The Vulnerability only impacts NetBackup Appliance MSDP 3.1.2 and 3.2.
About CVE-2021-44228, CVE-2021-45046 Apache Log4j Vulnerabilities
Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) and a denial of service vulnerability (CVE-2021-45046) affecting Log4j versions 2.0-beta9 to 2.15. A remote attacker could exploit these vulnerabilities to take control of an affected system.
More information is available from the Apache Announcement and recommends upgrading to the latest Log4j 2.16.0 or applying recommended mitigations immediately.
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Base CVSS Score: 10.0
CVE-2021-45046: Apache Log4j2 JNDI features do not protect against malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.
Base CVSS Score: 3.7
For appliance 3.1.2 and 3.2, to mitigate the Log4j Vulnerability for MSDP, please follow the steps below:
1. Login to appliance CLISH and get to elevated shell:
Entering NetBackup support view...
<!-- Maintenance Mode --!>
2. Make a backup copy of the file /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar by running:
# cp /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar.orig.log4j2
Remove JndiLookup class by running:
# zip -q -d /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Verify the class is not present by running:
unzip -l /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar | grep JndiLookup
There should be no output containing JndiLookup.
4. Verrify if the service is running or not:
# bpps -a | grep pdde-es
# systemctl status pdde-es
If the service is NOT running, skip Step 5.
5. Restart pdde-es service by running
# systemctl restart pdde-es.service
Note: Existing Instant Access VMs are not affected by the steps. Instant Access functions will continue to work after the steps.
For Appliance upgraded from 3.1.2 or 3.2, Log4j is not used any more for MSDP and please follow the steps below in case the Log4j files are not completely removed during upgrade:
1. Get elevated shell like above.
2. run the command
"rm -rf /usr/openv/pdde/pdes"
For NetBackup BYO Server (Redhat only) 8.1.2 and 8.2, the Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and doesn't run. You can copy it to a safe place in case it is needed and remove the package from the server by running:
rm -f /usr/openv/pdde/pdes/pdes.tar.gz
For NetBackup BYO MSDP Server 8.3 and later, pdes.tar.gz is removed from the rpm.
For NetBackup Cloud Catalyst Media Servers the Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and doesn't run. You can copy it to a safe place in case it is needed and remove the package from the server by running:
# rm -f /usr/openv/pdde/pdes/pdes.tar.gz
If a 3.1.2 or 3.2, customer removes pdes.tar.gz, during later upgrade, there will be a warning in pdde installation trace file,
warning: file /usr/openv/pdde/pdes/pdes.tar.gz: remove failed: No such file or directory
This warning does not affect the upgrade.
For any other questions regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Was this content helpful?
Rating submitted. Please provide additional feedback (optional):