Impact of Apache Log4j and polkit Vulnerabilities on NetBackup Flex Appliance

Article: 100052106
Last Published: 2022-02-25
Product(s): Appliances

IMPORTANT NOTES

Vulnerability scanners may still report the Log4j vulnerabilities even after applying the provided hot fixes or mitigation steps. This is expected as most scanners are not designed to account for the mitigations.

VULNERABILITIES

CVE-2021-44228

Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints. Fixed in Log4j 2.15.0. Apache recommends upgrading to Log4j 2.15.0 or applying recommended mitigations immediately.

CVE-2021-45046

Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. Fixed in Log4j 2.16.0. Apache recommends upgrading to Log4j 2.16.0 or applying recommended mitigations immediately. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

CVE-2021-45105

Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. Fixed in Log4j 2.17.0. Apache recommends upgrading to Log4j 2.17.0. NetBackup Flex Appliances are not impacted by this vulnerability.

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Fixed in Log4j 2. Apache recommends upgrading to Log4j 2. NetBackup Flex Appliances are not exploitable by this vulnerability.

CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code. Fixed in Log4j 2.17.1. Apache recommends upgrading to Log4j 2.17.1. NetBackup Flex Appliances are not exploitable by this vulnerability.

CVE-2021-4034

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec does not handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When successfully executed, the attack causes a local privilege escalation, giving unprivileged users administrative rights on the target machine.

For CVE-2021-44228 and CVE-2021-45046, Veritas is providing the following:

  • NetBackup Flex Appliance Mitigation Hot Fix that removes the JNDI Lookup class in Appliance-specific component
    • 1.3.1 Hot Fix
  • NetBackup Flex Appliance Remediation Hot Fixes that update Log4j version to 2.17.1
    • 2.1 Hot Fix
    • 2.0.2 Hot Fix
  • NetBackup Remediation Hot Fixes that update Log4j to 2.16.0 (NetBackup 8.1.2) or 2.17.1 (NetBackup 8.2 or higher)

For CVE-2021-4034, Veritas is providing the following:

  • NetBackup Flex Appliance Remediation Hot Fixes that update polkit to version 0.112-26

Veritas is providing a single Remediation Hot Fix for both the Log4j and Polkit vulnerabilities.

Every NetBackup Flex Appliance will require two Hot Fixes (NetBackup Hot Fix and NetBackup Flex Appliance Hot Fix) which can be installed in any order.

Required NetBackup Flex Appliance Hot Fix

NetBackup Flex Appliance version | NetBackup Flex Appliance Mitigation Hot Fix | NetBackup Flex Appliance Remediation Hot Fix
2.1   | (none) | Download here
2.0.2 | (none) | Download here. If running 2.0/2.0.1, first update to 2.0.2 and then apply the hot fix.
1.3.1 | Download here. If running 1.3, first update to 1.3.1 and then apply the hot fix. | (none)

  • If a node in the cluster is factor-reset or re-imaged, the version specific NetBackup Flex Appliance hot fix must be applied to that node, immediately after such node is added back into the cluster and updated to the cluster version.
  • If a NetBackup Flex Appliance is upgraded to any of the versions mentioned in the table above, the version specific hot fix must be applied to all nodes in the cluster after upgrade-commit.

Required NetBackup Hot Fix

NetBackup Primary server version | NetBackup Hot Fix
9.1.0.1 | Download here. If running 9.1, first update to 9.1.0.1 and then apply the hot fix.
9.0.0.1 | Download here. If running 9.0, first update to 9.0.0.1 and then apply the hot fix.
8.3.0.2 | Download here. If running 8.3, first update to 8.3.0.2 and then apply the hot fix.
8.3.0.1 | Download here. If running 8.3, first update to 8.3.0.1 and then apply the hot fix.
8.2     | Download here
8.1.2   | Download here. If running 8.1/8.1.1, first update to 8.1.2 and then apply the hot fix.

Installation/Mitigation steps for NetBackup Flex Appliance Hot Fix

The autosupport-client service on Flex platform version 2.x and the autosupport_container service on Flex platform version 1.3.x help monitor hardware health. Veritas has taken the approach of removing the JNDI Lookup class from the autosupport component to mitigate the risk of CVE-2021-44228 and CVE-2021-45046. Follow the steps below to apply the mitigation.
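The two end states this advisory describes are a remediated jar (log4j-core updated to 2.16.0 or 2.17.1 by the NetBackup hot fix) and a mitigated jar (an older log4j-core from which the JndiLookup class has been removed by the Flex Appliance hot fix). Since the note at the top warns that vulnerability scanners keep flagging mitigated hosts, a verification that looks at the jar contents rather than at a scanner signature is useful. The following script is an added example written for this article, not Veritas code; it assumes the standard log4j-core jar layout (the version in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties and the lookup class at org/apache/logging/log4j/core/lookup/JndiLookup.class), and the jars it builds for its demo are constructed stand-ins that contain only those two entries.

```python
"""Classify log4j-core jars as remediated, mitigated or still vulnerable.

Added example for this advisory (not Veritas code). Assumes the standard
log4j-core jar layout: Maven pom.properties for the version and the
JndiLookup class at its usual path.
"""
import os
import re
import tempfile
import zipfile

# Standard entry names inside a log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.0-beta7' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def log4j_core_version(jar):
    """Version tuple from the jar's Maven pom.properties, or None if absent."""
    try:
        raw = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:  # entry not present: not a log4j-core jar
        return None
    for line in raw.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def assess_jar(path, fixed_version=(2, 17, 1)):
    """Classify one jar. fixed_version is the release the hot fix installs:
    2.17.1 by default, (2, 16, 0) for the NetBackup 8.1.2 case in the advisory."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = log4j_core_version(jar)
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None and not has_jndi:
        return "not-log4j-core"
    if version is not None and version >= fixed_version:
        return "remediated"  # fixed release; the class may still exist but is patched
    return "vulnerable" if has_jndi else "mitigated"


def scan_tree(root, fixed_version=(2, 17, 1)):
    """Walk root and classify every *.jar found. Returns {path: status}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                results[path] = assess_jar(path, fixed_version)
    return results


def build_sample_jar(path, version, include_jndi):
    """Constructed stand-in for a log4j-core jar holding only the entries the check reads."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def assess_sample(version, include_jndi, fixed_version=(2, 17, 1)):
    """Build one constructed jar in a temp dir and classify it (threshold checks)."""
    path = os.path.join(tempfile.mkdtemp(prefix="log4j-check-"), "sample.jar")
    build_sample_jar(path, version, include_jndi)
    return assess_jar(path, fixed_version)


def demo():
    """Three constructed jars covering the advisory's states; returns {basename: status}."""
    root = tempfile.mkdtemp(prefix="log4j-check-")
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", False)
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
    return {os.path.basename(p): s for p, s in scan_tree(root).items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:15} {name}")
```

On a real host you would call scan_tree against the application instance's install tree instead of demo; pass fixed_version=(2, 16, 0) for a NetBackup 8.1.2 instance, since that is the release its hot fix delivers. A "mitigated" result is exactly the state a signature-based scanner tends to keep reporting, which is the point the note at the top of this article makes.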

1. Log in to the Flex Appliance Console.

2. On the Flex Appliance Console, click the Repository icon in the left-side navigation bar and navigate to the Appliance upgrades and updates tab. The tab displays the package that is currently in the repository.

3. The Flex Appliance repository can only hold one appliance upgrade/update package at a time. Click Remove package to remove the current package.

4. From a computer within your appliance domain, download the appropriate Hot Fix based on your NetBackup Flex Appliance version.

5. From the same computer, sign in to the Flex Appliance Console and click the Repository icon in the left-side navigation bar to open the Repository page.

6. On the Repository page, navigate to the Appliance upgrades and updates tab.

7. Click Add Package.

8. In the dialog box that appears, do the following:

9. At the top of the dialog box, click the drop-down and navigate to the location where you downloaded the file from Veritas.

10. Select the downloaded file from the list of items that appears, then click Open.

11. Return to the Appliance upgrades and updates tab on the Repository page. Select the node that you want to update and click Update.

12. Monitor the progress in the Activity Monitor and confirm that the update job completed successfully.

13. If you have a multi-node appliance, wait for the update process to complete on the selected node, then repeat this procedure on the other node.

Installation/Mitigation steps for NetBackup Hot Fix

Veritas has taken the approach of updating the log4j jar file in NetBackup primary/master server application instances to mitigate the risk of CVE-2021-44228 and CVE-2021-45046. Follow the steps below to apply the mitigation.

1. From a computer within your appliance domain, download the appropriate hot fix based on the NetBackup primary server version.

2. Sign in to the Flex Appliance Console and click the Repository icon in the left-side navigation bar.

3. Go to the Application add-ons tab.

4. The tab displays the add-ons that are in the repository and details about each, such as type, version, and the application they can be installed on.

5. Click Add Package.

6. In the dialog box that appears, do the following:

7. At the top of the dialog box, click the drop-down and navigate to the location where you downloaded the file from Veritas.

8. Select the downloaded file from the list of items that appears, then click Open.

9. You are redirected to the Activity Monitor to view the progress. When the task is complete, return to the Repository page to see the new file at the top of the list.

10. When the task is complete, the new file should appear in the Add-ons tab on the page.

11. From the System topology page of the Flex Appliance Console, navigate to the Application instances section.

12. Locate the instance on which you want to install the add-on. If it is running, select it and click Stop. If you prefer, you can also wait to stop the instance until the Flex Appliance Console prompts you to.

13. Select the instance, then click Manage > Install and order add-ons. Alternatively, click the instance name, navigate to the Add-ons tab, and click Install and order.

14. Select the appropriate add-on (added for mitigating the log4j vulnerability) from the repository list that appears. When you are done, click Next.

15. Click Install and observe the message displayed in the message ribbon on the page.

16. Restart the application instance to complete the installation of the add-on.

17. If you had applied the manual workaround documented in technote https://www.veritas.com/content/support/en_US/article.100052084, follow the steps in the section "Steps to rollback vulnerability mitigation procedure" to remove it.

NOTE

  • NetBackup Flex Appliance supports deploying multiple instances of the NetBackup primary/master server application, of the same or different versions, on one appliance. The version-specific hot fix from the table above must be applied separately to each instance of the NetBackup primary server application.
  • If a NetBackup primary server application instance is upgraded to any of the versions mentioned in the table above, the version-specific hot fix from the table above must be applied to the upgraded instance.
  • NetBackup Media server, Media server with Cloud Catalyst, and WORM storage instances are not impacted.
  • NetBackup Media server versions 8.1.2 and 8.2, as well as MSDP Cloud Catalyst version 8.3.x, package log4j versions lower than 2.16.0. However, log4j is not used by the Media Server and MSDP Cloud Catalyst NetBackup roles at versions 8.1.2 and 8.2 on NetBackup Flex Appliance. Hence they are not vulnerable.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
