Veritas InfoScale Operations Manager log4j2 2.17.1 version upgrade
Summary
Description
This hotfix fixes log4j2 vulnerabilities on VIOM Management Servers and Managed Hosts running the versions listed below.
- VIOM Management Servers (Linux and Windows) (versions - 7.4, 7.4.2, 8.0)
- VIOM Managed Hosts/Agents (Windows) (versions - 7.0 and higher)
Vulnerabilities fixed - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832, CVE-2019-17571
README VERSION : 1.0
README CREATION DATE : 2022-01-06
HOTFIX-ID : VIOM_log4j2_vulnerability_hotfix_2.zip
HOTFIX NAME : Veritas InfoScale Operations Manager log4j2 2.17.1 version upgrade
SUPPORTED PADV : Linux, Windows
CRITICALITY : REQUIRED
HAS KERNEL COMPONENT : NO
REQUIRE APPLICATION DOWNTIME : YES
HOTFIX INSTALLATION INSTRUCTIONS:
--------------------------------
IMPORTANT NOTE :
This hotfix fixes log4j2 vulnerabilities on VIOM Management Servers and Managed Hosts running the versions listed below.
- VIOM Management Servers (Linux and Windows) (versions - 7.4, 7.4.2, 8.0)
- VIOM Managed Hosts/Agents (Windows) (versions - 7.0 and higher)
Vulnerabilities fixed - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832, CVE-2019-17571
If you have lower versions of VIOM Management Server and Managed Hosts/Agents, please upgrade to the latest applicable higher version before applying the hotfix.
You can check the latest patch available for VIOM at the URL below:
https://www.veritas.com/content/support/en_US/downloads
Re-installation of the log4j2 hotfix is required if you upgrade VIOM Management Server/Managed Hosts after installing the hotfix.
WHEN TO APPLY THIS HOTFIX :
This hotfix is mandatory for all applicable VIOM Management Servers and Managed Hosts/Agents to fix the log4j2 vulnerabilities mentioned above. This hotfix upgrades the log4j component to version 2.17.1 on VIOM Management Servers and removes the log4j jars from Windows Managed Hosts. Removal of the log4j jars from Managed Hosts/Agents does not impact any VIOM functionality for versions 7.0 and higher.
STEPS TO APPLY HOTFIX :
NOTE - For VIOM Management HA-DR servers, ensure the hotfix is installed on all active and inactive nodes of the cluster.
Linux Management Server (ver 7.4, 7.4.2, 8.0)
1. Download the file VIOM_log4j2_vulnerability_hotfix_2.zip on VIOM management server.
2. Unzip the file.
3. cd to the dir "VIOM_log4j2_vulnerability_hotfix_2"
4. Run command /opt/VRTSsfmh/bin/perl VIOM_log4j2_vulnerability_hotfix.pl
Windows Management Server (ver 7.4, 7.4.2, 8.0)
1. Download the file VIOM_log4j2_vulnerability_hotfix_2.zip on VIOM management server.
2. Unzip the file.
3. Open the command prompt and navigate to the dir "VIOM_log4j2_vulnerability_hotfix_2"
4. Run command "C:\Program Files\Veritas\VRTSsfmh\bin\perl.exe" VIOM_log4j2_vulnerability_hotfix.pl
Windows Managed Hosts/Agents
1. Download the file VIOM_log4j2_vulnerability_hotfix_2.zip on VIOM Windows Managed Host/Agent.
2. Unzip the file.
3. Open the command prompt and navigate to the dir "VIOM_log4j2_vulnerability_hotfix_2"
4. Run command "C:\Program Files\Veritas\VRTSsfmh\bin\perl.exe" VIOM_log4j2_vulnerability_hotfix.pl
HOTFIX VERIFICATION STEPS :
Linux Management Server
Verify the "cksum" of the files below:
1)
cksum /opt/VRTSsfmcs/webgui/tomcat/lib/log4j.jar
1633764867 208005 /opt/VRTSsfmcs/webgui/tomcat/lib/log4j.jar
2)
cksum /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-api.jar
3934950123 301873 /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-api.jar
3)
cksum /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-core.jar
1147346345 1790452 /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-core.jar
4) Only on VIOM CMS versions 7.4.2 and 8.0
cksum /opt/VRTSsfmcs/webgui/vom/WEB-INF/lib/cmsCollector.jar
2592271895 5682520 /opt/VRTSsfmcs/webgui/vom/WEB-INF/lib/cmsCollector.jar
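The four Linux Management Server checks above can be run in one pass. The script below is an added example, not part of the Veritas hotfix: the function names and the optional root-prefix argument are assumptions made here, while the expected values are the ones listed above.

```shell
#!/bin/sh
# Expected "CRC SIZE PATH" values, copied from the list above.
EXPECTED_COMMON='1633764867 208005 /opt/VRTSsfmcs/webgui/tomcat/lib/log4j.jar
3934950123 301873 /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-api.jar
1147346345 1790452 /opt/VRTSsfmcs/webgui/tomcat/lib/log4j-core.jar'
# Item 4 applies only to VIOM CMS versions 7.4.2 and 8.0.
EXPECTED_CMS='2592271895 5682520 /opt/VRTSsfmcs/webgui/vom/WEB-INF/lib/cmsCollector.jar'

# viom_manifest VERSION: print the expected lines for that server version.
viom_manifest() {
    echo "$EXPECTED_COMMON"
    case "$1" in
        7.4.2|8.0) echo "$EXPECTED_CMS" ;;
    esac
}

# verify_manifest MANIFEST [ROOT]: compare each file's cksum with the manifest.
# ROOT is an optional path prefix (hypothetical, for checking a mounted copy).
# Prints OK / MISMATCH / MISSING per file; returns 1 if any file fails.
verify_manifest() {
    manifest=$1
    root=${2:-}
    failures=0
    while read -r want_crc want_size path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"
            failures=$((failures + 1))
            continue
        fi
        # Reading from stdin makes cksum print only "CRC SIZE".
        got=$(cksum < "$root$path")
        if [ "$got" = "$want_crc $want_size" ]; then
            echo "OK $path"
        else
            echo "MISMATCH $path (got $got, expected $want_crc $want_size)"
            failures=$((failures + 1))
        fi
    done <<EOF
$manifest
EOF
    [ "$failures" -eq 0 ]
}

# Run only when a supported version is given, e.g.: sh verify_viom.sh 8.0
case "${1:-}" in
    7.4|7.4.2|8.0) verify_manifest "$(viom_manifest "$1")" ;;
esac
```

A MISSING or MISMATCH line for any of the jars means the hotfix did not complete on that node and should be re-run there.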
Windows Management Server
Verify the MD5 hash of the files below using the command prompt.
1)
C:\>certutil -hashfile "C:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\lib\log4j.jar" MD5
MD5 hash of c:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\lib\log4j.jar:
937a348ff730ec6ed54ef28576808ad3
2)
C:\>certutil -hashfile "c:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\lib\log4j-api.jar" MD5
MD5 hash of c:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\lib\log4j-api.jar:
7aae1e012aef802cbc2077f5267ac002
3)
C:\>certutil -hashfile "c:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\lib\log4j-core.jar" MD5
MD5 hash of c:\Program Files\Veritas\VRTSsfmcs\webgui\tomcat\lib\log4j-core.jar:
e9a107027346d3bbe9cbe61c5de692f0
4) Only on VIOM CMS versions 7.4.2 and 8.0
C:\>certutil -hashfile "C:\Program Files\Veritas\VRTSsfmcs\webgui\vom\WEB-INF\lib\cmsCollector.jar" MD5
MD5 hash of C:\Program Files\Veritas\VRTSsfmcs\webgui\vom\WEB-INF\lib\cmsCollector.jar:
8fdb2490f438a13095a725838719219a
Windows Managed Hosts/Agents
Verify that the <System-Drive>:\Program Files\Veritas\VRTSsfmh\lib\jars directory has been removed from the host.
After verifying the files, please verify that all VIOM services are started and that you can log in to the VIOM GUI.
HOTFIX UNINSTALLATION INSTRUCTIONS:
----------------------------------
NONE