Impact of Apache Log4j Vulnerabilities on NetBackup Appliances

Article: 100052082
Last Published: 2022-03-02
Product(s): Appliances

IMPORTANT NOTES

Vulnerability scanners may still report the Log4j vulnerabilities even after applying the provided mitigation hot fixes or mitigation steps. This is expected as most scanners are not designed to account for the mitigations.

If the parameter “-Dlog4j2.formatMsgNoLookups=true” was added per earlier guidance in this technote, it can remain in place. This is based on the Apache advisory.

This technote also applies to NetBackup Virtual Appliances.

VULNERABILITIES

CVE-2021-44228

Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints. Fixed in Log4j 2.15.0. Apache recommends upgrading to Log4j 2.15.0 or applying recommended mitigations immediately.

CVE-2021-45046

Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. Fixed in Log4j 2.16.0. Apache recommends upgrading to Log4j 2.16.0 or applying recommended mitigations immediately. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

CVE-2021-45105

Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. Fixed in Log4j 2.17.0. Apache recommends upgrading to Log4j 2.17.0. NetBackup Appliances are not impacted by this vulnerability.

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Fixed in Log4j 2. Apache recommends upgrading to Log4j 2. NetBackup Appliances are not exploitable by this vulnerability.

CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. Fixed in Log4j 2.17.1. Apache recommends upgrading to Log4j 2.17.1. NetBackup Appliances are not exploitable by this vulnerability.

 

For CVE-2021-44228 and CVE-2021-45046, Veritas is providing the following:

  • NetBackup Appliance Mitigation Hot Fixes that remove the JNDI Lookup class in the Appliance-specific component.
  • NetBackup Appliance Remediation Hot Fixes (for 3.2 and above) that update the Log4j version to 2.17.1.
  • NetBackup Remediation Hot Fixes that update the Log4j version to 2.16.0 or 2.17.1 in the NetBackup application component used by NetBackup Appliances. This applies to NetBackup 8.1.2 (updated to 2.16.0) and above (updated to 2.17.1), except for 8.3/9.0/9.1, which correspond to NetBackup Appliance 4.0/4.1 (there is no 3.3 version). For the 8.3/9.0/9.1 releases, NetBackup is providing a mitigation only (removal of the JNDI Lookup class).

Where available, it is strongly recommended to install the NetBackup Appliance Remediation Hot Fixes instead of the NetBackup Appliance Mitigation Hot Fixes.

The NetBackup Appliance Remediation Hot Fixes can be installed on top of the Mitigation Hot Fixes; there is no need to first uninstall the Mitigation Hot Fixes.

Given the above, note the following:

  • NetBackup Appliance versions 3.1.2/3.2 (including any MR)/3.3.0.x (including any MR)/4.0.0.1 MR1 or MR2/4.1.0.1 MR1 require two Hot Fixes (NetBackup Appliance Hot Fix and NetBackup Hot Fix), which can be installed in any order.
  • NetBackup Appliance versions 4.0 (no MR)/4.1 (no MR) require one Hot Fix (NetBackup Appliance Mitigation Hot Fix) and one mitigation for NetBackup. To get the NetBackup/NetBackup Appliance Remediation Hot Fixes, appliances running 4.0 or 4.1 must upgrade to 4.0.0.1 MR3 or 4.1.0.1 MR1 (and install Hot Fix) respectively.
  • NetBackup Appliance versions 3.0/3.1/3.1.1 require one Hot Fix (NetBackup Appliance Mitigation Hot Fix).

REQUIRED HOT FIX MATRIX FOR NETBACKUP APPLIANCES AND NETBACKUP VIRTUAL APPLIANCES

Columns:
  Mitigation HF   = NetBackup Appliance Mitigation Hot Fix (required on Primary/Media)
  Remediation HF  = NetBackup Appliance Remediation Hot Fix (required on Primary/Media)
  NetBackup HF    = NetBackup Remediation Hot Fix* (required on Primary, optional on Media**)
  "-" marks a cell that is empty in the original matrix.

NetBackup Appliance Version                   | Mitigation HF  | Remediation HF                                    | NetBackup HF
----------------------------------------------|----------------|---------------------------------------------------|-------------------------
4.1/4.1.0.1 MR1                               | -              | Upgrade to 4.1.0.1 MR2                            | Included in 4.1.0.1 MR2
4.0/4.0.0.1 MR1/4.0.0.1 MR2                   | -              | Upgrade to 4.0.0.1 MR3                            | Download here
3.3.0.1/3.3.0.1 MR1/3.3.0.1 MR2/3.3.0.1 MR3   | -              | Upgrade to 3.3.0.2 MR2 and then install Hot Fix   | Download here
3.3.0.2 MR1/3.3.0.2 MR2                       | -              | Upgrade to 3.3.0.2 MR2 and then install Hot Fix   | Download here
3.2/3.2 MR1/3.2 MR2/3.2 MR3                   | -              | Upgrade to 3.2 MR3 and install Hot Fix from here  | Download here
3.1.2                                         | Download here  | No plan to provide                                | Download here
3.1.1                                         | Download here  | No plan to provide                                | NOT APPLICABLE
3.1                                           | Download here  | No plan to provide                                | NOT APPLICABLE
3.0                                           | Download here  | No plan to provide                                | NOT APPLICABLE

** The NetBackup Hot Fix does not need to be applied on a Media server, since the Log4j library, although present on the Media server, is dormant and not used. Note, however, that if the NetBackup Hot Fix is not applied on the Media server, vulnerability scanners could flag it.

If for some reason you are not able to install the NetBackup Appliance Hot Fix, you can follow the steps below to manually remove the JNDI Lookup class. If you have previously manually removed the JNDI Lookup class, there is no need to install the NetBackup Appliance Hot Fix.

MITIGATION STEPS TO REMOVE JNDI LOOKUP CLASS (Only needed if NetBackup Appliance Hot Fix is not being installed)

1) Log in to the Appliance command line shell as an Administrator

Main_Menu> Support
Entering NetBackup support view..

Support> Maintenance
<!-- Maintenance Mode --!>
maintenance's password:
maintenance-!> /opt/Symantec/sdcssagent/IPS/sisipsoverride.sh;elevate

2) Stop the NetBackup Appliance services before modifying the Log4j jars

as-collector stop
as-analyzer stop
as-alertmanager stop
as-transmission stop
service tomcat-vxos stop

3) Update the JndiLookup class

for log4jcore in `find /opt -name \*log4j\*core\*.jar 2> /dev/null`; do echo "$log4jcore"; zip -q -d "$log4jcore" org/apache/logging/log4j/core/lookup/JndiLookup.class; done

Example output:

/opt/autosupport/fileuploader/lib/log4j-core-2.13.2.jar
/opt/autosupport/analyzer/lib/log4j-core-2.13.2.jar
/opt/autosupport/alertmanager/lib/log4j-core-2.13.2.jar
/opt/autosupport/transmission/lib/log4j-core-2.13.2.jar
/opt/apache-tomcat/vxos/webapps/appliance/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/appliancews/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.3.jar
/opt/apache-tomcat/vxos/webapps/ascws/WEB-INF/lib/log4j-core-2.13.2.jar

4) Start the NetBackup Appliance services so they load the updated Log4j jars

service tomcat-vxos start
as-transmission start
as-alertmanager start
as-analyzer start
as-collector start

 

To check whether the JNDI Lookup class has been removed, use the following script. It prints one line per jar that still contains the class, so no output means every jar has been stripped:

for i in `find /opt -name \*log4j\*core\*.jar 2> /dev/null`; do unzip -l "$i" | grep JndiLookup; done
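The find/zip/unzip steps above, combined into one audit-and-strip tool. This Python is an added example, not Veritas code or part of any Hot Fix; make_sample_tree() builds throwaway fake jars in a temporary directory that only stand in for the appliance paths, and pointed at a real tree such as /opt the remove function rewrites matching jars in place.

```python
import os
import re
import tempfile
import zipfile

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the mitigation deletes
JAR_RE = re.compile(r".*log4j.*core.*\.jar$")  # same glob the technote's find command uses

def find_log4j_core_jars(root):
    """Sorted paths under root whose file name matches *log4j*core*.jar."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if JAR_RE.match(f))

def jar_version(path):
    """'2.13.2' from 'log4j-core-2.13.2.jar', or None if the name carries no version."""
    m = re.search(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None

def has_jndi_lookup(path):
    """True if the jar still ships JndiLookup.class (the technote's unzip -l | grep check)."""
    with zipfile.ZipFile(path) as zf:
        return JNDI_ENTRY in zf.namelist()

def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (what zip -q -d does); True if it was removed."""
    if not has_jndi_lookup(path):
        return False
    tmp = path + ".tmp"  # same directory, so the final os.replace is atomic
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_ENTRY:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, path)
    return True

def audit(root):
    """{jar_path: (version_from_name, jndi_present)} for every log4j-core jar under root."""
    return {p: (jar_version(p), has_jndi_lookup(p)) for p in find_log4j_core_jars(root)}

def make_sample_tree():
    """Constructed stand-in for the appliance layout: one jar with the JNDI entry, one stripped, one non-core."""
    root = tempfile.mkdtemp()
    spec = {"autosupport/analyzer/lib/log4j-core-2.13.2.jar": True,
            "apache-tomcat/vxos/webapps/ROOT/WEB-INF/lib/log4j-core-2.13.3.jar": False,
            "autosupport/analyzer/lib/log4j-api-2.13.2.jar": False}
    for rel, with_jndi in spec.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, rel), "w") as zf:
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")  # dummy entry
            if with_jndi:
                zf.writestr(JNDI_ENTRY, b"\xca\xfe")
    return root
```

The version parsed from the file name only tells you which Log4j release is installed; the jndi_present flag is what shows whether the mitigation has actually been applied to that jar.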

 

OTHER NOTES

Note that if any of the following NetBackup Appliance war files are updated, the NetBackup Appliance Hot Fix will need to be rolled back and re-installed. This is not an expected scenario, as it requires root access.

List of war files:

/opt/autosupport/webservice/ascws.war
/opt/apache-tomcat/vxos/webapps/ascws.war
/opt/apache-tomcat/vxos/webapps/appliancews.war
/opt/apache-tomcat/vxos/webapps/appliance.war
/opt/apache-tomcat/vxos/webapps/fcr-webservice-0.1.0.war
/opt/VRTSnbappgui/appliancews.war
/opt/VRTSnbappgui/appliance.war

 

DISCLAIMER

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

 

 

 
