On 1 November 2022 two vulnerabilities in OpenSSL, CVE-2022-3602 and CVE-2022-3786, were published (see also Heise). Both are buffer overflows in X.509 certificate verification (punycode handling), affect OpenSSL 3.0.0 through 3.0.6 and are fixed in 3.0.7. They were pre-announced as "Critical" but were downgraded to "High" when the details were released.
IBM Spectrum Protect
IBM Spectrum Protect verifies TLS certificates with IBM's own Global Security Kit (GSKit) rather than with OpenSSL. Client/server communication and password storage in Spectrum Protect are therefore not directly affected by these two vulnerabilities.
Our tip
Nevertheless, you should keep an eye on the IBM PSIRT blog, as IBM has announced that it will publish statements about the individual IBM products there.
IBM Spectrum Protect Plus
IBM Spectrum Protect Plus ships OpenSSL as part of the appliance OVAs. You can check the installed version on the appliance as follows:
Check if OpenSSL is present
[serveradmin@esplus20 ~]$ which openssl
/usr/bin/openssl
Check which OpenSSL version is present
[serveradmin@esplus20 ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
The sample output was taken on a Spectrum Protect Plus 10.1.10 appliance. It ships OpenSSL 1.0.2k, so this appliance version is not affected: the two CVEs only affect OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7).
Attention
OpenSSL can still be part of the underlying operating system regardless of the backup application, and an application can also bundle its own copy of the library outside the system package. Check the operating system with the commands above as well, and do not rely on the binary on PATH alone: look at the installed openssl packages, because that is the libcrypto most services on the host actually load.
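The checks above can be scripted so that the version string is classified against the affected range automatically. This is an added example, not code from the original post or from IBM: it assumes a POSIX shell with `awk` and `sed`, and uses `rpm`, `dpkg-query` and `ldconfig` only where they exist; the package names queried (openssl, openssl-libs, libssl3, libssl1.1) are the usual distribution names and are an assumption for your system.

```shell
#!/bin/sh
# Added example (not part of the original post or of IBM's tooling):
# classify an `openssl version` string against the range affected by
# CVE-2022-3602 / CVE-2022-3786 (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7)
# and report what this host actually has installed.

# is_affected "<output of openssl version>"
# Returns 0 if the version is 3.0.0..3.0.6, 1 otherwise.
# Handles suffixes such as "1.0.2k-fips" or "3.0.5-dev".
is_affected() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. "3.0.5" or "1.0.2k-fips"
    major=${ver%%.*}                                # "3"
    rest=${ver#*.}                                  # "0.5-dev"
    minor=${rest%%.*}                               # "0"
    patch=${rest#*.}                                # "5-dev"
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')   # "5"
    if [ "$major" = 3 ] && [ "$minor" = 0 ] && [ -n "$patch" ] && [ "$patch" -le 6 ]; then
        return 0
    fi
    return 1
}

# check_system: report the CLI on PATH plus the OS packages and shared
# libraries. The binary on PATH is not necessarily the libcrypto an
# application links against (an appliance may bundle its own copy), so
# the packaged library is listed as well. Package names are assumptions.
check_system() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version 2>/dev/null)
        if is_affected "$v"; then
            echo "AFFECTED:     $v"
        else
            echo "not affected: $v"
        fi
    else
        echo "no openssl binary on PATH"
    fi
    # RPM-based hosts (RHEL/CentOS): packaged library version
    if command -v rpm >/dev/null 2>&1; then
        rpm -q openssl openssl-libs 2>/dev/null || true
    fi
    # Debian-based hosts
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W openssl libssl3 libssl1.1 2>/dev/null || true
    fi
    # Shared libraries the dynamic linker would resolve
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep -E 'libcrypto|libssl' || true
    fi
}

check_system
```

`is_affected` only answers the question the CVE version range asks; `check_system` exists because the answer from `which openssl` covers the CLI alone, while the backup software, a Java runtime or a third-party agent on the same host may load a different libcrypto from its own installation directory.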
Red Hat partially affected
Red Hat has published that only RHEL 9 is affected (RHEL 8 and earlier ship the 1.x branches). RHEL 9 is not yet released as a supported operating system for the IBM Spectrum Protect server:
https://access.redhat.com/security/cve/cve-2022-3786
https://access.redhat.com/security/cve/cve-2022-3602
Conclusion
According to our current knowledge, Spectrum Protect and Spectrum Protect Plus are not affected by these two vulnerabilities. We will continue to monitor the situation and update our website if anything changes.