Impact of CVE-2021-44228 Apache Log4j Vulnerability on NetBackup CloudPoint Versions from 8.3 to 9.1.0.1


Article: 100052096
Last Published: 2021-12-21
Product(s): NetBackup, CloudPoint

Problem

Impact of CVE-2021-44228 Apache Log4j Vulnerability on NetBackup CloudPoint Versions 8.3 - 9.1.0.1

 

About CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 Apache Log4j Vulnerabilities

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. 

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) and a denial of service vulnerability (CVE-2021-45046) affecting Log4j versions 2.0-beta9 to 2.15. A remote attacker could exploit these vulnerabilities to take control of an affected system.   

More information is available in the Apache Announcement, which recommends upgrading to the latest Log4j 2.16.0 or applying the recommended mitigations immediately.

Issue: 

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. 

Severity: Critical 
Base CVSS Score: 10.0 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 

CVE-2021-45046: Apache Log4j2 JNDI features do not protect against malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.  

Severity: Low 
Base CVSS Score: 3.7 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 

CVE-2021-45105: Apache Log4j2 does not protect against uncontrolled recursion from self-referential lookups. A non-default Pattern Layout with a Context Lookup in the logging configuration can result in a denial of service (DOS) attack when malicious input data contains a recursive lookup.

Severity: High 
Base CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Note: CloudPoint is not impacted by CVE-2021-45105.


Mitigation steps

For NetBackup CloudPoint version 8.3 - 9.1.0.1

For CloudPoint server with docker based installations

On the CloudPoint host execute the following steps

1. Please ensure the zip command is available. The commands "which zip" or "zip --version" can help determine the availability of this command.

2. Please ensure the unzip command is available. The commands "which unzip" or "unzip --version" can help determine the availability of this command.

3. Create a new directory 'log4j_mitigation' and go to that directory.

    # mkdir log4j_mitigation

    # cd log4j_mitigation

4. Create a temporary folder 'log4j_mitigation' inside the flexsnap-idm container and copy the original log4j-core jar into it.

    # docker exec flexsnap-idm bash -c "mkdir -p /log4j_mitigation; cp -f /opt/VRTScloudpoint/services/identity_manager_service/lib/log4j-core-* /log4j_mitigation"

5. Copy the log4j-core jar from the flexsnap-idm container to the host machine.

    # docker cp flexsnap-idm:/log4j_mitigation/. .

6. Remove the JndiLookup class from the log4j-core jar.

    # for i in `find . -name "log4j-core*.jar"`; do echo File name = $i; zip -q -d $i org/apache/logging/log4j/core/lookup/JndiLookup.class; unzip -l $i | grep -i JNDI ; done

7. Verify that the command below does not display "org/apache/logging/log4j/core/lookup/JndiLookup.class", which confirms that the class has been removed from log4j-core*.jar.

    # for i in `find . -name "log4j-core*.jar"`; do echo File name = $i; unzip -l $i | grep -i JNDILookup ; done

8. Stop the Docker container

    # docker stop flexsnap-idm

9. Copy the updated jar to the flexsnap-idm container.

    # docker cp . flexsnap-idm:/opt/VRTScloudpoint/services/identity_manager_service/lib/

10. Check the version of CloudPoint to use in the next step.

    # docker ps -a| grep flexsnap-idm

11. Commit the changes

    # docker commit flexsnap-idm veritas/flexsnap-idm:<version of CP>

12. Restart the container

    # docker restart flexsnap-idm

Rollback steps:

1. Enter the flexsnap-idm container

    # docker exec -it flexsnap-idm bash

2. Copy the original file to the lib folder and exit from the container

    # cp /log4j_mitigation/log4j-core* /opt/VRTScloudpoint/services/identity_manager_service/lib/

    # exit

3. Commit the changes from the CloudPoint host

    # docker commit flexsnap-idm veritas/flexsnap-idm:<version of CP>

4. Restart the container

    # docker restart flexsnap-idm

For CloudPoint server with podman based installations

On the CloudPoint host execute the following steps

1. Please ensure the zip command is available. The commands "which zip" or "zip --version" can help determine the availability of this command.

2. Please ensure the unzip command is available. The commands "which unzip" or "unzip --version" can help determine the availability of this command.

3. Create a new directory 'log4j_mitigation' and go to that directory.

    # mkdir log4j_mitigation

    # cd log4j_mitigation

4. Create a temporary folder 'log4j_mitigation' inside the flexsnap-idm container and copy the original log4j-core jar into it.

    # podman exec flexsnap-idm bash -c "mkdir -p /log4j_mitigation; cp -f /opt/VRTScloudpoint/services/identity_manager_service/lib/log4j-core-* /log4j_mitigation"

5. Copy the log4j-core jar from the flexsnap-idm container to the host machine.

    # podman cp flexsnap-idm:/log4j_mitigation/. .

6. Remove the JndiLookup class from the log4j-core jar.

    # for i in `find . -name "log4j-core*.jar"`; do echo File name = $i; zip -q -d $i org/apache/logging/log4j/core/lookup/JndiLookup.class; unzip -l $i | grep -i JNDI ; done

7. Verify that the command below does not display "org/apache/logging/log4j/core/lookup/JndiLookup.class", which confirms that the class has been removed from log4j-core*.jar.

    # for i in `find . -name "log4j-core*.jar"`; do echo File name = $i; unzip -l $i | grep -i JNDILookup ; done

8. Stop the Podman container

    # podman stop flexsnap-idm

9. Copy the updated jar to the flexsnap-idm container.

    # podman cp . flexsnap-idm:/opt/VRTScloudpoint/services/identity_manager_service/lib/

10. Check the version of CloudPoint to use in the next step.

    # podman ps -a| grep flexsnap-idm

11. Commit the changes

    # podman commit flexsnap-idm veritas/flexsnap-idm:<version of CP>

12. Restart the container

    # podman restart flexsnap-idm

Rollback steps:

1. Enter the flexsnap-idm container

    # podman exec -it flexsnap-idm bash

2. Copy the original file to the lib folder and exit from the container

    # cp /log4j_mitigation/log4j-core* /opt/VRTScloudpoint/services/identity_manager_service/lib/

    # exit

3. Commit the changes from the CloudPoint host

    # podman commit flexsnap-idm veritas/flexsnap-idm:<version of CP>

4. Restart the container

    # podman restart flexsnap-idm

For CloudPoint version 2.2.2.x

On the CloudPoint host execute the following steps to fix

1. Please ensure the zip command is available. The commands "which zip" or "zip --version" can help determine the availability of this command.

2. Please ensure the unzip command is available. The commands "which unzip" or "unzip --version" can help determine the availability of this command.

3. Create a new directory 'log4j_mitigation' and go to that directory.

    # mkdir log4j_mitigation

    # cd log4j_mitigation

4. For flexsnap-identity-manager-service

  • Create a temporary folder 'log4j_mitigation' inside the flexsnap-identity-manager-service container and copy the original log4j-core jar into it.

      # docker exec flexsnap-identity-manager-service bash -c "mkdir -p /log4j_mitigation; cp -f /opt/VRTScloudpoint/services/identity_manager_service/lib/log4j-core-* /log4j_mitigation"

  • Copy the log4j-core jar from the flexsnap-identity-manager-service container to the host machine.

      # docker cp flexsnap-identity-manager-service:/log4j_mitigation/. .

  • Remove the JndiLookup class from the log4j-core jar.

      # for i in `find . -name "log4j-core*.jar"`; do echo File name = $i; zip -q -d $i org/apache/logging/log4j/core/lookup/JndiLookup.class; unzip -l $i | grep -i JNDI ; done

  • Verify that the command below does not display "org/apache/logging/log4j/core/lookup/JndiLookup.class", which confirms that the class has been removed from log4j-core*.jar.

      # for i in `find . -name "log4j-core*.jar"`; do echo File name = $i; unzip -l $i | grep -i JNDILookup ; done

  • Stop the Docker container

      # docker stop flexsnap-identity-manager-service

  • Copy the updated jar to the flexsnap-identity-manager-service container.

      # docker cp . flexsnap-identity-manager-service:/opt/VRTScloudpoint/services/identity_manager_service/lib/

  • Check the version of CloudPoint to use in the next step.

      # docker ps -a| grep flexsnap-identity-manager-service

  • Commit the changes

      # docker commit flexsnap-identity-manager-service veritas/flexsnap-identity-manager-service:<version of CP>

  • Restart the container

      # docker restart flexsnap-identity-manager-service

5. For flexsnap-authorization-service

  • Create a temporary folder 'log4j_mitigation' inside the flexsnap-authorization-service container and copy the original log4j-core jar into it.

      # docker exec flexsnap-authorization-service bash -c "mkdir -p /log4j_mitigation; cp -f /opt/VRTScloudpoint/services/authorization_service/lib/log4j-core-* /log4j_mitigation"

  • Stop the Docker container

      # docker stop flexsnap-authorization-service

  • Copy the updated jar to the flexsnap-authorization-service container.

      # docker cp . flexsnap-authorization-service:/opt/VRTScloudpoint/services/authorization_service/lib/

  • Check the version of CloudPoint to use in the next step.

      # docker ps -a| grep flexsnap-authorization-service

  • Commit the changes

      # docker commit flexsnap-authorization-service veritas/flexsnap-authorization-service:<version of CP>

  • Restart the container

      # docker restart flexsnap-authorization-service

6. For flexsnap-email-service

  • Create a temporary folder 'log4j_mitigation' inside the flexsnap-email-service container and copy the original log4j-core jar into it.

      # docker exec flexsnap-email-service bash -c "mkdir -p /log4j_mitigation; cp -f /opt/VRTScloudpoint/services/email_service/lib/log4j-core-* /log4j_mitigation"

  • Stop the Docker container

      # docker stop flexsnap-email-service

  • Copy the updated jar to the flexsnap-email-service container.

      # docker cp . flexsnap-email-service:/opt/VRTScloudpoint/services/email_service/lib/

  • Check the version of CloudPoint to use in the next step.

      # docker ps -a| grep flexsnap-email-service

  • Commit the changes

      # docker commit flexsnap-email-service veritas/flexsnap-email-service:<version of CP>

  • Restart the container

      # docker restart flexsnap-email-service

Rollback steps:

1. For flexsnap-identity-manager-service container

  • Enter the flexsnap-identity-manager-service container

      # docker exec -it flexsnap-identity-manager-service bash

  • Copy the original file to the lib folder and exit from the container

      # cp /log4j_mitigation/log4j-core* /opt/VRTScloudpoint/services/identity_manager_service/lib/

      # exit

  • Commit the changes from the CloudPoint host

      # docker commit flexsnap-identity-manager-service veritas/flexsnap-identity-manager-service:<version of CP>

  • Restart the container

      # docker restart flexsnap-identity-manager-service

2. For flexsnap-authorization-service container

  • Enter the flexsnap-authorization-service container

      # docker exec -it flexsnap-authorization-service bash

  • Copy the original file to the lib folder and exit from the container

      # cp /log4j_mitigation/log4j-core* /opt/VRTScloudpoint/services/authorization_service/lib/

      # exit

  • Commit the changes from the CloudPoint host

      # docker commit flexsnap-authorization-service veritas/flexsnap-authorization-service:<version of CP>

  • Restart the container

      # docker restart flexsnap-authorization-service

3. For flexsnap-email-service container

  • Enter the flexsnap-email-service container

      # docker exec -it flexsnap-email-service bash

  • Copy the original file to the lib folder and exit from the container

      # cp /log4j_mitigation/log4j-core* /opt/VRTScloudpoint/services/email_service/lib/

      # exit

  • Commit the changes from the CloudPoint host

      # docker commit flexsnap-email-service veritas/flexsnap-email-service:<version of CP>

  • Restart the container

      # docker restart flexsnap-email-service
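
A stricter form of the verification step used in the docker, podman and 2.2.2.x procedures above, as an added example that is not part of the Veritas advisory. It goes beyond the "unzip -l | grep" check by also opening archives bundled inside the jar, which a listing of the outer file does not show. The sample jars are constructed in memory with placeholder bytes, and the helper names are hypothetical; pass real jar paths on the command line to check the files copied to the host.

```python
import io
import sys
import zipfile

# Class removed by the advisory's "zip -q -d" step.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def find_jndilookup(data, label, depth=0, max_depth=4):
    """List every location of JndiLookup.class in an archive, nested jars included."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip archive, nothing to inspect
    hits = []
    with zf:
        for name in zf.namelist():
            lowered = name.lower()  # case-insensitive, like "grep -i"
            if lowered.endswith(JNDI_CLASS.lower()):
                hits.append(f"{label}!/{name}")
            elif lowered.endswith(ARCHIVE_EXT) and depth < max_depth:
                hits += find_jndilookup(zf.read(name), f"{label}!/{name}",
                                        depth + 1, max_depth)
    return hits


def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: placeholder bytes, not real class files.
MANIFEST = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
UNPATCHED = make_jar({JNDI_CLASS: b"stub", **MANIFEST})
PATCHED = make_jar(MANIFEST)
# Outer archive whose own listing is clean but which bundles an unpatched jar.
BUNDLED = make_jar({"lib/log4j-core-sample.jar": UNPATCHED, **MANIFEST})

if __name__ == "__main__":
    samples = {"unpatched.jar": UNPATCHED, "patched.jar": PATCHED, "bundled.jar": BUNDLED}
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or samples
    for label, blob in blobs.items():
        found = find_jndilookup(blob, label)
        print(label, "JndiLookup PRESENT" if found else "clean", *found)
```

An empty result for every log4j-core jar in the log4j_mitigation directory corresponds to the "does not display" condition of the verification step.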

 

 

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
