Impact of CVE-2021-44228 Apache Log4j Vulnerability on MSDP - Media Server Deduplication Engine

Impact of CVE-2021-44228 Apache Log4j Vulnerability on MSDP - Media Server Deduplication Engine

Article: 100052062
Last Published: 2022-01-01
Ratings: 5 8
Product(s): NetBackup

Description

The Vulnerability only impacts NetBackup Appliance MSDP 3.1.2 and 3.2.

About CVE-2021-44228, CVE-2021-45046 Apache Log4j Vulnerabilities 

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. 

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) and a denial of service vulnerability (CVE-2021-45046) affecting Log4j versions 2.0-beta9 to 2.15. A remote attacker could exploit these vulnerabilities to take control of an affected system.   

More information is available from the Apache Announcement and recommends upgrading to the latest Log4j 2.16.0 or applying recommended mitigations immediately. 

Issue 

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. 

Severity: Critical 
Base CVSS Score: 10.0 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 

CVE-2021-45046: Apache Log4j2 JNDI features do not protect against malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.  

Severity: Low 
Base CVSS Score: 3.7 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 

 

For appliance 3.1.2 and 3.2, to mitigate the Log4j Vulnerability for MSDP, please follow the steps below:

 1. Login to appliance CLISH and get to elevated shell:

Main_Menu> Support
Entering NetBackup support view...

.Support> Maintenance
<!-- Maintenance Mode --!>
maintenance's password:
maintenance-!> /opt/Symantec/sdcssagent/IPS/sisipsoverride.sh;elevate

 2. Make a backup copy of the file /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar by running:
# cp /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar.orig.log4j2

Remove JndiLookup class by running: 

# zip -q -d /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 3. Verify the class is not present by running:

unzip -l /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar | grep JndiLookup

There should be no output containing JndiLookup.

4. Verrify if the service is running or not:

# bpps -a | grep pdde-es

# systemctl status pdde-es

If the service is NOT running, skip Step 5.  

5. Restart pdde-es service by running

# systemctl restart pdde-es.service

Note: Existing Instant Access VMs are not affected by the steps. Instant Access functions will continue to work after the steps.

 

For Appliance upgraded from 3.1.2 or 3.2, Log4j is not used any more for MSDP and please follow the steps below in case the Log4j files are not completely removed during upgrade:

 1. Get elevated shell like above.

 2. run the command "rm -rf /usr/openv/pdde/pdes"

 

For NetBackup BYO Server (Redhat only) 8.1.2 and 8.2, the Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and doesn't run. You can copy it to a safe place in case it is needed and remove the package from the server by running:

rm -f /usr/openv/pdde/pdes/pdes.tar.gz

For NetBackup BYO MSDP Server 8.3 and later, pdes.tar.gz is removed from the rpm.

For NetBackup Cloud Catalyst Media Servers the Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and doesn't run. You can copy it to a safe place in case it is needed and remove the package from the server by running:  

# rm -f /usr/openv/pdde/pdes/pdes.tar.gz

 

NOTES:

If a 3.1.2 or 3.2, customer removes  pdes.tar.gz, during later upgrade, there will be a warning in pdde installation trace file,  /tmp/install_VRTSpddes.rpm_trace.<pid>:

warning: file /usr/openv/pdde/pdes/pdes.tar.gz: remove failed: No such file or directory

This warning does not affect the upgrade.

 

Questions

For any other questions regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).

Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Was this content helpful?