• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Log4j security issue - is SP also affected?

Sunhillow

ADSM.ORG Senior Member
Joined
Oct 27, 2003
Messages
402
Reaction score
16
Points
0
Location
Stuttgart, Germany

Stephan

ADSM.ORG Senior Member
Joined
Jun 7, 2004
Messages
649
Reaction score
2
Points
0
Location
Great White North
Website
www.twosix.ca
I have a few cases opened at IBM. Here is what i was told about SP

Preliminary investigations have determined the IBM Spectrum Protect Server, Storage Agent, Operations Center and CMS is not impacted by the CVE. We are still investigation the IBM Spectrum Protect Client(s).

So, we are actively still keeping an eye on it. Doing our own research as well. Seems to me that the log4j involved in SP clients relates to a plugin for Vmware vCloud Suite...
 

mroussel

ADSM.ORG Member
Joined
Apr 18, 2007
Messages
13
Reaction score
1
Points
0
Location
Lyon - France
Seems to me that the log4j involved in SP clients relates to a plugin for Vmware vCloud Suite...
I confirm : on each Linux machine, with a BA client installed, there is an impacted version of log4j in "/opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk"
I hope IBM will quickly release a patch, although in this case, the risk seems low to me if we do not use this plugin.
 

Jello

Newcomer
Joined
Jul 18, 2011
Messages
1
Reaction score
0
Points
0
Have they said anything about Operations Center? Scanning ours turned up multiple instances of
log4j-core-***.jar
 

mroussel

ADSM.ORG Member
Joined
Apr 18, 2007
Messages
13
Reaction score
1
Points
0
Location
Lyon - France
IBM has published 2 security bulletins:
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228)
and
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Operations Center (CVE-2021-44228)
 

marclant

ADSM.ORG Moderator
Joined
Jun 16, 2006
Messages
3,788
Reaction score
625
Points
0
Location
Canada
Website
www.ibm.com
There's one general update on Log4j and 3 security bulletins

An update on the Apache Log4j CVE-2021-44228 vulnerability
Dec 15, 2021 8:35 pm EST | Critical Severity

Updated December 15, 8:35 PM: IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). ...read more

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44228)
Dec 15, 2021 11:15 pm EST | Critical Severity

A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift due to its use of the Strimzi operator. ...read more

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228)
Dec 15, 2021 9:10 pm EST | Critical Severity

A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect the IBM Spectrum Protect Client web user interface and IBM Spectrum Protect for Virtual Environments due to their uses of Log4j for logging of messages and traces. ...read more

Security Bulletin: Information Disclosure in IBM Spectrum Protect Operations Center (CVE-2021-38901)
Dec 15, 2021 7:01 pm EST | Medium Severity

If tracing is enabled in Operations Center, user credentials may be displayed in the trace file in plain text. ...read more


To view all Spectrum Protect Security Bulletins, look here:
 

LED888

ADSM.ORG Moderator
Joined
Oct 15, 2002
Messages
882
Reaction score
82
Points
0
Website
http
Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot on Windows (CVE-2021-44228)

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228)
 

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 22 19.8%
  • Keep using TSM for Spectrum Protect.

    Votes: 65 58.6%
  • Let's be formal and just say Spectrum Protect

    Votes: 15 13.5%
  • Other (please comement)

    Votes: 9 8.1%

Forum statistics

Threads
31,831
Messages
134,884
Members
21,793
Latest member
jonDoe2
Top