Log4j security issue - is SP also affected?

Sunhillow

ADSM.ORG Senior Member
Joined
Oct 27, 2003
Messages
408
Reaction score
16
Points
0
Location
Stuttgart, Germany
PREDATAR Control23

I have a few cases opened at IBM. Here is what i was told about SP

Preliminary investigations have determined the IBM Spectrum Protect Server, Storage Agent, Operations Center and CMS is not impacted by the CVE. We are still investigation the IBM Spectrum Protect Client(s).

So, we are actively still keeping an eye on it. Doing our own research as well. Seems to me that the log4j involved in SP clients relates to a plugin for Vmware vCloud Suite...
 
PREDATAR Control23

Seems to me that the log4j involved in SP clients relates to a plugin for Vmware vCloud Suite...

I confirm : on each Linux machine, with a BA client installed, there is an impacted version of log4j in "/opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk"
I hope IBM will quickly release a patch, although in this case, the risk seems low to me if we do not use this plugin.
 
PREDATAR Control23

Have they said anything about Operations Center? Scanning ours turned up multiple instances of
log4j-core-***.jar
 
PREDATAR Control23

IBM has published 2 security bulletins:
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228)
and
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Operations Center (CVE-2021-44228)
 
PREDATAR Control23

There's one general update on Log4j and 3 security bulletins

An update on the Apache Log4j CVE-2021-44228 vulnerability
Dec 15, 2021 8:35 pm EST | Critical Severity

Updated December 15, 8:35 PM: IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). ...read more

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44228)
Dec 15, 2021 11:15 pm EST | Critical Severity

A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift due to its use of the Strimzi operator. ...read more

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228)
Dec 15, 2021 9:10 pm EST | Critical Severity

A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect the IBM Spectrum Protect Client web user interface and IBM Spectrum Protect for Virtual Environments due to their uses of Log4j for logging of messages and traces. ...read more

Security Bulletin: Information Disclosure in IBM Spectrum Protect Operations Center (CVE-2021-38901)
Dec 15, 2021 7:01 pm EST | Medium Severity

If tracing is enabled in Operations Center, user credentials may be displayed in the trace file in plain text. ...read more


To view all Spectrum Protect Security Bulletins, look here:
 
PREDATAR Control23

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot on Windows (CVE-2021-44228)

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228)
 
Top