Sign In
Forgot Password

Don’t have an account? Create One.

NetBackup OpsCenter 9.0.0.1 Hotfix - VTS22-009 Security Advisory and Apache Log4J 2.17.1 (Etrack - 4058555)

HotFix Critical

Abstract

OpsCenter 9.0.0.1 VTS22-009 Security Advisory and Apache Log4J 2.17.1

Description

Veritas Bug ID: ET 4058555

 

Version: OpsCenter 9.0.0.1

 

Problem Description: OpsCenter 9.0.0.1 VTS22-009 Security Advisory and Apache Log4J 2.17.1

Read me

Install on: OpsCenter Server, OpsCenter View Builder Client

 

Version 4 ReadMe Notes:

1. This Hotfix includes Security fixes for vulnerabilities associated with announcement VTS22-009.
2. There are no incremental updates to log4j 2.17.1 in this version. This version contains fixes related to other escalations but this also contain log4j 2.17.1 upgrade carried  from previous versions because this EEB contains all fixes from version 1 to version 3 including fixes in version 4.   Also no need to uninstall existing version of this EEB .
3. Also please run cleanAmginuousClients83() multiple times if you see any existing duplicate clients after single run.
     Please follow these related steps in this Tech article https://www.veritas.com/support/en_US/article.100052133
4. Please ignore message of uninstallation of previous version of this EEB. This EEB contains all fixes till date.
5. All OpsCenter services can remain running. 

 

VTS22-009 Advisory Link
https://www.veritas.com/content/support/en_US/security/VTS22-009

 

Installation Instructions:

 

Steps to update GUI+Server and ViewBuilder Component :

 

Upgrade Log4j to 2.17.1
           

Windows Steps for GUI + Server component

 

This new version of the EEB can be installed directly without performing an Uninstall of the previous versions of the EEB.

NOTE : If the previous version of the EEB, i,.e 4058555 v2 or v3  is already installed, then there is no need to perform upgrade steps related to log4j 2.17.1 if upgrade steps has been already done.

NOTE : If version 1 eeb of 4058555 i.e. OpsCenter_windows_AMD64_9001EEB_ET4058555_1.zip is already installed, then please refer 2.16.0 version of log4j instead of 2.13.3 version of log4j in below steps wherever 2.13.3 has mentioned for replacement or removal. Version 1 eeb has already removed 2.13.3 version and installed 2.16.0 version of log4j. So upgrade from version 1 of eeb to version 2 of eeb is upgrade of 2.16.0 version to 2.17.1 version of log4j.


Steps to update for GUI+Server and ViewBuilder component

 

NOTE : For customers who have deployed EEBs for this version of OpsCenter in the past for resolving inconsistencies with Client names in OpsCenter reports, please additionally refer Step-12. Others who have never installed such EEBs in the past can ignore step-12.

 

1. Take OpsCenter database backup, and additionally take backup of files 

[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin\OpsCenterServerService.xml
[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin\setEnv.bat
[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui\bin\setEnv.bat

2. Install Server component of EEB (-server option of OpsCenterEEBInstaller.bat) 

3. Stop OpsCenter Services

4.  Note that the following are the log4j 2.17.1 file names which have CVE-2021-44228 fixed, these are present in  [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

5. Note that the following are the log4j 2.13.3 file names which have the vulnerability CVE-2021-44228
these are present in [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

6. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin and open OpsCenterServerService.xml and
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin and open setEnv.bat and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

8. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui\bin and open setEnv.bat and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

9. Delete jars having version "2.13.3" mentioned in step (5) from [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib folder

10. After installing eeb and performing these steps, if there are opscenter.war files having extended naming convention similar to 
format opscenter.war.9001EEB_ET4058555_1 under [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui, then unzip it to any location and 
please check for log4j files having version 2.13.3 or 2.16.0 under [UNZIP_LOCATION]\opscenter.war\WEB-INF\lib. If these versions are present 
then delete these opscenter.war files having extended naming convention similar to format opscenter.war.9001EEB_ET4058555_1.

