
Impact of CVE-2021-44228 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0

HotFix

Abstract

Impact of CVE-2021-44228 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0

Description

This fix provides the mitigation steps for the CVE-2021-44228 Apache Log4j vulnerability on Veritas Resiliency Platform versions 3.4 to 4.0.
Problem

Impact of the CVE-2021-44228 and CVE-2021-45105 Apache Log4j vulnerabilities on Veritas Resiliency Platform versions 3.4 to 4.0

The product is not impacted by CVE-2021-45105.

Mitigation steps for CVE-2021-44228


Steps for Resiliency Manager and Infrastructure Manager Server to extract the files

1. Download the zip file VRP-Log4j-patch-jar-replace.tar.gz.zip from the download center and extract the tar file VRP-Log4j-patch-jar-replace.tar.gz.

2. Perform the following steps to upload the tar bundle file to the appliance:

   Open the SFTP session from clish
   utilities> sftp-session start put patch
   Provide the password for this temporary SFTP session
   Open SFTP session using the above created user information and upload the tar bundle

3. Stop the SFTP session after uploading the tar bundle file

   utilities> sftp-session stop

4. Log in to the appliance as the admin user and go to the support shell using a support login. Contact Veritas support if you do not have access to the support shell.

5. Create a temporary directory to extract the tar bundle file

   # mkdir /tmp/log4j_patch

6. Create a backup directory

   # mkdir /var/opt/log4j_backup

7. Copy the uploaded file to the directory /tmp/log4j_patch

   # cp /var/opt/VRTSitrp/patches/VRP-Log4j-patch-jar-replace.tar.gz /tmp/log4j_patch

8. Change to the directory /tmp/log4j_patch

   # cd /tmp/log4j_patch

9. Extract the tar bundle file

   # tar -xvf VRP-Log4j-patch-jar-replace.tar.gz


Steps to apply fix for Resiliency Manager

1. Stop the RM services

   # /opt/VRTSitrp/bin/itrpadm service --stop all

   # /opt/VRTSitrp/bin/itrpadm service --status all

2. The tar bundle file contains jar files and a Perl script. Run the Perl script to apply the fix

   # cd /tmp/log4j_patch/log4j_latest

   # ./patch_log4j_jars.pl /tmp/log4j_patch/log4j_latest /var/opt/log4j_backup

3. Start the RM service 

   # /opt/VRTSitrp/bin/itrpadm service --start all

   # /opt/VRTSitrp/bin/itrpadm service --status all

Steps to apply fix for Infrastructure Manager Server

1. Stop the IMS services
 
   # /opt/VRTSsfmcs/bin/vomsc --stop ALL
 
   # /opt/VRTSsfmcs/bin/vomsc --status ALL

2. The tar bundle file contains jar files and a Perl script. Run the Perl script to apply the fix

   # cd /tmp/log4j_patch/log4j_latest

   # ./patch_log4j_jars.pl /tmp/log4j_patch/log4j_latest /var/opt/log4j_backup

3. Start the IMS service 

   # /opt/VRTSsfmcs/bin/vomsc --start ALL

   # /opt/VRTSsfmcs/bin/vomsc --status ALL

 

If you face any issue while deploying this fix, or if the appliance services do not come up after the fix is installed, contact Veritas support.
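
An added check, not part of the Veritas hotfix or its Perl script: once the services are running again, this shell script lists every log4j-core jar under the directories it is given and flags versions 2.0-beta9 through 2.14.1, where the lookup behind CVE-2021-44228 is enabled by default. It assumes the jars keep the upstream log4j-core-<version>.jar naming; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Veritas code): report log4j-core jars left on disk.
# Assumption: jars keep the upstream name log4j-core-<version>.jar.

# Print the version embedded in a log4j-core jar file name.
log4j_version() {
    basename "$1" .jar | sed -n 's/^log4j-core-//p'
}

# Return 0 if the version lies in 2.0-beta9 .. 2.14.1, skipping the
# patched 2.3.1+ and 2.12.2+ maintenance lines.
is_affected_44228() {
    case "$1" in
        2.0-beta9|2.0-rc*|2.0|2.0.*) return 0 ;;
        2.3|2.3.0|2.12|2.12.0|2.12.1) return 0 ;;
        2.3.*|2.12.*) return 1 ;;
        2.[1-9]|2.[1-9].*|2.1[0-4]|2.1[0-4].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "STATUS version path" for every log4j-core jar under the given
# directories; return 1 if any jar is affected or cannot be identified.
scan_dirs() {
    found_bad=0
    list=$(find "$@" -type f -name 'log4j-core*.jar' 2>/dev/null | sort)
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        ver=$(log4j_version "$jar")
        if [ -z "$ver" ]; then
            status=UNKNOWN; found_bad=1
        elif is_affected_44228 "$ver"; then
            status=AFFECTED; found_bad=1
        else
            status=OK
        fi
        printf '%s %s %s\n' "$status" "${ver:--}" "$jar"
    done <<EOF
$list
EOF
    return "$found_bad"
}

# Scan only when directories are passed on the command line.
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

Pass it the install roots that appear in the commands above, /opt/VRTSitrp on a Resiliency Manager or /opt/VRTSsfmcs on an Infrastructure Manager Server; that the jars sit under those roots is an assumption. The backup directory /var/opt/log4j_backup is expected to report the old jars as AFFECTED if it is scanned.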


Knowledge base

71
2022-12-05

About Apache Log4j Vulnerabilities Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. Veritas is tracking the recently announced vulnerabilities in Apache’s Log4j. All Veritas Pro...