NewsWhat we can say so far about Apache Log4j CVE-2021-44228 vulnerability in relation to Spectrum Protect

Markus Stumpf — 13. December 2021
reading time: 1:00 minute

Over the last weekend, we received the first reports and inquiries about how Spectrum Protect and Spectrum Protect Plus are affected by CVE-2021-44228.

Currently the full extent is not yet clear, there is also no information about exact product releases and possible fixes.

IBM has set up an extra page that provides general information about the assessment and further measures and is continuously updated: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

From older security bulletins we strongly assume that at least the Spectrum Protect Backup/Archive Client and Spectrum Protect for Virtual Environments are affected, as these two components were already affected by another vulnerability in Log4J in May:

https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-commons-and-log4j-affect-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-virtual-environments

Currently there are a number of other vulnerabilities that have been fixed with the just released 8.1.13 versions. The overall solution should be coordinated with the current CVE and its solution.

Further information on the situation on the part of the BSI Bund

Please feel free to contact us directly if you have any questions.
We will continue to keep you updated via this channel as well.

Click here for the follow-up article on Log4j:

You were interested in this, then you may also be interested in...