11. Start OpsCenter Services

12. For customers who have been previously reporting inconsistencies with Client names in OpsCenter reports, it is
strongly recommended to follow these additional steps in this Tech article.
https://www.veritas.com/support/en_US/article.100052133

 

Windows OpsCenter ViewBuilder Component

1. Take backup of files 

[OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin\OpsCenterViewBuilder.xml
[OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin\setEnv.bat

2. Install ViewBuilder component of EEB (-jvb option of OpsCenterEEBInstaller.bat) and close ViewBuilder if it is open.

3.  Note that the following are the log4j 2.17.1 file names which have CVE-2021-44228 fixed, these are present in [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

4. Note that the following are the log4j 2.13.3 file names which have the vulnerability CVE-2021-44228
these are present in [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

5. Go to folder [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin and open OpsCenterViewBuilder.xml and
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

6. Go to folder [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin and open setEnv.bat and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Delete jars having version "2.13.3" mentioned in step (4) from [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib folder

8. Launch ViewBuilder


Linux Steps for GUI + Server component

This new version of the EEB can be installed directly without performing an Uninstall of the previous versions of the EEB.

 

NOTE : If the previous version of the EEB, i.e.4058555 v2 or v3 is already installed, then there is no need to perform upgrade steps
related to log4j 2.17.1 if upgrade steps has been already done.

 

NOTE : If version 1 eeb of 4058555 i.e. OpsCenter_LinuxR_x86_x86_64_9001EEB_ET4058555_1.tar.gz is already installed, then
please refer 2.16.0 version of log4j instead of 2.13.3 version of log4j in below steps wherever 2.13.3 has mentioned
for replacement or removal. Version 1 eeb has already removed 2.13.3 version and installed 2.16.0 version of log4j.
So upgrade from version 1 of eeb to version 2 of eeb is upgrade of 2.16.0 version to 2.17.1 version of log4j.

 

Steps to update for GUI + Server component

 

NOTE : For customers who have deployed EEBs for this version of OpsCenter in the past for resolving inconsistencies with Client names in OpsCenter reports, please additionally refer Step-11. Others who have never installed such EEBs in the past can ignore step-11.


1. Take OpsCenter database backup, and additionally take backup of following files 

[OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/bin/setEnv.sh 
[OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI/bin/setEnv.sh 

2. Install Server component of EEB (-server option of OpsCenterEEBInstaller.sh)

3. Stop OpsCenter Services

4. Note that the following are the log4j 2.17.1 file names which have CVE-2021-44228 fixed, 
these are present in [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

5. Note that the following are the log4j file names which have the vulnerability CVE-2021-44228
these are present in [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

6. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/bin and open setEnv.sh and search for "2.13.3" and replace with "2.17.1". You should see 4 such entries. This step will ensure that OpsCenter is able to point to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI/bin/ and open setEnv.sh and search for "2.13.3" and replace with "2.17.1". You should see 4 such entries. This step will ensure that OpsCenter is able to point to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

8. Delete the jar files having version "2.13.3" mentioned in step (5) from [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib folder

9. After installing eeb and performing these steps, if there are opscenter.war files having extended naming convention similar to 
format opscenter.war.9001EEB_ET4058555_1 under [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI, then unzip it to any location and 
please check for log4j files having version 2.13.3 or 2.16.0 under [UNZIP_LOCATION]/opscenter.war/WEB-INF/lib. If these versions are present, 
then delete these opscenter.war files having extended naming convention similar to format opscenter.war.9001EEB_ET4058555_1.

10. Start OpsCenter Services

11. For customers who have been previously reporting inconsistencies with Client names in OpsCenter reports, it is
strongly recommended to follow these additional steps in this Tech article.
https://www.veritas.com/support/en_US/article.100052133


Using OpsCenter Emergency Engineering Binary (EEB) installer on Windows:
1) Download the appropriate EEB package into into the C:\tmp directory.                        
2) Extract the EEB package.
3) As admin user on the Opscenter server/agent, install the EEB as follows.
    OpsCenterEEBInstaller.bat [-server | -agent | -jvb ] base-directory
   
     OpsCenterEEBInstaller.bat -server base_directory_of_server_installation_in_quotes
       e.g. OpsCenterEEBInstaller.bat -server "C:\Program Files\Symantec"
   
