IMPORTANT NOTES
Vulnerability scanners may still report the Log4j vulnerabilities even after applying the provided mitigation hot fixes or mitigation steps. This is expected as most scanners are not designed to account for the mitigations.
If the parameter "-Dlog4j2.formatMsgNoLookups=true" was added per previous advisement from this technote, it can remain in place. This is based on the Apache advisory.
This technote also applies to NetBackup Virtual Appliances.
VULNERABILITIES
Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints. Fixed in Log4j 2.15.0. Apache recommends upgrading to Log4j 2.15.0 or applying recommended mitigations immediately.
Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. Fixed in Log4j 2.16.0. Apache recommends upgrading to Log4j 2.16.0 or applying recommended mitigations immediately. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. Fixed in Log4j 2.17.0. Apache recommends upgrading to Log4j 2.17.0. NetBackup Appliances are not impacted by this vulnerability.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Fixed in Log4j 2. Apache recommends upgrading to Log4j 2. NetBackup Appliances are not exploitable by this vulnerability.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. Fixed in Log4j 2.17.1. Apache recommends upgrading to Log4j 2.17.1. NetBackup Appliances are not exploitable by this vulnerability.
For CVE-2021-44228 and CVE-2021-45046, Veritas is providing the following:
- NetBackup Appliance Mitigation Hot Fixes that remove the JNDI Lookup class in Appliance-specific component.
- NetBackup Appliance Remediation Hot Fixes (for 3.2 and above) that update Log4j version to 2.17.1
- NetBackup Remediation Hot Fixes that update the Log4j version to 2.16.0 or 2.17.1 in the NetBackup application component used by NetBackup Appliances. This applies to NetBackup 8.1.2 (2.16.0) and above (2.17.1), except for 8.3/9.0/9.1, which correspond to NetBackup Appliance 4.0/4.1 (there is no 3.3 version). For the 8.3/9.0/9.1 releases, NetBackup is providing a mitigation only (removal of the JNDI Lookup class).
Where available, it is strongly recommended to install the NetBackup Appliance Remediation Hot Fixes instead of the NetBackup Appliance Mitigation Hot Fixes.
The NetBackup Appliance Remediation Hot Fixes can be installed on top of the Mitigation Hot Fixes; there is no need to first uninstall the Mitigation Hot Fixes.
Given the above, note the following:
- NetBackup Appliance versions 3.1.2/3.2 (including any MR)/3.3.0.x (including any MR)/4.0.0.1 MR1 or MR2/4.1.0.1 MR1 require two Hot Fixes (NetBackup Appliance Hot Fix and NetBackup Hot Fix), which can be installed in any order.
- NetBackup Appliance versions 4.0 (no MR)/4.1 (no MR) require one Hot Fix (NetBackup Appliance Mitigation Hot Fix) and one mitigation for NetBackup. To get the NetBackup/NetBackup Appliance Remediation Hot Fixes, appliances running 4.0 or 4.1 must upgrade to 4.0.0.1 MR3 or 4.1.0.1 MR1 (and install Hot Fix) respectively.
- NetBackup Appliance versions 3.0/3.1/3.1.1 require one Hot Fix (NetBackup Appliance Mitigation Hot Fix).
REQUIRED HOT FIX MATRIX FOR NETBACKUP APPLIANCES AND NETBACKUP VIRTUAL APPLIANCES
NetBackup Appliance Version | NetBackup Appliance Mitigation Hot Fix (Required on Primary/Media) | NetBackup Appliance Remediation Hot Fix (Required on Primary/Media) | NetBackup Remediation Hot Fix* (Required on Primary, Optional on Media**)
4.1/4.1.0.1 MR1 | | Upgrade to 4.1.0.1 MR2 | Included in 4.1.0.1 MR2
4.0/4.0.0.1 MR1/4.0.0.1 MR2 | | Upgrade to 4.0.0.1 MR3 | Download here
3.3.0.1/3.3.0.1 MR1/3.3.0.1 MR2/3.3.0.1 MR3 | | Upgrade to 3.3.0.2 MR2 and then install Hot Fix | Download here
3.3.0.2 MR1/3.3.0.2 MR2 | | Upgrade to 3.3.0.2 MR2 and then install Hot Fix | Download here
3.2/3.2 MR1/3.2 MR2/3.2 MR3 | | Upgrade to 3.2 MR3 and install Hot Fix from here | Download here
3.1.2 | Download here | No plan to provide | Download here
3.1.1 | Download here | No plan to provide | NOT APPLICABLE
3.1 | Download here | No plan to provide |
3.0 | Download here | No plan to provide |
** The NetBackup Hot Fix does not need to be applied on the Media server, since the Log4j library, although present on the Media server, is dormant and not used. Note, however, that if the NetBackup Hot Fix is not applied on the Media server, vulnerability scanners could flag it.
If for some reason you are not able to install the NetBackup Appliance Hot Fix, you can follow the steps below to manually remove the JNDI Lookup class. If you have previously manually removed the JNDI Lookup class, there is no need to install the NetBackup Appliance Hot Fix.
MITIGATION STEPS TO REMOVE JNDI LOOKUP CLASS (Only needed if NetBackup Appliance Hot Fix is not being installed)
1) Log in to the Appliance command line shell as an Administrator
Main_Menu> Support
Entering NetBackup support view..
Support> Maintenance
<!-- Maintenance Mode --!>
maintenance's password:
maintenance-!> /opt/Symantec/sdcssagent/IPS/sisipsoverride.sh;elevate
2) Stop NetBackup Appliance Services to add new log4j parameter setting
as-collector stop
as-analyzer stop
as-alertmanager stop
as-transmission stop
service tomcat-vxos stop
3) Update JndiLookup Class
for log4jcore in $(find /opt -name '*log4j*core*.jar' 2>/dev/null); do echo "$log4jcore"; zip -q -d "$log4jcore" org/apache/logging/log4j/core/lookup/JndiLookup.class; done
Example Output:
/opt/autosupport/fileuploader/lib/log4j-core-2.13.2.jar
/opt/autosupport/analyzer/lib/log4j-core-2.13.2.jar
/opt/autosupport/alertmanager/lib/log4j-core-2.13.2.jar
/opt/autosupport/transmission/lib/log4j-core-2.13.2.jar
/opt/apache-tomcat/vxos/webapps/appliance/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/appliancews/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/ascws/WEB-INF/lib/log4j-core-2.13.2.jar
4) Start NetBackup Appliance Services with new log4j parameter setting
service tomcat-vxos start
as-transmission start
as-alertmanager start
as-analyzer start
as-collector start
To check whether the JNDI Lookup class has been removed, run the following command; no output means the class is no longer present in any of the jars
for i in $(find /opt -name '*log4j*core*.jar' 2>/dev/null); do unzip -l "$i" | grep -q JndiLookup && echo "JndiLookup still present: $i"; done
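The removal loop in step 3 and the check above both rely on zip/unzip being present and on reading the output by eye. The following script is an added example, not Veritas's tooling and not part of the original technote: it does the same two things (find every *log4j*core*.jar under a root, report whether JndiLookup.class is inside, and optionally rewrite the jar without it) using Python's zipfile module, so the result can be checked programmatically. The scan root is a parameter; the sample jars that build_sample_tree() creates under a temporary directory are constructed fixtures, so the script never touches real appliance paths such as /opt unless you pass one.

```python
"""Audit and optionally mitigate log4j-core jars under a directory tree.

Added example, not Veritas's own tooling: reproduces with Python's zipfile module
what the advisory's find / zip -d loop and the unzip -l | grep check do. The scan
root is a parameter; build_sample_tree() creates a constructed fixture tree.
"""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry removed by the advisory's "zip -q -d ... JndiLookup.class" step.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_GLOB_RE = re.compile(r"log4j.*core.*\.jar$")  # mirrors find -name '*log4j*core*.jar'
JAR_VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

@dataclass
class JarReport:
    path: str
    version: Optional[Tuple[int, ...]]  # parsed from the file name, None if not parseable
    jndi_present: bool

def find_log4j_core_jars(root: str) -> List[str]:
    """Walk root and return every jar whose name matches *log4j*core*.jar, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if JAR_GLOB_RE.search(f))
    return sorted(hits)

def parse_version(path: str) -> Optional[Tuple[int, ...]]:
    m = JAR_VERSION_RE.search(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None

def entry_names(path: str) -> List[str]:
    with zipfile.ZipFile(path) as zf:
        return zf.namelist()

def has_jndi_lookup(path: str) -> bool:
    """Equivalent of: unzip -l "$jar" | grep JndiLookup"""
    return JNDI_CLASS in entry_names(path)

def audit(root: str) -> List[JarReport]:
    return [JarReport(p, parse_version(p), has_jndi_lookup(p)) for p in find_log4j_core_jars(root)]

def strip_jndi_lookup(path: str) -> bool:
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete an entry in place).
    Returns True if the entry was removed, False if the jar did not contain it."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))  # keeps each entry's own metadata
    if removed:
        os.replace(tmp, path)  # atomic swap, so a crash never leaves a half-written jar behind
    else:
        os.remove(tmp)
    return removed

def mitigate(root: str) -> List[str]:
    """Strip JndiLookup.class from every log4j-core jar under root; returns the jars changed."""
    return [p for p in find_log4j_core_jars(root) if strip_jndi_lookup(p)]

def make_sample_jar(path: str, version: str, with_jndi: bool = True) -> None:
    """Constructed fixture: a minimal jar with a manifest and placeholder class entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def build_sample_tree() -> str:
    """Constructed fixture tree: one unmitigated 2.13.2 jar, one already-clean 2.17.1 jar,
    and a log4j-api jar that the name pattern must ignore. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    make_sample_jar(os.path.join(root, "a", "lib", "log4j-core-2.13.2.jar"), "2.13.2")
    make_sample_jar(os.path.join(root, "b", "WEB-INF", "lib", "log4j-core-2.17.1.jar"), "2.17.1", with_jndi=False)
    make_sample_jar(os.path.join(root, "c", "lib", "log4j-api-2.13.2.jar"), "2.13.2")
    return root

if __name__ == "__main__":
    # Usage: python3 log4j_jndi_audit.py [ROOT] [--fix]; with no ROOT a constructed tree is used.
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = args[0] if args else build_sample_tree()
    for r in audit(root):
        print("%-60s version=%s JndiLookup=%s" % (r.path, r.version, "PRESENT" if r.jndi_present else "absent"))
    if "--fix" in sys.argv:
        for p in mitigate(root):
            print("stripped JndiLookup.class from", p)
```

Run it without arguments to see the audit on the constructed tree, or with a real root and --fix to strip the class the way step 3 does; the services stopped in step 2 should still be stopped while the jars are rewritten, and the audit run again afterwards should list every jar as absent.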
OTHER NOTES
Note that if any of the following NetBackup Appliance war files are updated, the NetBackup Appliance Hot Fix will need to be rolled back and re-installed. This is not an expected scenario as it requires root access.
List of war files:
/opt/autosupport/webservice/ascws.war
/opt/apache-tomcat/vxos/webapps/ascws.war
/opt/apache-tomcat/vxos/webapps/appliancews.war
/opt/apache-tomcat/vxos/webapps/appliance.war
/opt/apache-tomcat/vxos/webapps/fcr-webservice-0.1.0.war
/opt/VRTSnbappgui/appliancews.war
/opt/VRTSnbappgui/appliance.war
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.