:31:46 AM:
>>
>>> From: "Bommasani, Venu"
>>> To:ADSM-L@VM.MARIST.EDU
>>> Date: 12/12/2021 01:32 AM
>>> Subject: [EXTERNAL] Any impact on SP client with security
>>> vulnerability: CVE-2021-44228
>>> Sent by: "ADSM: Dist Stor Manager"
>>>
>>> Hello All,
>>>
>>> Our security Team reported below file as vulnerability with
>>> reference of CVE-2021-44228 on Linux servers.
>>>
>>> /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar
>>>
>>> We haven't received any information from IBM yet under a Sev1
>>> ticket, But as per Support Team this recent vulnerability
>>> CVE-2021-44228 is still being investigated.
>>>
>>> Does anyone have any idea? Remediation?
>>>
>>> Since vulnerability CVE-2021-44228 is treated as Critical, we are
>>> proceeding with removing the file directly from all Linux servers.
>>>
>>> Best Regards,
>>> _
>>> Venu Bommasani
>>> Storage & Data Protection
>>> Mobile: +91 7795213309 / venu.bommas...@capgemini.com
>>> This message contains information that may be privileged or
>>> confidential and is the property of the Capgemini Group. It is
>>> intended only for the person to whom it is addressed. If you are not
>>> the intended recipient, you are not authorized to read, print,
>>> retain, copy, disseminate, distribute, or use this message or any
>>> part thereof. If you receive this message in error, please notify
>>> the sender immediately and delete all copies of this message.
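The two stop-gaps traded in this thread are Alex's `-Dlog4j2.formatMsgNoLookups=true` line in jvm.options (which, as Rainer warns, is only honoured by log4j 2.10 and later) and Rainer's `zip -q -d ... JndiLookup.class` deletion, with his note that the jar may be buried inside a .war. The script below is an added example for checking and applying those on a host; it is not IBM's code and was not posted on the list. It re-implements the `zip -d` step with Python's standard zipfile module so that it can recurse into nested .jar/.war/.ear entries and verify the result, reads the log4j-core version from the jar's Maven pom.properties to decide whether the JVM switch would even take effect, and flags a log4j 1.x jar such as the vcloudsuite `log4j-1.2.17.jar` Venu's scanner reported as out of scope for CVE-2021-44228 (1.x has no JndiLookup class; the 1.x CVEs Rainer lists are a separate matter). Apache later rated the formatMsgNoLookups switch insufficient for CVE-2021-45046, the "second vulnerability" Zoltan mentions, so the report treats class removal rather than the switch as the decisive check. `build_fake_jar`, `build_fake_war`, `fix_path` and the file name `log4j_hotfix.py` are this example's own names; the jar and war they build are constructed sample input, not real IBM artifacts, and the assumption that a 1.x jar carries `META-INF/maven/log4j/log4j/pom.properties` holds for Maven-built 1.2.x releases only.

```python
from __future__ import annotations

import io
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"   # assumption: Maven coordinates of 1.2.x jars
NESTED = (".jar", ".war", ".ear", ".zip")

def _is_nested_archive(info: zipfile.ZipInfo, data: bytes) -> bool:
    return (not info.is_dir() and info.filename.lower().endswith(NESTED)
            and zipfile.is_zipfile(io.BytesIO(data)))

def _version_from_pom(zf: zipfile.ZipFile) -> tuple[int, ...] | None:
    """Parse 'version=2.13.3' from the Maven pom.properties that log4j-core ships."""
    if CORE_POM not in zf.namelist():
        return None
    for line in zf.read(CORE_POM).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            base = line.split("=", 1)[1].strip().split("-")[0]   # drop '-rc1' style suffixes
            return tuple(int(p) for p in base.split("."))
    return None

def assess(archive: bytes) -> dict:
    """Classify an archive (recursing into nested jars) and say which mitigation applies."""
    nested = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = set(zf.namelist())
        version = _version_from_pom(zf)
        for info in zf.infolist():
            data = zf.read(info)
            if _is_nested_archive(info, data):
                nested.append(assess(data))
    jndi = int(JNDI_CLASS in names) + sum(r["jndi_lookup_count"] for r in nested)
    if version is None:
        version = next((r["log4j2_version"] for r in nested if r["log4j2_version"]), None)
    return {
        "log4j1": LOG4J1_POM in names or any(r["log4j1"] for r in nested),
        "log4j2_version": version,
        "jndi_lookup_count": jndi,
        # Rainer's caveat: -Dlog4j2.formatMsgNoLookups=true is honoured only by 2.10 and later.
        "format_msg_no_lookups_honoured": version is not None and version >= (2, 10),
        "needs_class_removal": jndi > 0,   # deleting the class works for any 2.x, no JVM option needed
    }

def strip_jndi_lookup(archive: bytes) -> tuple[bytes, int]:
    """Copy of the archive without JndiLookup.class, recursing into nested entries; also returns the removal count."""
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1
                continue
            data = src.read(info)
            if _is_nested_archive(info, data):          # the "buried in a .war" case
                data, inner = strip_jndi_lookup(data)
                removed += inner
            dst.writestr(info, data)
    return out.getvalue(), removed

def fix_path(path: Path, apply: bool = False) -> dict:
    """Assess one archive on disk; with apply=True rewrite it in place after saving a .bak copy."""
    original = path.read_bytes()
    report = assess(original)
    if apply and report["needs_class_removal"]:
        path.with_name(path.name + ".bak").write_bytes(original)
        patched, report["removed"] = strip_jndi_lookup(original)
        path.write_bytes(patched)
        report["jndi_lookup_count"] = assess(patched)["jndi_lookup_count"]   # verify: must be 0
    return report

def build_fake_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (sample input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CORE_POM, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_fake_war(core_jar: bytes) -> bytes:
    """Constructed web app with log4j-core under WEB-INF/lib (sample input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", core_jar)
    return buf.getvalue()

if __name__ == "__main__":   # usage: python3 log4j_hotfix.py [--apply] <dir-or-archive>...
    apply = "--apply" in sys.argv
    for root in (Path(a) for a in sys.argv[1:] if a != "--apply"):
        for f in ([root] if root.is_file() else root.rglob("*")):
            if f.is_file() and f.suffix.lower() in NESTED and zipfile.is_zipfile(f):
                print(f, fix_path(f, apply))
```

Run it without `--apply` against a client tree such as /opt/tivoli/tsm/client/ba/bin to get an inventory first, then with `--apply` to strip the class (a `.bak` copy is written before each rewrite). As Rainer says, the application that loaded the jar must be restarted completely afterwards, and the edit does not survive the next client upgrade, so it is a stop-gap until the fixed 8.1.13.x packages from IBM's bulletin are installed.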