Tonight IBM released the security bulletins for all affected Spectrum Protect components. As suspected, the Spectrum Protect Web Client and the Web GUI of Spectrum Protect for VE are affected:
Security Bulletin
Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6527080?myns=swgtiv&mynp=OCSSEQVQ&mync=E&cm_sp=swgtiv-_-OCSSEQVQ-_-E
The above security bulletin also includes the local fix, which consists of replacing the Log4j binaries.
The following products from the Spectrum Protect family are also affected:
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Operations Center (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6527084?myns=s033&mynp=OCSSER5J&mync=E&cm_sp=s033-_-OCSSER5J-_-E
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6527090?myns=s033&mynp=OCSSNQFQ&mync=E&cm_sp=s033-_-OCSSNQFQ-_-E
We recommend going directly to version 2.16.0, contrary to the IBM documentation, because CVE-2021-45046 is also fixed there.
The download for Log4j can be found here:
https://logging.apache.org/log4j/2.x/download.html
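Before and after replacing the binaries it helps to have an inventory of which log4j-core jars are actually present on a host and which of them are still below 2.16.0. The following script is an added example written for this post; it is not IBM's or Empalis' code and has nothing to do with the Spectrum Protect installers. It walks a directory tree, reads the version from each jar's manifest (it assumes the Log4j 2 jars carry an Implementation-Version header, which is the case for the official builds) and falls back to the version in the filename, then flags everything older than 2.16.0. The jars it creates for its own demo are constructed fixtures containing only a manifest.

```python
"""Inventory Log4j 2 core jars under a directory tree and flag any below 2.16.0.

Added example for this post (not IBM/Empalis code). The demo() fixtures are
constructed minimal jars, not real Log4j builds.
"""
import os
import re
import tempfile
import zipfile

# Version the post recommends (fixes CVE-2021-44228 and CVE-2021-45046).
TARGET_VERSION = (2, 16, 0)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); return None when the text is not a dotted version."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(path):
    """Read Implementation-Version from META-INF/MANIFEST.MF; fall back to the filename.

    Assumption: official log4j-core jars carry an Implementation-Version header.
    Returns a (major, minor, patch) tuple or None if nothing usable was found.
    """
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError):
        pass  # corrupt jar or no manifest: try the filename instead
    m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def scan(root):
    """Return a list of (path, version_or_None, needs_update), sorted by path.

    A jar whose version cannot be determined is flagged too: unknown is not safe.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                needs_update = version is None or version < TARGET_VERSION
                findings.append((path, version, needs_update))
    return sorted(findings, key=lambda f: f[0])


def make_sample_jar(path, version):
    """Constructed fixture: a jar containing only a manifest with the given version."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)


def demo():
    """Build three constructed jars in a temp directory and scan them."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0")
    # Manifest without a version header: only the filename reveals 2.15.0.
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.15.0.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return scan(root)


if __name__ == "__main__":
    for path, version, needs_update in demo():
        label = "UPDATE" if needs_update else "ok"
        print("%-7s %-10s %s" % (label, ".".join(map(str, version)) if version else "unknown", path))
```

Point scan() at the installation directory of the affected component before the replacement to see what is there, and again afterwards to confirm that no copy below 2.16.0 is left behind; a jar whose version cannot be read is deliberately reported as needing attention rather than silently passed.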
Empalis will be happy to support you with implementing the local fixes or to answer any further questions.