Impact of Apache Log4j Vulnerabilities on NetBackup Appliances

Article: 100052082
Last Published: 2022-01-23
Product(s): Appliances

IMPORTANT NOTES

Vulnerability scanners may still report the Log4j vulnerabilities even after applying the provided hot fixes or mitigation steps. This is expected as most scanners are not designed to account for the mitigations.

If the parameter “-Dlog4j2.formatMsgNoLookups=true” was added as previously advised in this technote, it can remain in place. This is consistent with the Apache advisory.

This technote also applies to NetBackup Virtual Appliances.

VULNERABILITIES

CVE-2021-44228

Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints. Fixed in Log4j 2.15.0. Apache recommends upgrading to Log4j 2.15.0 or applying recommended mitigations immediately.

CVE-2021-45046

Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. Fixed in Log4j 2.16.0. Apache recommends upgrading to Log4j 2.16.0 or applying recommended mitigations immediately. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

CVE-2021-45105

Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. Fixed in Log4j 2.17.0. Apache recommends upgrading to Log4j 2.17.0. NetBackup Appliances are not impacted by this vulnerability.

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Fixed in Log4j 2. Apache recommends upgrading to Log4j 2. NetBackup Appliances are not exploitable by this vulnerability.

CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code. Fixed in Log4j 2.17.1. Apache recommends upgrading to Log4j 2.17.1. NetBackup Appliances are not exploitable by this vulnerability.

For CVE-2021-44228 and CVE-2021-45046, Veritas is providing the following:

  • NetBackup Appliance Mitigation Hot Fixes that remove the JNDI Lookup class in the Appliance-specific component.
  • NetBackup Appliance Remediation Hot Fixes (for 3.2 and above) that update the Log4j version to 2.17.1 (available in 4.0.0.1 MR3; work in progress for other releases).
  • NetBackup Remediation Hot Fixes that update the Log4j version to 2.16.0 or 2.17.1 in the NetBackup application component used by NetBackup Appliances. This applies to NetBackup 8.1.2 (2.16.0) and above (2.17.1), except for 8.3/9.0/9.1, which correspond to NetBackup Appliance 4.0/4.1 (there is no 3.3 version). For the 8.3/9.0/9.1 releases, NetBackup provides a mitigation only (removal of the JNDI Lookup class).

Given the above, note the following:

  • NetBackup Appliance versions 3.1.2/3.2 (including any MR)/3.3.0.x (including any MR)/4.0.0.1 MR1 or MR2/4.1.0.1 MR1 require two Hot Fixes (NetBackup Appliance Hot Fix and NetBackup Hot Fix), which can be installed in any order.
  • NetBackup Appliance versions 4.0 (no MR)/4.1 (no MR) require one Hot Fix (NetBackup Appliance Hot Fix) and one mitigation for NetBackup.
  • NetBackup Appliance versions 3.0/3.1/3.1.1 require one Hot Fix (NetBackup Appliance Hot Fix).
  • To get the Log4j 2.16.0 version for NetBackup, appliances running 4.0/4.1 must first install the latest MR.

REQUIRED HOT FIX MATRIX FOR NETBACKUP APPLIANCES AND NETBACKUP VIRTUAL APPLIANCES

Columns:
  (A) NetBackup Appliance Mitigation Hot Fix: required on Primary/Media
  (B) NetBackup Appliance Remediation Hot Fix: required on Primary/Media
  (C) NetBackup Remediation Hot Fix*: required on Primary, optional on Media**

NetBackup Appliance Version                     | (A) Appliance Mitigation Hot Fix | (B) Appliance Remediation Hot Fix               | (C) NetBackup Remediation Hot Fix*
------------------------------------------------|----------------------------------|-------------------------------------------------|-----------------------------------
4.1                                             | Download here                    | Upgrade to 4.1.0.1 MR1 and then install Hot Fix | Follow mitigation here
4.1.0.1 MR1                                     | Download here                    | In Progress                                     | Download here
4.0                                             | Download here                    | Upgrade to 4.0.0.1 MR3                          | Follow mitigation here
4.0.0.1 MR1 / 4.0.0.1 MR2                       | Download here                    | Upgrade to 4.0.0.1 MR3                          | Download here
3.3.0.1 / 3.3.0.1 MR1 / 3.3.0.1 MR2 / 3.3.0.1 MR3 | Download here                  | In Progress                                     | Download here
3.3.0.2 MR1 / 3.3.0.2 MR2                       | Download here                    | In Progress                                     | Download here
3.2 / 3.2 MR1 / 3.2 MR2 / 3.2 MR3               | Download here                    | In Progress                                     | Download here
3.1.2                                           | Download here                    | Will not provide                                | Download here
3.1.1                                           | Download here                    | Will not provide                                | Not applicable
3.1                                             | Download here                    | Will not provide                                | Not applicable
3.0                                             | Download here                    | Will not provide                                | Not applicable
* The NetBackup Remediation Hot Fix is not available for 4.0/4.1.

** The NetBackup Hot Fix does not need to be applied on the Media server, since the Log4j library, although present on the Media server, is dormant and not used. Note, however, that if the NetBackup Hot Fix is not applied on the Media server, vulnerability scanners could flag this.

If for some reason you are not able to install the NetBackup Appliance Hot Fix, you can follow the steps below to manually remove the JNDI Lookup class. If you have previously manually removed the JNDI Lookup class, there is no need to install the NetBackup Appliance Hot Fix.

MITIGATION STEPS TO REMOVE JNDI LOOKUP CLASS (Only needed if NetBackup Appliance Hot Fix is not being installed)

1) Log in to the Appliance command line shell as an Administrator

Main_Menu> Support
Entering NetBackup support view..

Support> Maintenance
<!-- Maintenance Mode --!>
maintenance's password:
maintenance-!> /opt/Symantec/sdcssagent/IPS/sisipsoverride.sh;elevate

2) Stop the NetBackup Appliance services before modifying the Log4j jar files

as-collector stop
as-analyzer stop
as-alertmanager stop
as-transmission stop
service tomcat-vxos stop

3) Remove the JndiLookup class from every log4j-core jar under /opt

# Find every log4j-core jar under /opt, print its path, then delete the
# JndiLookup class entry from the jar in place (zip -d edits the archive).
for log4jcore in $(find /opt -name '*log4j*core*.jar' 2> /dev/null); do
    echo "$log4jcore"
    zip -q -d "$log4jcore" org/apache/logging/log4j/core/lookup/JndiLookup.class
done

     Example Output:

/opt/autosupport/fileuploader/lib/log4j-core-2.13.2.jar
/opt/autosupport/analyzer/lib/log4j-core-2.13.2.jar
/opt/autosupport/alertmanager/lib/log4j-core-2.13.2.jar
/opt/autosupport/transmission/lib/log4j-core-2.13.2.jar
/opt/apache-tomcat/vxos/webapps/appliance/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/appliancews/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/ascws/WEB-INF/lib/log4j-core-2.13.2.jar

4) Start the NetBackup Appliance services again

service tomcat-vxos start
as-transmission start
as-alertmanager start
as-analyzer start
as-collector start

To check whether the JNDI Lookup class has been removed, run the following script. It lists the contents of every log4j-core jar and prints only entries that still contain JndiLookup; no output means the class is gone from every jar.

for i in $(find /opt -name '*log4j*core*.jar' 2> /dev/null); do unzip -l "$i" | grep JndiLookup; done
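The find/zip/unzip one-liners above are what you run on the appliance itself. The following is an added Python example, not Veritas code and not part of this technote, that performs the same inventory, removal and verification with the standard library only, so it can also be run against a copy of the jars on a scan host. It also illustrates the note at the top of this article about scanners: each jar is classified both by the version in its file name (what most scanners key on) and by whether JndiLookup.class is actually present (what the mitigation changes). The 2.16.0 threshold follows the CVE notes above, since the 2.15.0 fix was incomplete. The sample jars it builds are constructed stand-ins with placeholder entries, not real Log4j artifacts; all function names and the demo directory layout are the example's own.

```python
"""Inventory log4j-core jars, report their status, and remove JndiLookup.class.

Added example (not Veritas code). Standard library only.
"""
import fnmatch
import os
import re
import tempfile
import zipfile
from pathlib import Path

# The class the appliance hot fix and the manual steps strip from the jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Lowest release that closes both CVE-2021-44228 and CVE-2021-45046
# (2.15.0 alone is not enough, as noted in the CVE section).
FIXED_VERSION = (2, 16, 0)

VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_version(path):
    """(major, minor, patch) parsed from log4j-core-X.Y.Z.jar, or None."""
    m = VERSION_RE.search(Path(path).name)
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(path):
    """True if the jar still carries JndiLookup.class (what `unzip -l | grep` tests)."""
    with zipfile.ZipFile(path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def assess_jar(path):
    """Classify one jar: version alone is what scanners see; the class check
    is what shows whether the mitigation actually landed."""
    version = jar_version(path)
    present = has_jndi_lookup(path)
    if version is not None and version >= FIXED_VERSION:
        status = "fixed-by-version"
    elif not present:
        status = "mitigated"  # class removed; a version-based scanner may still flag it
    else:
        status = "vulnerable"
    return {"path": str(path), "version": version,
            "jndi_lookup_present": present, "status": status}


def find_log4j_core_jars(root):
    """Same selection as the technote's `find /opt -name '*log4j*core*.jar'`."""
    return sorted(str(p) for p in Path(root).rglob("*.jar")
                  if fnmatch.fnmatch(p.name, "*log4j*core*.jar"))


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (the `zip -d` step).
    Writes a temp file in the same directory and swaps it in atomically so an
    interrupted run never leaves a truncated jar. Returns True if it removed the class."""
    path = Path(path)
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(dir=path.parent, suffix=".jar.tmp")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(info, src.read(info.filename))  # keeps per-entry metadata
    os.replace(tmp, path)
    return True


def make_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in jar for offline demonstration (placeholder entries only)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return str(path)


def build_sample_tree(root=None):
    """Constructed directory of stand-in jars covering the three outcomes."""
    root = Path(root or tempfile.mkdtemp(prefix="log4j-demo-"))
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    make_sample_jar(lib / "log4j-core-2.13.2.jar", "2.13.2", with_jndi=True)   # vulnerable
    make_sample_jar(lib / "log4j-core-2.13.3.jar", "2.13.3", with_jndi=False)  # mitigated
    make_sample_jar(lib / "log4j-core-2.17.1.jar", "2.17.1", with_jndi=True)   # fixed by version
    make_sample_jar(lib / "log4j-api-2.13.2.jar", "2.13.2", with_jndi=False)   # not core: skipped
    return str(root)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for jar in find_log4j_core_jars(root):
        print(assess_jar(jar))
        if remove_jndi_lookup(jar):
            print("  removed JndiLookup.class ->", assess_jar(jar)["status"])
```

Run with no arguments to exercise it on the constructed sample tree, or pass a directory such as /opt to inventory real jars; the removal step only rewrites jars that still contain the class, so a second run is a no-op and doubles as the verification pass.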

OTHER NOTES

Note that if any of the following NetBackup Appliance war files are updated, the NetBackup Appliance Hot Fix will need to be rolled back and re-installed. This is not an expected scenario as it requires root access.

List of war files:

/opt/autosupport/webservice/ascws.war
/opt/apache-tomcat/vxos/webapps/ascws.war
/opt/apache-tomcat/vxos/webapps/appliancews.war
/opt/apache-tomcat/vxos/webapps/appliance.war
/opt/apache-tomcat/vxos/webapps/fcr-webservice-0.1.0.war
/opt/VRTSnbappgui/appliancews.war
/opt/VRTSnbappgui/appliance.war

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
