NetBackup OpsCenter 9.1.0.1 Hotfix - VTS22-005 Security Advisory and Apache Log4J 2.17.1 (Etrack - 4058553)

HotFix Critical

Abstract

OpsCenter 9.1.0.1 VTS22-005 Security Advisory and Apache Log4J 2.17.1

Description

Veritas Bug ID: ET 4058553

 

Version: OpsCenter 9.1.0.1

 

Problem Description: OpsCenter 9.1.0.1 VTS22-005 Security Advisory and Apache Log4J 2.17.1

Read me

Install on: OpsCenter Server, OpsCenter View Builder Client

 

Version 5 README notes:   

1. This Hotfix includes Security fixes for vulnerabilities associated with announcement VTS22-005.
2. There are no incremental updates to log4j 2.17.1 in this version. This version contains fixes related to other escalations, but it also
      contains the log4j 2.17.1 upgrade carried over from previous versions, because this EEB contains all fixes from ver.1 to ver.4 in addition to the fixes in ver.5.
     There is also no need to uninstall an existing version of this EEB.
3. Run cleanAmginuousClients83() multiple times if you still see duplicate clients after a single run.
    Follow the related steps in this Tech article: https://www.veritas.com/support/en_US/article.100052133
4. Ignore the message about uninstallation of the previous version of this EEB. This EEB contains all fixes to date.
5. All OpsCenter services can remain running.

 

Installation Instructions:

 

CVE-2021-44228 FIX, Upgrade Log4j to 2.17.1
===========================================

Windows Steps to update for GUI+Server and ViewBuilder component


This new version of the EEB can be installed directly without performing an Uninstall of the previous versions of the EEB.

NOTE: If any previous version of EEB 4058553 other than v1 (that is, v2, v3 or v4) is already installed, there is
no need to perform the upgrade steps related to log4j 2.17.1, provided those upgrade steps have already been done.

NOTE: If version 1 of EEB 4058553, i.e. OpsCenter_windows_AMD64_9101EEB_ET4058553_1.zip, is already installed, then
read log4j version 2.16.0 instead of 2.13.3 in the steps below wherever 2.13.3 is mentioned
for replacement or removal. Version 1 of the EEB already removed log4j 2.13.3 and installed log4j 2.16.0,
so an upgrade from version 1 of the EEB to version 2 is an upgrade from log4j 2.16.0 to log4j 2.17.1.

             
Steps to update for GUI+Server and ViewBuilder component

A) Steps for GUI+Server component

 

NOTE: Customers who have deployed EEBs for this version of OpsCenter in the past to resolve
inconsistencies with Client names in OpsCenter reports should additionally refer to step 12. Customers who have
never installed such EEBs can ignore step 12.

 

1. Take an OpsCenter database backup, and additionally back up the following files:

[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin\OpsCenterServerService.xml
[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin\setEnv.bat
[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui\bin\setEnv.bat

2. Install Server component of EEB (-server option of OpsCenterEEBInstaller.bat) 

3. Stop OpsCenter Services

4. Note the following log4j 2.17.1 file names, which have CVE-2021-44228 fixed.
They are present in [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

5. Note the following log4j 2.13.3 file names, which have the vulnerability CVE-2021-44228.
They are present in [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

6. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin and open OpsCenterServerService.xml and
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin and open setEnv.bat and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

8. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui\bin and open setEnv.bat and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

9. Delete jars having version "2.13.3" mentioned in step (5) from [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib folder

10. After installing the EEB and performing these steps, check under [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui for opscenter.war files
with an extended name similar to opscenter.war.9101EEB_ET4058553_1. If any exist, unzip each one to any location and
check for log4j files of version 2.13.3 or 2.16.0 under [UNZIP_LOCATION]\opscenter.war\WEB-INF\lib. If these versions are present,
delete the opscenter.war files that have the extended name similar to opscenter.war.9101EEB_ET4058553_1.

11. Start OpsCenter Services

12. For customers who have been previously reporting inconsistencies with Client names in OpsCenter reports, it is
strongly recommended to follow these additional steps in this Tech article.
https://www.veritas.com/support/en_US/article.100052133

 

B) OpsCenter ViewBuilder Component

1. Back up the following files:

[OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin\OpsCenterViewBuilder.xml
[OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin\setEnv.bat

2. Install the ViewBuilder component of the EEB (-jvb option of OpsCenterEEBInstaller.bat) and
close ViewBuilder if it is open. [Refer below: Using OpsCenter Emergency Engineering Binary (EEB) installer on Windows]

3. Note the following log4j 2.17.1 file names, which have CVE-2021-44228 fixed.
They are present in [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

4. Note the following log4j 2.13.3 file names, which have the vulnerability CVE-2021-44228.
They are present in [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

5. Go to folder [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin and open OpsCenterViewBuilder.xml and
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

6. Go to folder [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin and open setEnv.bat and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Delete jars having version "2.13.3" mentioned in step (4) from [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib folder

8. Launch ViewBuilder


Linux Steps for GUI + Server component

 

NOTE: If any previous version of EEB 4058553 other than v1 (that is, v2, v3 or v4) is already installed, there is
no need to perform the upgrade steps related to log4j 2.17.1, provided those upgrade steps have already been done.

NOTE: If version 1 of EEB 4058553, i.e. OpsCenter_LinuxR_x86_x86_64_9101EEB_ET4058553_1.tar.gz, is already installed, then
read log4j version 2.16.0 instead of 2.13.3 in the steps below wherever 2.13.3 is mentioned
for replacement or removal. Version 1 of the EEB already removed log4j 2.13.3 and installed log4j 2.16.0,
so an upgrade from version 1 of the EEB to version 2 is an upgrade from log4j 2.16.0 to log4j 2.17.1.

 

Steps for GUI+Server component

NOTE: Customers who have deployed EEBs for this version of OpsCenter in the past to resolve
inconsistencies with Client names in OpsCenter reports should additionally refer to step 11. Customers who have
never installed such EEBs can ignore step 11.

 

1. Take an OpsCenter database backup, and additionally back up the following files:

[OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/bin/setEnv.sh 
[OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI/bin/setEnv.sh 

2. Install Server component of EEB (-server option of OpsCenterEEBInstaller.sh)

3. Stop OpsCenter Services

4. Note the following log4j 2.17.1 file names, which have CVE-2021-44228 fixed.
They are present in [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

5. Note the following log4j file names, which have the vulnerability CVE-2021-44228.
They are present in [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

6. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/bin and open setEnv.sh and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that OpsCenter is able to point to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar 
and similarly for all other log4j jars.

7. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI/bin/ and open setEnv.sh and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that OpsCenter is able to point to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar 
and similarly for all other log4j jars.

8. Delete the jar files having version "2.13.3" mentioned in step (5) from [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib folder

9. After installing the EEB and performing these steps, check under [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI for opscenter.war files
with an extended name similar to opscenter.war.9101EEB_ET4058553_1. If any exist, unzip each one to any location and
check for log4j files of version 2.13.3 or 2.16.0 under [UNZIP_LOCATION]/opscenter.war/WEB-INF/lib. If these versions are present,
delete the opscenter.war files that have the extended name similar to opscenter.war.9101EEB_ET4058553_1.

10. Start OpsCenter Services

11. For customers who have been previously reporting inconsistencies with Client names in OpsCenter reports, it is
strongly recommended to follow these additional steps in this Tech article.
https://www.veritas.com/support/en_US/article.100052133
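
A post-change check for the Linux GUI+Server steps above, added here as an example; it is not part of the Veritas hotfix or README. It assumes the jar names appear in setEnv.sh with their version string and that unzip is installed; the function name and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example (not vendor code): audit a Linux OpsCenter server after the
# log4j steps above. Prints one line per finding; returns 0 only when clean.
OLD_VERSIONS="2.13.3 2.16.0"   # versions the README says to replace or remove
NEW_VERSION="2.17.1"
JARS="log4j-api log4j-core log4j-jcl log4j-web"

audit_log4j() {   # $1 = [OPSCENTER_SERVER_INSTALL_LOCATION], e.g. /opt
    base=$1; rc=0
    lib="$base/SYMCOpsCenterServer/lib"
    # Steps 4, 5 and 8: fixed jars present, vulnerable jars deleted.
    for j in $JARS; do
        if [ ! -f "$lib/$j-$NEW_VERSION.jar" ]; then
            echo "MISSING   $lib/$j-$NEW_VERSION.jar"; rc=1
        fi
        for v in $OLD_VERSIONS; do
            if [ -e "$lib/$j-$v.jar" ]; then echo "STALE-JAR $lib/$j-$v.jar"; rc=1; fi
        done
    done
    # Steps 6 and 7: both setEnv.sh files show 4 new entries and no old ones.
    for f in "$base/SYMCOpsCenterServer/bin/setEnv.sh" \
             "$base/SYMCOpsCenterGUI/bin/setEnv.sh"; do
        if [ ! -f "$f" ]; then echo "MISSING   $f"; rc=1; continue; fi
        n=$(grep -oF "$NEW_VERSION" "$f" | wc -l | tr -d ' ')
        if [ "$n" -ne 4 ]; then
            echo "COUNT     $f has $n x $NEW_VERSION, expected 4"; rc=1
        fi
        for v in $OLD_VERSIONS; do
            if grep -qF "$v" "$f"; then echo "STALE-REF $f still mentions $v"; rc=1; fi
        done
    done
    # Step 9: renamed opscenter.war.* copies that still bundle old log4j jars.
    for war in "$base"/SYMCOpsCenterGUI/opscenter.war.*; do
        [ -f "$war" ] || continue
        for v in $OLD_VERSIONS; do
            if unzip -l "$war" 2>/dev/null | grep -F "WEB-INF/lib/log4j-" |
               grep -qF -- "-$v.jar"; then
                echo "STALE-WAR $war bundles log4j $v"; rc=1
            fi
        done
    done
    return $rc
}

# Audit a real install only when a base directory is passed explicitly.
if [ "$#" -ge 1 ]; then audit_log4j "$1"; fi
```

Run it after step 8 and before starting the services in step 10, for example as sh audit.sh /opt (audit.sh being whatever name the script is saved under).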

 

Using OpsCenter Emergency Engineering Binary (EEB) installer on Windows

1) Download the appropriate EEB package into the C:\tmp directory.
2) Extract the EEB package.
3) As admin user on the OpsCenter server/agent, install the EEB as follows.
     OpsCenterEEBInstaller.bat [-server | -agent | -jvb] base-directory

     OpsCenterEEBInstaller.bat -server base_directory_of_server_installation_in_quotes
       e.g. OpsCenterEEBInstaller.bat -server "C:\Program Files\Symantec"

     OpsCenterEEBInstaller.bat -agent base_directory_of_agent_installation_in_quotes
       e.g. OpsCenterEEBInstaller.bat -agent "C:\Program Files\Symantec"

     OpsCenterEEBInstaller.bat -jvb base_directory_of_viewbuilder_installation_in_quotes
       e.g. OpsCenterEEBInstaller.bat -jvb "C:\Program Files\Symantec"


Using OpsCenter Emergency Engineering Binary (EEB) installer on Linux

1) Download the appropriate EEB package into the /tmp/OpsCenterEEBInstaller/unix directory.
2) Extract the EEB package.
3) As root on the OpsCenter server/agent, install the EEB package binaries as follows.
   cd /tmp/OpsCenterEEBInstaller/unix
   /bin/sh ./OpsCenterEEBInstaller.sh [-server | -agent] base-directory

   /bin/sh ./OpsCenterEEBInstaller.sh -server base_directory_of_server_installation
     e.g. /bin/sh ./OpsCenterEEBInstaller.sh -server /opt

   /bin/sh ./OpsCenterEEBInstaller.sh -agent base_directory_of_agent_installation
     e.g. /bin/sh ./OpsCenterEEBInstaller.sh -agent /opt
         

To Uninstall EEB on Windows:
1) As admin user on the OpsCenter server/agent, uninstall the EEB as follows.
   cd to the folder where the EEB package was extracted.
     OpsCenterEEBInstaller.bat [-rollbackserver | -rollbackagent | -rollbackviewbuilder] base-directory

     OpsCenterEEBInstaller.bat -rollbackserver base_directory_of_server_installation_in_quotes
       e.g. OpsCenterEEBInstaller.bat -rollbackserver "C:\Program Files\Symantec"

     OpsCenterEEBInstaller.bat -rollbackagent base_directory_of_agent_installation_in_quotes
       e.g. OpsCenterEEBInstaller.bat -rollbackagent "C:\Program Files\Symantec"

     OpsCenterEEBInstaller.bat -rollbackviewbuilder base_directory_of_viewbuilder_installation_in_quotes
       e.g. OpsCenterEEBInstaller.bat -rollbackviewbuilder "C:\Program Files\Symantec"

[Note: An EEB pack can only roll back itself]

 

To Uninstall EEB on Linux:
1) As root on the OpsCenter server/agent, uninstall the
   EEB package binaries as follows.

   cd /tmp/OpsCenterEEBInstaller/unix
   /bin/sh ./OpsCenterEEBInstaller.sh [-rollbackserver | -rollbackagent] base_directory

   /bin/sh ./OpsCenterEEBInstaller.sh -rollbackserver base_directory_of_server_installation
     e.g. /bin/sh ./OpsCenterEEBInstaller.sh -rollbackserver /opt

   /bin/sh ./OpsCenterEEBInstaller.sh -rollbackagent base_directory_of_agent_installation
     e.g. /bin/sh ./OpsCenterEEBInstaller.sh -rollbackagent /opt

[Note: An EEB pack can only roll back itself]


Downloads:
NB_9.1.0.1_ET4058553_5.zip
NB_9_1_0_1_ET4058553_5_README.pdf

VTS22-005-Description.pdf

 

Checksums for all files (cksum):

File                                                          Checksum      Byte count

all/OpsCenter_LinuxR_x86_x86_64_9101EEB_ET4058553_5.tar.gz    3710010021    105953414
all/OpsCenter_LinuxS_x86_x86_64_9101EEB_ET4058553_5.tar.gz    660431163     105953422
all/OpsCenter_windows_AMD64_9101EEB_ET4058553_5.zip           1085492774    116055699
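
One way to check the extracted archives against the cksum table above before installing, added here as an example that is not part of the Veritas package. It assumes the download was extracted so that the all/ directory sits under the directory you pass in; the function name and status labels are made up for this example. cksum is a CRC, so a match shows the transfer was not corrupted, not that the file is authentic.

```shell
#!/bin/sh
# Added example (not vendor code): verify EEB archives against the published
# cksum values. Manifest lines are "file checksum bytes", copied from the table.
MANIFEST='all/OpsCenter_LinuxR_x86_x86_64_9101EEB_ET4058553_5.tar.gz 3710010021 105953414
all/OpsCenter_LinuxS_x86_x86_64_9101EEB_ET4058553_5.tar.gz 660431163 105953422
all/OpsCenter_windows_AMD64_9101EEB_ET4058553_5.zip 1085492774 116055699'

verify_cksums() {   # $1 = directory containing all/ ; manifest is read from stdin
    dir=$1; rc=0
    while read -r file want_sum want_size; do
        [ -n "$file" ] || continue
        path="$dir/$file"
        if [ ! -f "$path" ]; then
            echo "ABSENT   $file"; rc=1; continue
        fi
        # Reading from stdin makes cksum print only "checksum byte-count".
        set -- $(cksum < "$path")
        if [ "$1" = "$want_sum" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (got $1 $2, want $want_sum $want_size)"; rc=1
        fi
    done
    return $rc
}

# Check a real download only when its extraction directory is passed explicitly.
if [ "$#" -ge 1 ]; then printf '%s\n' "$MANIFEST" | verify_cksums "$1"; fi
```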