     OpsCenterEEBInstaller.bat -agent base_directory_of_agent_installation_in_quotes
      e.g. OpsCenterEEBInstaller.bat -agent "C:\Program Files\Symantec"
       
     OpsCenterEEBInstaller.bat -jvb base_directory_of_viewbuilder_installation_in_quotes
      e.g. OpsCenterEEBInstaller.bat -jvb "C:\Program Files\Symantec" 

 

Using OpsCenter Emergency Engineering Binary (EEB) installer on Windows:
1) Download the appropriate EEB package into into the cd /tmp/OpsCenterEEBInstaller/unix                        
2) Extract the EEB package.
3) As root on the Opscenter server/agent, install the EEB package binaries as follows.
   cd /tmp/OpsCenterEEBInstaller/unix
   /bin/sh ./OpsCenterEEBInstaller.sh [-server | -agent] base-directory
   
   /bin/sh ./OpsCenterEEBInstaller.sh -server base_directory_of_server_installation
   e.g. /bin/sh ./OpsCenterEEBInstaller.sh -server /opt
    
   /bin/sh ./OpsCenterEEBInstaller.sh -agent base_directory_of_agent_installation
   e.g: /bin/sh ./OpsCenterEEBInstaller.sh -agent /opt


To Uninstall EEB on Windows:
1) As admin user on the Opscenter server/agent, uninstall the 
   EEB as follows.
   
   cd to the folder where the EEB package was extracted. 
   OpsCenterEEBInstaller.bat [-rollbackserver | -rollbackagent | -rollbackviewbuilder] base-directory
      
    OpsCenterEEBInstaller.bat  -rollbackserver base_directory_of_server_installation_in_quotes
    e.g. OpsCenterEEBInstaller.bat -rollbackserver "C:\Program Files\Symantec"
      
    OpsCenterEEBInstaller.bat -rollbackagent base_directory_of_agent_installation_in_quotes
    e.g. OpsCenterEEBInstaller.bat -rollbackagent "C:\Program Files\Symantec"
       
   OpsCenterEEBInstaller.bat -rollbackviewbuilder base_directory_of_agent_installation_in_quotes
   e.g. OpsCenterEEBInstaller.bat -rollbackviewbuilder "C:\Program Files\Symantec"

[Note : An EEB pack can only rollback itself]

 

To Uninstall EEB on Linux:
1) As a root user on the Opscenter server/agent, uninstall the 
   EEB package binaries as follows.

   cd /tmp/OpsCenterEEBInstaller/unix
      /bin/sh ./OpsCenterEEBInstaller.sh [-rollbackserver | -rollbackagent] base_directory
   
    /bin/sh ./OpsCenterEEBInstaller.sh -rollbackserver base_directory_of_server_installation
       e.g. /bin/sh ./OpsCenterEEBInstaller.sh -rollbackserver /opt
   
       /bin/sh ./OpsCenterEEBInstaller.sh  -rollbackagent base_directory_of_agent_installation
          e.g. /bin/sh ./OpsCenterEEBInstaller.sh -rollbackagent /opt

[Note : An EEB pack can only rollback itself]  

 

Downloads:

NB_9.0.0.1_ET4058555_4.zip
NB_9_0_0_1_ET4058555_4_README.pdf
 

Checksums for all files (cksum):
File                                                                                                                      Checksum         Byte count

all/OpsCenter_LinuxR_x86_x86_64_9001EEB_ET4058555_4.tar.gz       3324387816    108370389
all/OpsCenter_LinuxS_x86_x86_64_9001EEB_ET4058555_4.tar.gz       712697335       108370425
all/OpsCenter_windows_AMD64_9001EEB_ET4058555_4.zip                2378894157     118595570

Update files

File name Description Version Platform Size

Applies to the following product releases

Knowledge base

71
2022-05-13

About Apache Log4j Vulnerabilities Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. Veritas is tracking the recently announced vulnerabilities in Apache’s Log4j. All Veritas Pro...

6
2022-03-29

CVE-2021-44228 Apache Log4j Vulnerability mitigation steps for OpsCenter The CVE-2021-44228 Apache Log4j Vulnerability impacts OpsCenter. The following mitigation steps are applicable to all versions of NetBackup OpsCenter from 8.1.2 through 9.1....