NewsUpdate on security vulnerability in Log4j in combination with IBM Spectrum Protect and Spectrum Protect Plus

Markus Stumpf — 06. January 2022
Reading time: 02:03 minutes

Update zu Sicherheitslücke in Log4j in Verbindung mit IBM Spectrum Protect und Spectrum Protect Plus

As reported in several articles in December, Spectrum Protect and Spectrum Protect Plus are only affected by the security vulnerabilities related to Log4j 2.X in individual web components. This article describes the current workarounds and patches for the affected components.

Backup Archive Client

First of all, it should be clarified again that older versions of Spectrum Protect that distribute Log4j 1.X in the binaries are not affected by these vulnerabilities, because the attack in the context of CVE-2021-44228 is only possible with Log4j version 2.0 and higher.

Nevertheless, Log4j is included in every Backup/Archive client package as binaries, and we still receive many customer inquiries about how to handle these packages as a result.

The simplest fix is still to replace the Log4j files from the installation directories, with the latest version of Log4j 2.17.1.

Yesterday IBM released an update for the Backup/Archive clients to version 8.13.2. However, this update "only" includes Log4j 2.17.0, so this version is still vulnerable via CVE-2021-44832. However, this vulnerability requires local access to the Log4j config file. Thus, this vulnerability is not comparable to CVE 2021-44228.

The other relevant CVEs CVE-2021-45105, CVE-2021-45046 and CVE 2021-44228 have already been fixed with Backup/Archive Client 8.1.13.1.

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228):
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-client-web-user-interface-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-44228/
Security Bulletin: Vulnerabilities in Apache Log4j impacts IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2021-45105, CVE-2021-45046):
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-45105-cve-2021-45046/

Download Backup/Archive Client 8.1.13.2

Download Data Protection for Virtual Environments VMWare 8.1.13.2

Operations Center

The Operations Center uses Log4j and is therefore also affected by all CVEs. Here you can also replace the Log4j files with the latest version 2.17.1. How to replace the files is described in the following Security Bulletin under "Workarounds and Mitigations":

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Operations Center (CVE-2021-44228)
https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-ibm-spectrum-protect-operations-center-cve-2021-44228
Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-operations-center-cve-2021-45105-cve-2021-45046/

Download Operations Center 8.1.13.200:
http://ftp.software.ibm.com/storage/tivoli-storage-management/patches/opcenter/8.1.13.200/

Spectrum Protect Plus

Security Bulletins have also been published for Spectrum Protect Plus. Here is the current latest fix version 10.1.9.2.

Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6527828
Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impact-ibm-spectrum-protect-plus-cve-2021-45105-cve-2021-45046/

Download Spectrum Protect Plus 10.1.9.2
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Spectrum%20Protect%20family&product=ibm/StorageSoftware/IBM+Spectrum+Protect+Plus&release=All&platform=All&function=all

Further Links

Apache Log4j Homepage
https://logging.apache.org/log4j/2.x/
An update on the Apache Log4j 2.x vulnerabilities
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
CVE-2021-44832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
CVE-2021-45056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Client Web User Interface and IBM Spectrum Protect for Virtual Environments (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-client-web-user-interface-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-44228/

We wish you continued safe times in the new year.

Your Empalis-Team

Markus Stumpf

Markus Stumpf is Head of Data Protection Services and Business Development Manager at Empalis Consulting GmbH.
As an expert in data protection solutions such as IBM Spectrum Protect, Veeam or Cohesity and with over 20 years of experience in implementation, operation and training (especially with IBM Spectrum Protect), he is happy to answer all your questions.

Do you need to implement NIS2? Cyber resilience is (not) a question of backup

Modern and innovative data protection for your company.

Managed service - backup tailored to your needs

Empalis supports you with your comprehensive security management.

Discover the Empalis Cloud: flexible, multifunctional, highly scalable.

IBM Tivoli System Automation for z/OS (SA for z/OS): Numerous system management functions with a single point of control

Get solutions to a wide range of NIS2-related issues in one go: with VIKING Backup Guardian - cyber-resilient all-in-one backup solution.

Harden your IT infrastructure against cyber attacks

Optimise your data backup environment and archiving

We manage your backup environment for you.

Easy and efficient administration of IBM System z/OS

Veeam offers you exciting opportunities to future-proof your IT and backup environment.

Since more than 30 years we provide consulting services for IBM products and manage IBM infrastructures in the enterprise environment.

Alert message: Error in Veeam Backup for Microsoft 365: First aid for admins when backing up Exchange mailboxes

Cohesity is our strong partner for cyber-resilient architectures with VIKING.

With Predatar, you have a clear advantage thanks to AI anomaly detection: Proactive Recovery Assurance

So why not wasabi?

The interface for easy use of IBM Storage Protect (ISP)

Because our customers love it: Get to know our partner technologies from General Storage

Automated monitoring & reporting - complete control of all backups and restores in your company

Managing Microsoft Sharepoint - sustainable, secure, productive with Docave

Get an overview of trainings & events

Easter bundle until 30.04.2024: Book now and save 20%-30% by quoting the promo code!

