Backup Archive Client
First of all, it should be clarified again that older versions of Spectrum Protect that ship Log4j 1.x in their binaries are not affected by these vulnerabilities, because the attack described in CVE-2021-44228 is only possible with Log4j version 2.0 and higher.
Nevertheless, Log4j is included as binaries in every Backup/Archive client package, and we still receive many customer inquiries about how to handle these packages.
The simplest fix is still to replace the Log4j files in the installation directories with the latest version, Log4j 2.17.1.
Yesterday IBM released an update for the Backup/Archive clients, version 8.1.13.2. However, this update "only" includes Log4j 2.17.0, so this version is still vulnerable to CVE-2021-44832. That vulnerability, however, requires local access to the Log4j configuration file, so it is not comparable to CVE-2021-44228.
The other relevant CVEs, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228, have already been fixed with Backup/Archive Client 8.1.13.1.
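Before replacing files it helps to know exactly which Log4j jars a client or Operations Center installation contains and which version each one really is, since a jar can be renamed without its contents changing. The following script is an added example written for this post; it is not code from Empalis or IBM. It walks a directory tree, reads the version from each Log4j jar's manifest (falling back to the file name), and reports whether the jar is a 1.x build (not affected by CVE-2021-44228), an unpatched 2.x build that should be swapped for 2.17.1, or already current. The fix versions per CVE are those of the Apache Log4j 2.x mainline (2.15.0, 2.16.0, 2.17.0, 2.17.1); the 2.12.x and 2.3.x backport lines are deliberately not modelled. The sample directory it builds is constructed for the demonstration and does not reflect a real installation layout.

```python
"""Inventory Log4j jars under an installation directory and rate each one."""
import os
import re
import tempfile
import zipfile

# First fixed version on the Log4j 2.x mainline for each CVE discussed in the post.
# (Assumption: only the 2.x mainline is considered, not the 2.12.x/2.3.x backports.)
CVE_FIX_VERSIONS = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return a (major, minor, patch) tuple from the first x.y[.z] in text, or None."""
    match = VERSION_RE.search(text or "")
    if not match:
        return None
    return tuple(int(group or 0) for group in match.groups())


def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() in ("Implementation-Version", "Bundle-Version"):
                version = parse_version(value)
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar or no manifest: use the file name below
    return parse_version(os.path.basename(path))


def assess(version):
    """Map a version tuple to an action, listing the CVEs still open for it."""
    if version is None:
        return "unknown version: inspect manually"
    if version[0] == 1:
        return "Log4j 1.x: not affected by CVE-2021-44228"
    open_cves = [cve for cve, fix in CVE_FIX_VERSIONS.items() if version < fix]
    if open_cves:
        return "replace with 2.17.1 (open: %s)" % ", ".join(open_cves)
    return "ok (>= 2.17.1)"


def scan_tree(root):
    """Return {jar file name: (version, assessment)} for every log4j*.jar under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("log4j") and lower.endswith(".jar"):
                version = jar_version(os.path.join(dirpath, name))
                findings[name] = (version, assess(version))
    return findings


def _write_jar(path, impl_version):
    """Create a minimal jar containing only a manifest (constructed test data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: %s\n" % impl_version)


def demo():
    """Build a constructed sample tree (hypothetical layout) and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-check-")
    _write_jar(os.path.join(root, "plugins", "log4j-core-2.17.0.jar"), "2.17.0")
    _write_jar(os.path.join(root, "plugins", "log4j-api-2.17.1.jar"), "2.17.1")
    _write_jar(os.path.join(root, "legacy", "log4j-1.2.17.jar"), "1.2.17")
    # File name claims 2.17.1 but the manifest says 2.14.1: the manifest wins.
    _write_jar(os.path.join(root, "renamed", "log4j-core-2.17.1.jar"), "2.14.1")
    return scan_tree(root)


if __name__ == "__main__":
    for name, (version, status) in sorted(demo().items()):
        print("%-28s %-10s %s" % (name, ".".join(map(str, version)), status))
```

To check a real installation, call `scan_tree()` with the client or Operations Center installation directory instead of the constructed sample; the manifest lookup is what catches jars whose file name no longer matches their contents.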
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228):
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-client-web-user-interface-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-44228/
- Security Bulletin: Vulnerabilities in Apache Log4j impacts IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2021-45105, CVE-2021-45046):
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-45105-cve-2021-45046/
Download Backup/Archive Client 8.1.13.2
- http://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v8r1/Windows/x64/v8113/
- http://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v8r1/Linux/LinuxX86/BA/v8113/
- http://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v8r1/AIX/BA/v8113/
Download Data Protection for Virtual Environments VMware 8.1.13.2
- http://ftp.software.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/vmware/linux/linux86/v8113/
- http://ftp.software.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/vmware/windows/v8113/
Operations Center
The Operations Center uses Log4j and is therefore also affected by all of the CVEs. Here, too, you can replace the Log4j files with the latest version, 2.17.1. How to replace the files is described under "Workarounds and Mitigations" in the following Security Bulletin:
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Operations Center (CVE-2021-44228)
https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-ibm-spectrum-protect-operations-center-cve-2021-44228
- Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-operations-center-cve-2021-45105-cve-2021-45046/
Download Operations Center 8.1.13.200:
http://ftp.software.ibm.com/storage/tivoli-storage-management/patches/opcenter/8.1.13.200/
Spectrum Protect Plus
Security Bulletins have also been published for Spectrum Protect Plus. The current fix version is 10.1.9.2.
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6527828
- Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impact-ibm-spectrum-protect-plus-cve-2021-45105-cve-2021-45046/
Download Spectrum Protect Plus 10.1.9.2
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Spectrum%20Protect%20family&product=ibm/StorageSoftware/IBM+Spectrum+Protect+Plus&release=All&platform=All&function=all
Further Links
- Apache Log4j Homepage
https://logging.apache.org/log4j/2.x/
- An update on the Apache Log4j 2.x vulnerabilities
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
- CVE-2021-44832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
- CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-client-web-user-interface-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-44228/
We wish you continued safe times in the new year.
Your Empalis-Team