Data Protection Software


Is Spectrum protect BA client compromised with reference CVE-2021-44228

  • 1.  Is Spectrum protect BA client compromised with reference CVE-2021-44228

    Posted Sun December 12, 2021 05:08 AM

    Hello Team,

    Our security team reported the file below as a vulnerability with reference to CVE-2021-44228 on Linux servers.

    /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-1.2.17.jar

    We haven't received any information from IBM yet under a Sev1 ticket.

    Does anyone have any idea?

    Thanks in Advance,

    Best Regards,

    _____________________________________________

    Venu Bommasani

    Mobile: +91 7795213309 / venu.bommasani


    #Support
    #SpectrumProtect
    #SupportMigration


  • 2.  RE: Is Spectrum protect BA client compromised with reference CVE-2021-44228

    Posted Mon December 13, 2021 11:31 AM

    Found the same file in an 8.1.9.1 Linux BA client. I'm also concerned about it, but "Only versions of Log4J 2.x (from 2.0-beta9 to 2.14.1) are vulnerable to CVE-2021-44228." So this one seems to be an older version and not affected.

    Randomly looked on another system with 8.1.12.1 and found this file:

    /opt/tivoli/tsm/client/ba/bin/plugins/vcloudsuite/sdk/log4j-core-2.13.3.jar

    THIS LOOKS BAD!

    Any official information from IBM about which products/versions are affected by the CVE?

    Regards, Uli


    #Support
    #SpectrumProtect
    #SupportMigration
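
An added example, not part of either post and not IBM code: a Python sketch that finds log4j jars under a directory and places each file name against the version range quoted in reply 2, also checking whether the jar carries the JndiLookup class. The default root directory is taken from the paths posted above; the function names and the JndiLookup class check are assumptions of this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Matches log4j 1.x jars and log4j-core 2.x jars by file name.
JAR_RE = re.compile(
    r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
# Class that implements the JNDI lookup in log4j-core 2.x (not from the thread).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_name(name):
    """Place a jar file name relative to the range quoted in reply 2:
    2.0-beta9 through 2.14.1. Returns 'in-range', 'outside-range' or 'unknown'."""
    m = JAR_RE.search(name)
    if not m:
        return "unknown"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre, pre_n = (m[4] or "").lower(), int(m[5] or 0)
    if major != 2 or (minor, patch) > (14, 1):
        return "outside-range"          # e.g. log4j-1.2.17.jar
    if (minor, patch) == (0, 0) and (pre == "alpha" or (pre == "beta" and pre_n < 9)):
        return "outside-range"          # 2.0 pre-releases before beta9
    return "in-range"

def has_jndi_lookup(path):
    """True/False if the jar does/does not contain JndiLookup.class; None if unreadable."""
    try:
        with zipfile.ZipFile(path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (OSError, zipfile.BadZipFile):
        return None

def scan(root):
    """Return sorted (path, name verdict, JndiLookup present) for log4j*.jar under root."""
    return sorted((str(p), classify_name(p.name), has_jndi_lookup(p))
                  for p in Path(root).rglob("log4j*.jar"))

if __name__ == "__main__":
    # Default is the BA client directory from the paths posted in this thread.
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/tivoli/tsm/client/ba/bin"
    for path, verdict, jndi in scan(root):
        print(f"{verdict:14} jndi_lookup={jndi!s:5} {path}")
```

The sketch does not unpack jars nested inside other archives and relies on the file name for the version, so an `unknown` verdict or an unreadable jar needs a manual look.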