A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. IBM Spectrum Protect Snapshot on Windows includes the IBM Spectrum Protect Backup-Archive Cliient which installs the vulnerable Log4j files. Based on current information and analysis, Log4j is not used by IBM Spectrum Protect Snapshot on Wiindows.
CVEID:CVE-2021-44228
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Spectrum Protect Snapshot for Windows (formerly IBM Tivoli Storage FlashCopy Manager for Windows) | 8.1.11.0-8.1.13.0 |
IBM Tivoli Storage FlashCopy Manager for Windows |
4.1.6.10-4.1.6.x
Note: IBM Spectrum Protect Snapshot for Windows packages the IBM Spectrum Protect Backup-Archive client which installs the affected Log4j files but these files are not used.
IBM strongly recommends addressing this vulnerability now by upgrading.
Note: The below fix packages included Log4j 2.15.
IBM Spectrum Protect Snapshot for Windows Affected Versions|Fixing Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
8.1.11.0-8.1.13.0| 8.1.13.1| Windows| <https://www.ibm.com/support/pages/node/6527298>
4.1.6.10-4.1.6.x| | Windows|
Apply the IBM Spectrum Protect Client 7.1.8.13 fix using this link
<https://www.ibm.com/support/pages/node/316619>
None.