Am 18.06.2024 diskutieren wir mit unseren Partnern Veeam und Wasabi, wie Sie Risiken effizienter minimieren.

Proxmox with Veeam - an alternative to VMware?

Empalis technical article in IT Security Online: Cyber Resilience: Which backup solution for Microsoft 365?

Empalis ist again awarded as top company in 2024 - thank you!

The formula for our success: Be there, keep listening, implement.

Empalis ist pioneer partner of Apex by Predatar

Empalis is welcoming new employees - just send us your unsolicited application.

We look forward to hearing from you!

NewsUpdate on security vulnerability in Log4j in combination with IBM Spectrum Protect and Spectrum Protect Plus

Backup Archive Client

The other relevant CVEs CVE-2021-45105, CVE-2021-45046 and CVE 2021-44228 have already been fixed with Backup/Archive Client 8.1.13.1.

Download Backup/Archive Client 8.1.13.2

Download Data Protection for Virtual Environments VMWare 8.1.13.2

Operations Center

Spectrum Protect Plus

Further Links

Markus Stumpf

Do you need to implement NIS2? Cyber resilience is (not) a question of backup

Modern and innovative data protection for your company.

Managed service - backup tailored to your needs

Empalis supports you with your comprehensive security management.

Discover the Empalis Cloud: flexible, multifunctional, highly scalable.

IBM Tivoli System Automation for z/OS (SA for z/OS): Numerous system management functions with a single point of control

Get solutions to a wide range of NIS2-related issues in one go: with VIKING Backup Guardian - cyber-resilient all-in-one backup solution.

Harden your IT infrastructure against cyber attacks

Optimise your data backup environment and archiving

We manage your backup environment for you.

Easy and efficient administration of IBM System z/OS

Veeam offers you exciting opportunities to future-proof your IT and backup environment.

Since more than 30 years we provide consulting services for IBM products and manage IBM infrastructures in the enterprise environment.

Alert message: Error in Veeam Backup for Microsoft 365: First aid for admins when backing up Exchange mailboxes

Cohesity is our strong partner for cyber-resilient architectures with VIKING.

With Predatar, you have a clear advantage thanks to AI anomaly detection: Proactive Recovery Assurance

So why not wasabi?

The interface for easy use of IBM Storage Protect (ISP)

Because our customers love it: Get to know our partner technologies from General Storage

Automated monitoring & reporting - complete control of all backups and restores in your company

Managing Microsoft Sharepoint - sustainable, secure, productive with Docave

Get an overview of trainings & events

Easter bundle until 30.04.2024: Book now and save 20%-30% by quoting the promo code!

Am 18.06.2024 diskutieren wir mit unseren Partnern Veeam und Wasabi, wie Sie Risiken effizienter minimieren.

Proxmox with Veeam - an alternative to VMware?

Empalis technical article in IT Security Online: Cyber Resilience: Which backup solution for Microsoft 365?

Empalis ist again awarded as top company in 2024 - thank you!

The formula for our success: Be there, keep listening, implement.

Empalis ist pioneer partner of Apex by Predatar

Empalis is welcoming new employees - just send us your unsolicited application.

We look forward to hearing from you!

NewsUpdate on security vulnerability in Log4j in combination with IBM Spectrum Protect and Spectrum Protect Plus

Backup Archive Client

The other relevant CVEs CVE-2021-45105, CVE-2021-45046 and CVE 2021-44228 have already been fixed with Backup/Archive Client 8.1.13.1.

Download Backup/Archive Client 8.1.13.2

Download Data Protection for Virtual Environments VMWare 8.1.13.2

Operations Center

Spectrum Protect Plus

Further Links

Markus Stumpf

You were interested in this, then you may also be interested in...

NewsLog4j vulnerability - bugfixed version 2.17 now available

News1st update and possible emergency action on Apache Log4j CVE-2021-44228 vulnerability related to Spectrum Protect. - Update 12/14/2021, 5:00 PM -

News4th Update - Security Bulletins and Fixes Available for Log4j Vulnerability CVE 2021-44228 - Dec 16, 2021 10:00 AM -

News2nd update: Second vulnerability to Log4j - extended help and emergency response Apache Log4j CVE-2021-44228 and CVE 2021-45046

NewsIBM update on the Apache Log4j CVE-2021-44228 vulnerability - 3rd update Dec. 15, 2021, 5 p.m. -

NewsWhat we can say so far about Apache Log4j CVE-2021-44228 vulnerability in relation to Spectrum Protect

NewsLog4j can be fixed now - 5th update

News1st update and possible emergency action on Apache Log4j CVE-2021-44228 vulnerability related to Spectrum Protect.

- Update 12/14/2021, 5:00 PM -

News4th Update - Security Bulletins and Fixes Available for Log4j Vulnerability CVE 2021-44228
- Dec 16, 2021 10:00 AM -

NewsIBM update on the Apache Log4j CVE-2021-44228 vulnerability
- 3rd update Dec. 15, 2021, 5 p.m. -