1st update and possible emergency action on Apache Log4j CVE-2021-44228 vulnerability related to Spectrum Protect

Markus Stumpf, 14 December 2021

Apache Log4j CVE-2021-44228 vulnerability in relation to Spectrum Protect

- Status: 14.12.2021, 17:00 -

Unfortunately, we do not have a final answer from IBM yet. During internal tests with the scanner https://github.com/hillu/local-log4j-vuln-scanner we noticed that the Windows Backup/Archive Client version 8.1.12.0 ships Log4j version 2.13.3:

Windows Backup/Archive Client version 8.1.12.0 with Log4j version 2.13.3 in use

Since this library is only included in the installer under the veProfile path, we currently assume that the normal Backup/Archive Client is not affected as long as Spectrum Protect for Virtual Environment is not configured. This is our own assumption and has not been confirmed by IBM!

Unfortunately, there is no final statement about this at https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/ yet.

Since the installed Log4j version is 2.13.3, the following environment variable can be set as a workaround. Log4j honours it from release 2.10 onwards, and it must be present in the environment of the Java process that loads the library, so set it at machine scope and restart the affected service afterwards:

LOG4J_FORMAT_MSG_NO_LOOKUPS="true" (see https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)

The following versions of Log4j are included in the Backup/Archive Client:

  • 8.1.6-8.1.10: 1.2.17
  • 8.1.11-8.1.13: 2.13.3

Version 1.2.17 was not assessed by Apache because the 1.x branch is already end of life:

"Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed."

https://logging.apache.org/log4j/2.x/security.html
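To turn the version table and the workaround above into a repeatable check, here is an added example (our own illustration, not part of the original post and not Empalis, IBM or Apache code). It walks an installation tree, identifies Log4j 1.x and 2.x jars from the class and Maven metadata they carry, and states per jar whether LOG4J_FORMAT_MSG_NO_LOOKUPS helps, using the thresholds from Apache's advisory (the variable is honoured from 2.10, CVE-2021-44228 is fixed from 2.15.0). The sample install tree it builds under a temporary directory is constructed for the demo; the veProfile path and jar names are assumptions and not a real client layout.

```python
import os
import re
import tempfile
import zipfile

# Class implementing the ${jndi:...} lookup that CVE-2021-44228 abuses (Log4j 2.x only)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Marker class for Log4j 1.x (end of life, not assessed by Apache)
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# Maven metadata that carries the log4j-core version in 2.x jars
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'2.13.3' -> (2, 13, 3); None if no x.y.z is found in the text."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def advice(version, has_jndi):
    """What the LOG4J_FORMAT_MSG_NO_LOOKUPS workaround means for this jar (Apache advisory thresholds)."""
    if version is None:
        return "unknown version: inspect manually"
    if version[0] == 1:
        return "log4j 1.x is end of life: not assessed by Apache, env var has no effect, replace it"
    if not has_jndi:
        return "JndiLookup.class absent: lookup already removed"
    if version < (2, 10, 0):
        return "2.x before 2.10 ignores LOG4J_FORMAT_MSG_NO_LOOKUPS: upgrade or delete JndiLookup.class"
    if version < (2, 15, 0):
        return "2.10-2.14.x: set LOG4J_FORMAT_MSG_NO_LOOKUPS=true in the service's environment and restart it"
    return "2.15.0 or later: CVE-2021-44228 fixed per Apache advisory"


def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a Log4j jar, or None for any other jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.*)$", props, re.M)
            ver = parse_version(m.group(1)) if m else parse_version(os.path.basename(path))
            return ver, JNDI_LOOKUP in names
        if JNDI_LOOKUP in names:
            # core classes without Maven metadata (repackaged jar): fall back to the file name
            return parse_version(os.path.basename(path)), True
        if LOG4J1_MARKER in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
            m = re.search(r"^Implementation-Version:\s*(.*)$", manifest, re.M)
            ver = parse_version(m.group(1)) if m else parse_version(os.path.basename(path))
            return ver, False
    return None


def scan(root):
    """Walk root; return {jar path relative to root (with '/'): (version, has_jndi, advice)}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                result = inspect_jar(full)
            except zipfile.BadZipFile:
                continue  # not a zip at all, skip it
            if result:
                ver, has_jndi = result
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = (ver, has_jndi, advice(ver, has_jndi))
    return findings


def workaround_active(env=os.environ):
    """True if the given environment carries the 2.10+ lookup kill switch set to true."""
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def build_demo_tree():
    """Constructed sample tree (not a real client install): a 2.13.3 core jar under veProfile,
    a 1.2.17 jar next to it and an unrelated jar. Class entries are placeholder bytes."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    ve = os.path.join(root, "veProfile", "lib")
    os.makedirs(ve)
    with zipfile.ZipFile(os.path.join(ve, "log4j-core-2.13.3.jar"), "w") as z:
        z.writestr(POM_PROPS, "version=2.13.3\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        z.writestr(LOG4J1_MARKER, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as z:
        z.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    root = build_demo_tree()  # replace with the client install directory for a real check
    for jar, (ver, jndi, what) in sorted(scan(root).items()):
        print(f"{jar}: version={ver} jndi_lookup={jndi} -> {what}")
    print("workaround active in this environment:", workaround_active())
```

Run it with the client's install directory in place of the demo tree. Note that `workaround_active()` only tells you about the environment of the process running the script; the variable has to be visible to the Java process that actually loads log4j-core, which is why a machine-scope setting plus a service restart is the reliable way to apply it.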

Conclusion

You can stay safe by updating the client to version 8.1.12 (which ships Log4j 2.13.3, a release that honours the variable) and applying the workaround described above. For Linux, a mitigation is available from Red Hat:

https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

Good news for our service customers: The Predatar agent is not affected.

We will continue to inform you about this issue here in this blog.

Your Empalis Team
