| CVSS3 metric | Value |
|---|---|
| Score | 10 High |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

| CVSS2 metric | Value |
|---|---|
| Score | 9.3 High |
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |

| EPSS | Value |
|---|---|
| Score | 0.975 High |
| Percentile | 100.0% |
Vulnerabilities in Apache Log4j could result in a denial of service or remote code execution. These vulnerabilities may affect the Help system in IBM Spectrum Protect Operations Center. The fix packages listed below include Apache Log4j 2.17.
CVEID: CVE-2021-45105
**DESCRIPTION:** Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Note: The vulnerability is also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-45046
**DESCRIPTION:** Apache Log4j could result in remote code execution, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup, an attacker with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern to leak sensitive information and achieve remote code execution in some environments and local code execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
| Affected Product(s) | Version(s) |
|---|---|
| IBM Spectrum Protect Operations Center | 8.1.0.000-8.1.13.100 |
| IBM Spectrum Protect Operations Center | 7.1.0.000-7.1.14.100 |
IBM strongly recommends addressing this vulnerability now by upgrading to the fixed level instead of using the manual process described in the Workarounds and Mitigations section.
Note: The fix packages below include Log4j 2.17.
| IBM Spectrum Protect Operations Center Affected Versions | Fixing Level | Platform | Link to Fix and Instructions |
|---|---|---|---|
| 8.1.0.000-8.1.13.100 | 8.1.13.200 | AIX, Linux, Windows | <https://www.ibm.com/support/pages/node/6527288> |
| 7.1.0.000-7.1.14.100 | 7.1.14.200 | AIX, Linux, Windows | <https://www.ibm.com/support/pages/node/6527284> |
Manual Procedure to Update the Help system

The Help system shipped with the Operations Center includes the affected Log4j versions. To update the Help system manually:

1. Download the Apache Log4j 2 binary (zip), apache-log4j-2.17.0-bin.zip, from Apache: <https://logging.apache.org/log4j/2.0/download.html>
2. Stop the Operations Center service (which also stops the Help system):
   - AIX: /opt/tivoli/tsm/ui/utils/stopserver.sh
   - Linux, 8.1.9 and lower (including v7): service opscenter.rc stop
   - Linux, 8.1.10 and higher: systemctl stop opscenter.service
   - Windows: from the Services window, stop the IBM Spectrum® Protect Operations Center service.
3. Unzip apache-log4j-2.17.0-bin.zip.
4. From the unzipped directory apache-log4j-2.17.0-bin, copy the Log4j 2.17.0 jars into the Help system's lib directory (step 5) and remove the earlier ones.
5. In the lib directory
   - AIX and Linux: /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer/apps/TSM_HELP.war/WEB-INF/lib/
   - Windows: c:\Program Files\Tivoli\TSM\ui\Liberty\usr\servers\guiServer\apps\TSM_HELP.war\WEB-INF\lib\
   replace:
   - log4j-api-2.8.2.jar
   - log4j-1.2-api-2.8.2.jar
   - log4j-core-2.8.2.jar
   - log4j-slf4j-impl-2.8.2.jar
   with:
   - log4j-api-2.17.0.jar
   - log4j-1.2-api-2.17.0.jar
   - log4j-core-2.17.0.jar
   - log4j-slf4j-impl-2.17.0.jar
6. Restart the Operations Center service:
   - AIX: /opt/tivoli/tsm/ui/utils/startserver.sh
   - Linux, 8.1.9 and lower (including v7): service opscenter.rc start
   - Linux, 8.1.10 and higher: systemctl start opscenter.service
   - Windows: from the Services window, start the IBM Spectrum® Protect Operations Center service.
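A post-upgrade check to run before step 6, added here as an example and not part of the IBM bulletin: it walks the Help system's lib directory, flags any Log4j jar still below 2.17.0 (a 2.8.2 jar left behind keeps the vulnerable classes on the classpath) and any of the four listed jars that was not copied in. The default path is the AIX/Linux one from step 5; the function names are my own.

```shell
#!/bin/sh
# Added check, not from the IBM bulletin: verifies that the Help system's
# WEB-INF/lib holds only Log4j jars at the fixed level and that all four jars
# the bulletin lists were copied in. Assumes log4j-<artifact>-<version>.jar names.
FIXED_VERSION="2.17.0"
EXPECTED_ARTIFACTS="log4j-api log4j-1.2-api log4j-core log4j-slf4j-impl"
# version_ge A B: return 0 if dotted version A >= B, comparing each numeric
# component (so 2.17.0 > 2.8.2, which a plain string compare gets wrong).
version_ge() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all components compared equal
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}
# check_log4j_dir DIR: 0 if every log4j jar is >= FIXED_VERSION and all expected
# artifacts are present; 1 if a stale or missing jar is found; 2 if no log4j jars.
check_log4j_dir() {
    dir="$1"; found=0; problems=0
    for jar in "$dir"/log4j-*.jar; do
        [ -e "$jar" ] || continue
        found=1
        base=$(basename "$jar" .jar)
        version=${base##*-}                  # log4j-core-2.8.2 -> 2.8.2
        if ! version_ge "$version" "$FIXED_VERSION"; then
            echo "STALE: $jar (older than $FIXED_VERSION; remove it)"
            problems=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    for artifact in $EXPECTED_ARTIFACTS; do
        [ -e "$dir/$artifact-$FIXED_VERSION.jar" ] && continue
        echo "MISSING: $dir/$artifact-$FIXED_VERSION.jar (copy it in)"
        problems=1
    done
    return "$problems"
}
# Default to the AIX/Linux path from the bulletin; pass another path as $1.
LIB_DIR="${1:-/opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer/apps/TSM_HELP.war/WEB-INF/lib}"
rc=0; check_log4j_dir "$LIB_DIR" || rc=$?
case "$rc" in
    0) echo "OK: $LIB_DIR is at Log4j $FIXED_VERSION" ;;
    1) echo "ACTION NEEDED: fix the jars listed above in $LIB_DIR" ;;
    *) echo "No log4j jars found under $LIB_DIR; check the path" ;;
esac
```

On Windows the same check can be run from a Git Bash or WSL shell with the Windows lib path passed as the first argument.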
CPE

| Name | Operator | Version |
|---|---|---|
| ibm spectrum protect extended edition | eq | 8.1 |
| ibm spectrum protect extended edition | eq | 7.1 |