Unfortunately, we do not have a final answer from IBM yet. During internal tests with the tool https://github.com/hillu/local-log4j-vuln-scanner we noticed that the Windows Backup/Archive Client version 8.1.12.0 uses Log4j version 2.13.3:
Since this library is only included in the installer under the veProfile path, we currently assume that the plain Backup/Archive Client is not affected as long as Spectrum Protect for Virtual Environment is not configured. This is our own assumption and has not been confirmed by IBM!
Unfortunately, there is no final statement on this yet at https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/.
Since the installed Log4j version is 2.13.3, the following environment variable can be set as a workaround:
LOG4J_FORMAT_MSG_NO_LOOKUPS="true" (see https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)
The following versions of Log4j are included in the Backup/Archive Client:
- 8.1.6 - 8.1.10: 1.2.17
- 8.1.11 - 8.1.13: 2.13.3
Version 1.2.17 was not assessed by Apache because the 1.x branch is already end of life:
"Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed."
https://logging.apache.org/log4j/2.x/security.html
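As an added example (not part of the original post, and not IBM's or the scanner's code): a small Python check that walks an install directory, reads the Log4j version out of every jar it finds, and maps each version to the situation described above (1.x end of life; 2.10 to 2.14 covered by the LOG4J_FORMAT_MSG_NO_LOOKUPS workaround; 2.15.0 and later not affected by CVE-2021-44228). The directory and jar names built in demo() are constructed samples, not real IBM files.

```python
import itertools
import tempfile
import zipfile
from pathlib import Path
# pom.properties paths inside Maven-built jars: log4j-core 2.x first, log4j 1.x second
POM_PATHS = ("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
             "META-INF/maven/log4j/log4j/pom.properties")

def parse_version(text):
    # '2.13.3' -> (2, 13, 3); a part like '0-beta9' keeps only its leading digits
    nums = [int("".join(itertools.takewhile(str.isdigit, p)) or 0) for p in text.split(".")]
    return tuple((nums + [0, 0, 0])[:3])

def assess(version):
    """Classify a Log4j version against CVE-2021-44228 only (later CVEs need their own check)."""
    v = parse_version(version)
    if v < (2, 0, 0):
        return "log4j 1.x: end of life, not assessed by Apache"
    if v >= (2, 15, 0):
        return "not affected by CVE-2021-44228"
    if v >= (2, 10, 0):
        return "vulnerable: set LOG4J_FORMAT_MSG_NO_LOOKUPS=true or upgrade"
    return "vulnerable: no lookup workaround, upgrade required"

def jar_log4j_version(jar_path):
    """Version from the jar's pom.properties, or None if it is not a Log4j jar."""
    with zipfile.ZipFile(jar_path) as zf:
        for pom in POM_PATHS:
            if pom in zf.namelist():
                props = dict(l.split("=", 1) for l in zf.read(pom).decode().splitlines() if "=" in l)
                return props.get("version", "").strip() or None
    return None
def scan(root):
    """Map jar name -> (version, assessment) for every Log4j jar found under root."""
    found = {}
    for jar in Path(root).rglob("*.jar"):
        try:
            version = jar_log4j_version(jar)
        except zipfile.BadZipFile:
            continue  # a .jar that is not a valid zip; skip it
        if version:
            found[jar.name] = (version, assess(version))
    return found
def demo():
    # Two constructed sample jars (not real IBM files) carrying the versions the post names
    with tempfile.TemporaryDirectory() as tmp:
        for sub, pom, ver in (("baclient", POM_PATHS[1], "1.2.17"), ("veProfile", POM_PATHS[0], "2.13.3")):
            Path(tmp, sub).mkdir()
            with zipfile.ZipFile(Path(tmp, sub, f"log4j-{ver}.jar"), "w") as zf:
                zf.writestr(pom, f"version={ver}\n")
        return scan(tmp)
```

Point scan() at the client's installation directory to get the same per-jar listing for a real system.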
Conclusion
You are on the safe side once you have updated the client to version 8.1.12 and applied the workaround described above. For Linux, a mitigation is available:
https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
Good news for our service customers: The Predatar agent is not affected.
We will continue to inform you about this issue here in this blog.
Your Empalis Team