Impact of CVE-2021-44228 and CVE-2021-45046 Apache Log4j Vulnerability on NetBackup


Article: 100052058
Last Published: 2022-09-23
Product(s): NetBackup, Resiliency Platform & CloudMobility, CloudPoint, Appliances

 

 

About Apache Log4j Vulnerabilities

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

Veritas is tracking the recently announced vulnerabilities in Apache’s Log4j. All Veritas Product Security and Development teams are actively reviewing our software to determine if these vulnerabilities exist in any of our product families.

If we determine a particular product is impacted by these issues, Veritas will provide temporary mitigation guidance and work to quickly provide a patch to permanently remediate the problem.  This is an urgent issue, and we are working aggressively to help keep our customers secure.

 

CVE-2021-44228 & CVE-2021-45046 - Apply Remediation fixes or Mitigation steps

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) and a denial of service vulnerability (CVE-2021-45046) affecting Log4j versions 2.0-beta9 to 2.15. A remote attacker could exploit these vulnerabilities to take control of an affected system.   

More information is available in the Apache announcement, which recommends upgrading to Log4j 2.16.0 or later, or applying the recommended mitigations immediately.

 

Recommended steps: Follow the appropriate steps for your system from the links below. They apply the recommended mitigations and/or the remediation steps that upgrade the Log4j component to version 2.16.0 or later, where both CVEs are addressed.

 

 

CVE-2021-45105 & CVE-2021-44832 - Log4j 2.x - NetBackup NOT Impacted

In addition to the above vulnerabilities, Veritas NetBackup software customers have also inquired about CVE-2021-45105 (fixed in log4j 2.17) and CVE-2021-44832 (fixed in log4j 2.17.1).

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
NetBackup does NOT use Context Lookups in the log4j logging configuration.

CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
NetBackup doesn’t use JDBC Appender.
 

The NetBackup engineering team has assessed CVE-2021-45105 and CVE-2021-44832, and has determined that these vulnerabilities are NOT exploitable in NetBackup software. This includes NetBackup CloudPoint, NetBackup Resiliency (aka Resiliency Platform), OpsCenter and Self-Service.

NetBackup also secures the log4j configuration file with file system permissions, so only root or the NetBackup Web Service account can modify this configuration.

Recommended steps: None required, as NetBackup/components are not impacted by these two Log4j 2.x vulnerabilities.


 


CVE Detail

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. 

Severity: Critical 
Base CVSS Score: 10.0 
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

 

CVE-2021-45046: Apache Log4j2 JNDI features do not protect against malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack.

Severity: Critical 
Base CVSS Score: 9.0 
Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 


 

If NetBackup is on an Appliance?

This article covers remediation or mitigation steps for NetBackup software. In addition to the steps mentioned below, if NetBackup is running on Veritas Appliances, review the main Veritas landing page for log4j at https://vrt.as/log4j-vrts-2021, and apply the fixes for the specific Appliance family.
 

Affected Product/Component Versions

Please see the table below for links to specific Veritas product components; customers can apply Mitigation or Remediation fixes to eliminate threats from CVE-2021-44228 & CVE-2021-45046.


About Mitigation steps

Mitigation steps focus on neutralizing the vulnerability in the versions of Apache Log4j already shipped with the product. These steps are available for all NetBackup product versions.

 

About Remediation fixes

Remediation steps focus on upgrading the Apache Log4j component to Log4j version 2.17.1 in the latest update for each product version. For example, customers running...

NB 8.3 --> Upgrade to NB 8.3.0.2 and then apply Remediation fixes for version 8.3.0.2

NB 9.0 --> Upgrade to NB 9.0.0.1 and then apply Remediation fixes for version 9.0.0.1

NB 9.1 --> Upgrade to NB 9.1.0.1 and then apply Remediation fixes for version 9.1.0.1

OpsCenter Final Fixes are available for versions 8.2, 8.3.0.2, 9.0.0.1 and 9.1.0.1

 


 

Mitigation Steps - When performing manual steps, see notes below

If there are service startup issues after making the changes,
share a copy of the following files when engaging Technical Support.

/usr/openv/wmc/webserver/logs/catalina.out
/usr/openv/wmc/webserver/logs/catalina.out.bak 
nbsu output

 

NOTE-1: 
For clustered NetBackup Master/Primary servers,
ensure nbwmc changes are completed on both active and inactive nodes of the cluster. 

 

NOTE-2:
When copying and pasting from this article, take care with the dash/hyphen character
(“-”, 0x2d) in “-Dlog4j2.formatMsgNoLookups=true”.
In some cases the pasted character ends up as 0x90, which looks similar to a dash/hyphen.
This causes startup problems. It is best to type the "-" manually after copying the text from this article.
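
A check for the copy/paste damage described in NOTE-2, plus the "extraneous space after \" case listed in the revision history. This is an added example, not Veritas code; the file holding the option is not named in this article, so the function takes raw bytes, and the sample lines (including the `-Xms1g` option) are constructed.

```python
import re

OPTION = b"Dlog4j2.formatMsgNoLookups=true"
TRAILING_WS = re.compile(rb"\\[ \t]+\r?$")   # backslash followed by spaces/tabs at end of line


def lint_option_lines(raw):
    """Return [(line_no, code, detail)] for copy/paste damage in the given bytes."""
    problems = []
    for no, line in enumerate(raw.split(b"\n"), 1):
        at = line.find(OPTION)
        # The byte directly before "Dlog4j2..." must be the ASCII hyphen 0x2d.
        if at != -1 and line[max(at - 1, 0):at] != b"-":
            before = " ".join(f"{b:02x}" for b in line[max(at - 3, 0):at])
            problems.append((no, "bad-dash", f"bytes before option: {before or 'none'}"))
        # Any byte outside printable ASCII (tab allowed) is suspect in a startup option.
        stray = sorted({b for b in line.rstrip(b"\r") if b > 0x7E or (b < 0x20 and b != 0x09)})
        if stray:
            problems.append((no, "non-ascii", " ".join(f"{b:02x}" for b in stray)))
        # Whitespace after a continuation backslash ends the command early.
        if TRAILING_WS.search(line):
            problems.append((no, "space-after-backslash", "line continuation is broken"))
    return problems


# Constructed sample: line 1 is clean; line 2 carries U+2010 HYPHEN (UTF-8 e2 80 90,
# a lookalike whose last byte is 0x90) and a space after the continuation backslash.
SAMPLE = (
    b"-Xms1g -Dlog4j2.formatMsgNoLookups=true \\\n"
    b"-Xms1g \xe2\x80\x90Dlog4j2.formatMsgNoLookups=true \\ \n"
)

if __name__ == "__main__":
    for line_no, code, detail in lint_option_lines(SAMPLE):
        print(f"line {line_no}: {code}: {detail}")
```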

 


NetBackup Primary Server was also commonly referred to as Master Server.



| NetBackup Product / Component | Product Version | Log4j version in the product | Remediation: Binary Fix via Veritas Support (Refer ET = ETrack - Incident ID#) or Download HotFix from KB url | Mitigation: KB Article with steps to mitigate vulnerability in existing log4j version | Impact & Mitigation Details |
|---|---|---|---|---|---|
| NetBackup Primary Server | 7.7 | log4j ver. 1.2.16 | No action needed | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup Primary Server | 7.7.1 - 8.0 | log4j ver. 1.2.16 & 1.2.17 | No action needed | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup Primary Server | 8.1 - 8.1.1 | log4j ver. 1.2.17 | No action needed | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup Primary Server | 8.1.2 - 8.2 | log4j ver. 2.11.0 | 8.2 - Hotfix KB UPD621711; 8.1.2 - Hotfix KB UPD432977 | KB article UPD464986 | For Log4j 2.x: Download and replace vulnerable Log4j jars (Removed JndiLookup.class from classpath) |
| NetBackup Primary Server | 8.3 - 8.3.0.1 | log4j ver. 2.11.0 | 8.3.0.1 - Hotfix KB UPD736306 | KB article UPD464986 | Download and replace vulnerable Log4j jars (Removed JndiLookup.class from classpath) |
| NetBackup Primary Server | 8.3.0.2 - 9.1.0.1 | log4j ver. 2.13.3 | 8.3.0.2 - Hotfix KB UPD790636; 9.0.0.1 - Hotfix KB UPD178003; 9.1.0.1 - Hotfix KB UPD142248 | KB article UPD548210 | Download and replace vulnerable Log4j jars (Removed JndiLookup.class from classpath) |
| NetBackup Appliance Primary Server - (same steps as BYO Linux) | 3.1.2 - 4.1.0.1 MR1 | | Appliance KB 100052082 | 3.1.2 - 3.3.0.1: KB article UPD464986; 3.3.0.2 - 4.1: KB article UPD548210 | Download and replace vulnerable Log4j jars (Removed JndiLookup.class from classpath) |
| NetBackup Primary Server container on Flex Appliance | 8.1.2 – 9.1.0.1 | | Flex KB #100052106 | KB #100052106 | |
 

| NetBackup Product / Component | Product Version | Log4j version in the product | Remediation: Binary Fix from Veritas Support (Refer ET = ETrack - Incident ID#) or Download HotFix from KB url | Mitigation: KB Article with steps to mitigate vulnerability in existing log4j version | Impact & Mitigation Details |
|---|---|---|---|---|---|
| NetBackup Media Server | 8.0 – 9.1.0.1 | log4j ver. 2.x | Not remotely exploitable - no action needed - log4j 2.x files are NOT used - see FAQ #10. See table rows below for MSDP/CloudCatalyst and FAQ #3 - #4 | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| MSDP on NetBackup Appliance (Media Server Deduplication Pool) | 3.1.2, 3.2 | log4j ver. 2.11.0 | MSDP stopped shipping log4j components in all versions after 3.2. Other versions before 3.1.2 and after 3.2 are NOT affected. | KB #100052062 | Remove JndiLookup.class from the classpath |
| NetBackup Media Server container on Flex Appliance | 8.1.2 – 9.1.0.1 | | No action needed | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup Flex Scale Appliance | 2.1 | | 9.0.0.1 - ET 4058561 Version1; 9.1.0.1 - ET 4058560 Version2 | KB #100052101 | |
| MSDP on NetBackup BYO (Media Server Deduplication Pool) | 8.1.2, 8.2 | log4j ver. 2.11.0 | MSDP stopped shipping log4j components in all versions after 8.2. Other versions before 8.1.2 and after 8.2 are NOT affected. For versions 8.1.2 and 8.2, Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and does not execute. | KB #100052062 | Remove JndiLookup.class from the classpath |
| NetBackup Appliance CloudCatalyst Media Server | 3.1.2, 3.2 | log4j ver. 2.11.0 | MSDP stopped shipping log4j components in all NB Appliance versions after 3.2. Other versions before 3.1.2 and after 3.2 are NOT affected. For versions 3.1.2 and 3.2, Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and does not execute. | KB #100052062 | Remove JndiLookup.class from the classpath. Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup BYO CloudCatalyst Media Server | 8.1.2, 8.2 | log4j ver. 2.11.0 | MSDP stopped shipping log4j components in all versions after 8.2. Other versions before 8.1.2 and after 8.2 are NOT affected. For versions 8.1.2 and 8.2, Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and does not execute. | KB #100052062 | Remove JndiLookup.class from the classpath. Not impacted by CVE-2021-44228 and CVE-2021-45046 |

 

 

| NetBackup Product / Component | Product Version | Log4j version in the product | Remediation: Binary Fix from Veritas Support (Refer ET = ETrack - Incident ID#) or Download HotFix from KB url | Mitigation: KB Article with steps to mitigate vulnerability in existing log4j version | Impact & Mitigation Details |
|---|---|---|---|---|---|
| NetBackup Client | 7.7.3 – 8.2 | log4j ver. 1.x | No action needed. See FAQ #4 below | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup Client | 8.3 – 9.1.0.1 | | No action needed | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup OpsCenter | 8.1 - 8.1.1 | log4j ver. 1.2.17 | No action needed | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup OpsCenter | 8.1.2 - 8.3.0.1 | log4j ver. 2.11.0 | 8.2 - Hotfix KB UPD208534 | KB article UPD466241 | Download and replace vulnerable Log4j jars (Removed JndiLookup.class from classpath) |
| NetBackup OpsCenter | 8.3.0.2 - 9.1.0.1 | log4j ver. 2.13.3 | 8.3.0.2 - Hotfix KB UPD365767; 9.0.0.1 - Hotfix KB UPD871211; 9.1.0.1 - Hotfix KB UPD175750 | KB article UPD532246 | Download and replace vulnerable Log4j jars (Removed JndiLookup.class from classpath) |
| NetBackup Self Service | 7.7 – 9.1 | | No action needed | N/A | Not impacted by CVE-2021-44228 and CVE-2021-45046 |
| NetBackup Resiliency Platform | 3.4 - 4.0 | | | KB article UPD393946 | Download and replace vulnerable Log4j jar |
| NetBackup CloudPoint | 8.3 - 9.1.0.1 | | CP 8.3 - 8.3.0.2 - Hotfix KB UPD778762; CP 9.0 - 9.0.0.1 - Hotfix KB UPD275978; CP 9.1 - 9.1.0.1 - Hotfix KB UPD745194 | KB article #100052096 | Remove vulnerable class from Log4j jar |
| CloudPoint | 2.2.2 | | - | KB article 100052096 | Remove vulnerable class from Log4j jar |
| Aptare IT Analytics | 10.4 - 10.6 | | 10.5 P13 - Hotfix KB UPD98898; 10.6 P8 - Hotfix KB UPD298575 | KB #100052081 | |

 

 


 


Frequently Asked Questions

 

1. Are older versions of NetBackup vulnerable to CVE-2021-44228?

Answer:  No; see the table above

 

2. Are the versions of NetBackup and OpsCenter 8.1.1 or older vulnerable to log4j 1.x CVE-2021-4104 (JMSAppender) or CVE-2019-17571 (SocketServer)?

Answer: The NetBackup and OpsCenter engineering teams have assessed both CVE-2021-4104 (JMSAppender) and CVE-2019-17571 (SocketServer), as well as the use of log4j 1.x in NetBackup and OpsCenter versions 7.7.1 – 8.1.1. Based on this assessment, the engineering teams have determined that these vulnerabilities are not exploitable in NetBackup and OpsCenter. NetBackup and OpsCenter do not use the JMSAppender or SocketServer functionality of log4j 1.x. NetBackup and OpsCenter versions > 8.1.1 do not use log4j 1.x, and therefore these CVEs are not applicable to those versions.

 

3. Are NetBackup Media Servers vulnerable to CVE-2021-44228 or CVE-2021-45046?

Answer: No, NetBackup media servers do not use log4j 2.x, and are NOT vulnerable to CVE-2021-44228 or CVE-2021-45046.

If 7.7.1 – 8.2 media servers are also used as VMware access hosts, see FAQ #4 below.

MSDP Media servers on NetBackup Appliance versions 3.1.2 and 3.2  are addressed in KB #100052062. Media Servers using MSDP at 8.1.2, 8.2 are not affected by this vulnerability. See FAQ #5 regarding CloudCatalyst.

 

4. Are NetBackup Clients vulnerable to CVE-2021-44228 or CVE-2021-45046? 

Answer: No, NetBackup clients do not use log4j 2.x, and are NOT vulnerable to CVE-2021-44228 or CVE-2021-45046.

NetBackup clients between 7.7.1 – 8.2 have log4j 1.x components that are used as part of the VMware SDK for Virtual Machine discovery, and are also NOT affected by CVE-2021-44228 or CVE-2021-45046.

Additional information regarding packaged VMware components:

VMware backup/restore operations use jars in /usr/openv/lib/java or the <Install>\Veritas\NetBackup\Bin folder. If the media server also plays the role of discovery host, these jars are needed. If a media server or client must function as a VMware backup host, do not remove them.

7.7.3-8.1  - Standalone log4j-1.2.17.jar file is in the NBU path
NOT affected by CVE-2021-44228 or CVE-2021-45046. 

Do not remove this file on a Primary (Master) Server version 8.1 or 8.1.1
If a media server or client must function as a VMWare backup host, do not remove.
If a media server or client is not a VMWare backup host, this is safe to remove.

8.1.1-8.3 - Standalone log4j-1.2.17 is embedded in vsphere-samples-6.6.1.jar
NOT affected by CVE-2021-44228 or CVE-2021-45046.

If media server or client must function as a VMWare backup host, do not remove.
If the system (Master, Media or Client) is not a VMWare backup host, this is safe to remove.

Note: Even if a NBU Primary server IS NOT a VMWare backup host, and has the log4j-1.2.17.jar files, removal of those files will prevent nbwebservices from  starting and the NetBackup Administration Console will not function.

8.3+ onwards - No Java/JAR dependency (vsphere_samples_6.6.1 and other JARs removed from NBU)

 

5. Is NetBackup CloudCatalyst impacted?

Answer:  No.  Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and doesn't run. You can copy it to a safe place in case it is needed and remove the package from the server by running "rm -f /usr/openv/pdde/pdes/pdes.tar.gz".  NetBackup Cloud Catalyst only applies to NetBackup 8.1 through 8.3.0.1.

 

6. Can you clarify the steps needed for Veritas NetBackup Appliances?

Answer: Yes. Each role of a NetBackup Appliance in which log4j libraries are separately used requires mitigation, so multiple tasks are needed.

  • A NetBackup appliance that is also a Primary Server will need to apply the procedure for NetBackup mitigation as well as NetBackup Appliance mitigation in KB100052082.

  • A NetBackup Appliance that is only a media server 3.3.0.1 or higher only needs to follow the same mitigation for NetBackup Appliances.

  • A NetBackup Appliance that is a MSDP host for 3.1.2 or 3.2 has additional steps addressed in KB100052062.

  • NetBackup Appliances running 3.1.1 and prior should seek to upgrade in order to follow the mitigation steps available.

 

7. What steps are needed to mitigate vulnerable log4j libraries when NetBackup (including CloudPoint and Resiliency Platform) is deployed from Cloud Marketplace solution templates?

Answer: Cloud Marketplace customers may apply mitigation steps stated in this or linked articles depending on the product component - NetBackup Server, NetBackup CloudPoint, or NetBackup Resiliency Platform (VRP). Cloud Marketplace images will be republished with the latest fixes for the most recent product releases with an updated version identified.

 

8. If the mitigation steps to manually replace the vulnerable log4j-core-2.11.0.jar and log4j-core-2.13.3.jar have already been done on the master/primary servers, do we have to back out of (uninstall) that procedure before installing the EEBs that will upgrade the jar file(s) to log4j-core-2.17.1.jar?

Answer: No, the previously applied Mitigation steps do not need to be rolled back. The new Remediation EEBs upgrade Log4j to 2.17.1 and can be installed regardless of whether previous mitigations were deployed.
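
To confirm which state each log4j-core copy on a server is in (untouched, mitigated by removal of JndiLookup.class, or upgraded), the following added example walks jar and war files, including jars nested inside wars. It is not Veritas code; the state labels, nesting limit and size cap are assumptions of this example, the 2.16.0 threshold is the version this article names as addressing both CVEs, and the sample archive is constructed in memory.

```python
import io
import os
import re
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 16, 0)             # first release the advisory says addresses both CVEs
MAX_DEPTH = 4                  # assumed limit on archive-in-archive nesting
MAX_NESTED_BYTES = 256 << 20   # assumed cap: skip nested members above 256 MiB


def classify(version, has_jndi):
    """Map one log4j-core copy to fixed-version, mitigated or needs-action."""
    if version is not None and version >= FIXED:
        return "fixed-version"
    return "needs-action" if has_jndi else "mitigated"


def audit(name, data, trail="", depth=0):
    """Return [(path, version, has_jndi, state)] for log4j-core copies found in data."""
    path = f"{trail}!{name}" if trail else name
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                          # not a zip archive, or truncated
    findings = []
    with zf:
        match = CORE_JAR.search(name)
        has_jndi = JNDI_CLASS in zf.namelist()
        if match or has_jndi:              # has_jndi alone catches renamed copies
            version = None
            if match:
                parts = [int(p) for p in match.group(1).split(".")]
                version = tuple(parts + [0] * (3 - len(parts)))
            findings.append((path, version, has_jndi, classify(version, has_jndi)))
        for info in zf.infolist():
            nested = info.filename.lower().endswith(ARCHIVE_EXT)
            if nested and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                findings += audit(info.filename, zf.read(info), path, depth + 1)
    return findings


def scan_tree(root):
    """Audit every archive file below root, e.g. a NetBackup install directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.lower().endswith(ARCHIVE_EXT)):
            with open(os.path.join(dirpath, fname), "rb") as fh:
                findings += audit(fh.name, fh.read())
    return findings


def _zip(members):
    """Build an in-memory zip from {member name: bytes} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    return buf.getvalue()


def constructed_sample():
    """Constructed WAR: untouched 2.11.0 jar, mitigated 2.13.3 jar, upgraded 2.17.1 jar."""
    stub = b"\xca\xfe\xba\xbe"             # placeholder bytes, not a real class file
    return _zip({
        "WEB-INF/lib/log4j-core-2.11.0.jar": _zip({JNDI_CLASS: stub}),
        "WEB-INF/lib/log4j-core-2.13.3.jar": _zip({"META-INF/MANIFEST.MF": b""}),
        "WEB-INF/lib/log4j-core-2.17.1.jar": _zip({JNDI_CLASS: stub}),
    })


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if sys.argv[1:] else audit("sample.war", constructed_sample())
    for path, _version, has_jndi, state in results:
        print(f"{state:13} JndiLookup={has_jndi!s:5} {path}")
```

Run with a directory argument to scan files on disk; with no argument it reports on the constructed sample. The version is read from the jar file name only, so a copy whose name carries no version is reported as needs-action whenever JndiLookup.class is present.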

 

9. Is the "Java Remote Administration Console" vulnerable to CVE-2021-44228 or CVE-2021-45046? 

Answer: No. The "Java Remote Administration Console" is not impacted and is NOT vulnerable to CVE-2021-44228 or CVE-2021-45046.

 

10. The following files are being flagged when using a vulnerability scanner on a NetBackup media server. Can these Log4j files on the media server be removed?

Answer: Outside of the use-cases for Log4j on VMware backup host (covered in FAQ #3 and #4), these JAR and WAR files can be removed from the media server to limit alerts being raised by scanners. If these files exist on a media server, they may be removed from the media server. Create a backup copy of all the files that are being removed:

# tar cfvz /tmp/log4j-tainted-files.tar.gz \
  /usr/openv/wmc/lib/log4j-web-2.11.0.jar \
  /usr/openv/wmc/lib/log4j-core-2.11.0.jar \
  /usr/openv/wmc/lib/log4j-api-2.11.0.jar \
  /usr/openv/nbwmc.tar.gz \
  /usr/openv/netbackup/web/netbackup.war \
  /usr/openv/netbackup/web/cssclegacy.war \
  /usr/openv/netbackup/web/nbwss.war \
  /usr/openv/wmc/webserver/webapps_api_cssc/ROOT.war \
  /usr/openv/wmc/webserver/webapps_api/netbackup.war \
  /usr/openv/wmc/webserver/webapps_api/nbwss.war \
  /usr/openv/wmc/webserver/webapps/nbwebservice.war \
  /usr/openv/wmc/war/nbwebservice.war;

 

Files to be removed:

  • jar files to be removed:
    • rm /usr/openv/wmc/lib/log4j-web-2.11.0.jar
    • rm /usr/openv/wmc/lib/log4j-core-2.11.0.jar
    • rm /usr/openv/wmc/lib/log4j-api-2.11.0.jar
  • tar.gz files to be removed:
    • rm /usr/openv/nbwmc.tar.gz
  • war files to be removed:
    • rm /usr/openv/netbackup/web/netbackup.war
    • rm /usr/openv/netbackup/web/cssclegacy.war
    • rm /usr/openv/netbackup/web/nbwss.war
    • rm /usr/openv/wmc/webserver/webapps_api_cssc/ROOT.war
    • rm /usr/openv/wmc/webserver/webapps_api/netbackup.war
    • rm /usr/openv/wmc/webserver/webapps_api/nbwss.war
    • rm /usr/openv/wmc/webserver/webapps/nbwebservice.war
    • rm /usr/openv/wmc/war/nbwebservice.war

Optionally, the following non-jar log4j2.x files and remaining directories may also be backed up and removed:

  • Non-jar log4j2.x files to be removed:
    • rm /usr/openv/wmc/webserver/lib/log4j2.properties
    • rm /usr/openv/wmc/config/log4j2.properties
  • Entire directories to be removed:
    • rm -fr /usr/openv/wmc/webserver/webapps_api/nbwss
    • rm -fr /usr/openv/wmc/webserver/webapps_api/netbackup
    • rm -fr /usr/openv/wmc/webserver/webapps/nbwebservice

 

Other Questions?

For any other questions regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).

 

 


[Last Updated 2022-01-20 0500 UTC]

Revision History (latest updates on top)

  • Updated FAQ#4 wording to remove customer confusion regarding log4j-1.2.17 version jars that are not included in the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
  • Updated FAQ#10 wording to remove customer confusion about whether or not /usr/openv/wmc folder exists on 9.2 and 9.1 BYO media servers.
  • Added FAQ #10 regarding scanners flagging files on NBU media servers
  • Added FAQ #9 for JAVA UI
  • Updated text in FAQ #8
  • NetBackup products are NOT impacted by CVE-2021-44832
  • Updated guidance for NetBackup Support (files found in webapps_api_cssc path) as an Internal Note
  • Updated link for 8.3.0.2 Hotfix
  • Added a row to separate Veritas CloudPoint from NetBackup Cloudpoint
  • Added CloudPoint 8.3 and 9.0.0.1 Download Center HotFix Update ID's links to the table above.
  • Changed EEB version for 8.3.0.2 EEB 4058562 to Version 3
  • Added NetBackup Primary server BYO, Flex, and NetBackup Appliance Download Center Hotfix link for 8.1.2 / 3.1.2 EEB 3983309 Version 4
  • Added NetBackup Primary server BYO, Flex, and NetBackup Appliance Download Center Hotfix link for 8.2 / 3.2 EEB 4021776 Version 3
  • Added NetBackup Primary server BYO, Flex, and NetBackup Appliance Download Center Hotfix link for 9.0.0.1 / 4.0.0.1 EEB 4058561 Version 1
  • Added NetBackup Primary server BYO, Flex, and NetBackup Appliance Download Center Hotfix link for 9.1.0.1 / 4.1.0.1 EEB 4058560 Version 2
  • Changed EEB version for 8.3.0.2 EEB 4058562 to Version 2 due to issues with version 1
  • Added Download Center update names and links for OpsCenter 8.2, 8.3.0.2, 9.0.0.1, and 9.1.0.1 removing the etrack numbers.
  • Added 8.3.0.1 EEB ET for NBU primary servers since it was made available via support call
  • Updated severity/base, and vector for CVE-2021-45056
  • Updated FAQ #4 and also reformatted table
  • Added to FAQ question/answer regarding applying EEB even if mitigation steps have been put into place.  The EEB CAN BE installed even if mitigation steps have already been applied.
  • Removed manual mitigation steps for NetBackup primary/master servers
  • Removed manual mitigation steps for NetBackup primary/master appliance servers.
  • Added line to document addressing CVE-2021-45105 fixed in 2.17.0 (not exploitable in NBU)
  • Added OpsCenter 8.2 and 8.3.0.2 EEB numbers to the table to show which EEB to use instead of doing manual mitigation steps.
  • Provided download center Update ID link for Veritas Resiliency Platform versions 3.4 to 4.0 in table. Removed reference to KB article #100052109
  • Provided download center Update ID's for manual jar file replacements for OpsCenter servers (8.1.2-8.3.0.1 and 8.3.0.2-9.1.0.1) 
  • Provided download center Update ID's for manual jar file replacements for NetBackup BYO primary servers (8.1.2-8.3.0.1 and 8.3.0.2-9.1.0.1) 
  • Updated link for mitigation for Aptare linked KB 100052081
  • Updated rollback instructions for MSDP on NB Appliance in linked KB 100052062
  • Added note regarding CVE-2021-45046 - Dec 14, 2021
  • Updated steps for NetBackup container on Flex Appliance 
  • Added FAQ about media servers, clients and older revision software 
  • Added note – updating table format; adding non-impacted products
  • Added link to steps for mitigation for NetBackup OpsCenter - KB 100052100
  • New link for log4j mitigation of NB Primary Server container on Flex Appliance - KB 100052084
  • Added link to steps for mitigation for CloudPoint 2.2.2 - KB 100052083
  • Added link to steps for mitigation for Media Server Deduplication Pools - KB 100052062
  • Updated mitigation steps for NetBackup Resiliency to include versions 3.4-3.5
  • Added mitigation steps for NetBackup Master/Primary software container on Flex Appliance
  • Added mitigation steps for NetBackup Resiliency/Veritas Resiliency Platform 3.6 - 4.0  KB 100052109
  • CloudPoint instructions - Added steps to identify current version of CloudPoint 8.3
  • Added note - regarding startup errors seen for extraneous space after \ or from copy/paste errors
  • Added note - changes to be made on both active and inactive nodes for failover systems
  • Initial response regarding CVE-2021-44228 - Dec 10, 2021

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 

 

Related Downloads

Impact of CVE-2021-44228 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0
Impact of CVE-2021-44228 Apache Log4j Vulnerability on NetBackup Server Versions 8.3.0.2 - 9.1.0.1
NetBackup 9.0.0.1 Hotfix - NetBackup Server 2.17.1 Apache Log4j addressing CVE-2021-44228 and CVE-2021-45046 Vulnerability (Etrack - 4058561)
NetBackup OpsCenter 8.3.0.2 Hotfix - VTS22-009 Security Advisory and Apache Log4J 2.17.1 (Etrack - 4058556)
NetBackup CloudPoint 9.0.0.1 Patch - Fix for Apache logging vulnerability for common-objects and IDM
Impact of CVE-2021-44228 Apache Log4j Vulnerability on NetBackup Server Versions 8.1.2 - 8.3.0.1
NetBackup OpsCenter 9.0.0.1 Hotfix - VTS22-009 Security Advisory and Apache Log4J 2.17.1 (Etrack - 4058555)
NetBackup 9.1.0.1 Hotfix - NetBackup Server 2.17.1 Apache Log4j addressing CVE-2021-44228 and CVE-2021-45046 Vulnerability (Etrack 4058560)
Impact of CVE-2021-44228 Apache Log4j Vulnerability on NetBackup OpsCenter Versions 8.1.2 - 8.3.0.1
NetBackup 8.2 / 3.2 HotFix - EEB Bundle for nbdeployutil, netbackup.war, libVdb, and 2.17.1 Apache Log4j addressing CVE-2021-44228 and CVE-2021-45046 (Etrack 4021776)
Impact of CVE-2021-44228 Apache Log4j Vulnerability on NetBackup OpsCenter Versions 8.3.0.2 - 9.1.0.1
NetBackup CloudPoint 8.3 Patch - Fix for Apache logging vulnerability for common-objects and IDM
NetBackup 8.1.2 Hotfix - nbdeployutil and Smart Meter bundle with CVE-2021-44228 and CVE-2021-45046 Apache Log4j 2.17.1 fix (Etrack 3983309)
NetBackup OpsCenter 9.1.0.1 Hotfix - VTS22-009 Security Advisory and Apache Log4J 2.17.1 (Etrack - 4058553)
NetBackup OpsCenter 8.2 Hotfix - OpsCenter CVE-2021-44228 and CVE-2021-45046 Apache Log4j Vulnerability(Etrack - 4058565)
