Impact of CVE-2021-44228 Apache Log4j Vulnerability on NetBackup Resiliency/Veritas Resiliency Platform
Issue
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Versions
Veritas is aware of this recently announced zero-day vulnerability and both Product Security and Development teams are actively reviewing our software to determine if the vulnerability exists in any of our products.
If we determine a particular product is impacted by the issue, Veritas will provide temporary mitigation guidance while we work to quickly provide a patch to permanently address the issue. This is an urgent issue, and we are working aggressively to help keep our customers secure. We will provide updates and guidance as soon as possible.
Mitigation Steps for NetBackup Resiliency/Veritas Resiliency Platform v3.4 - 4.0
Steps to be performed for Resiliency Manager (RM)
1) Stop all services on RM
# /opt/VRTSitrp/bin/itrpadm service --stop ALL
2) Take backup of following files which will need to be updated
# mkdir -p /var/opt/log4j_bkp
#cp /opt/VRTSitrputils/lib/modules/VRTS/ITRP/ItrpAdm/Cmdlet/service.pm /var/opt/log4j_bkp/
#cp /opt/VRTSitrpapisvc/lib/modules/VRTS/ITRPAPISVC/ApiServiceConfig.pm /var/opt/log4j_bkp/
#cp /opt/VRTSitrpcs/lib/modules/VRTS/ITRPCS/CoreWebConfig.pm /var/opt/log4j_bkp/
#cp /opt/VRTSitrpui/lib/modules/VRTS/ITRPUI/UIConfig.pm /var/opt/log4j_bkp/
#cp /opt/VRTSitrptpc/tomcat/bin/catalina.sh /var/opt/log4j_bkp/
#cp /opt/VRTSitrpsec/lib/modules/VRTS/ITRPSEC/SecSvcConfig.pm /var/opt/log4j_bkp/
3) Make changes as mentioned below
1. File Location: /opt/VRTSitrputils/lib/modules/VRTS/ITRP/ItrpAdm/Cmdlet/service.pm
Search file for text Dfile.encoding=UTF-8 and change as following
Original line: $cmd .= " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8”
Update with: $cmd .= " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true”
2. File location: /opt/VRTSitrpapisvc/lib/modules/VRTS/ITRPAPISVC/ApiServiceConfig.pm
Search file for text Dfile.encoding=UTF-8 and change as following
Original line: " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8" .
Update with: " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true "
3. File location: /opt/VRTSitrpcs/lib/modules/VRTS/ITRPCS/CoreWebConfig.pm
Search file for text Dfile.encoding=UTF-8 and change as following
Original line: " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8"
Update with: " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true "
4. File location: /opt/VRTSitrpui/lib/modules/VRTS/ITRPUI/UIConfig.pm
Search file for text Dfile.encoding=UTF-8 and change as following
Original line: " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8"
Update with: " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true "
5. File location: /opt/VRTSitrptpc/tomcat/bin/catalina.sh
Search file for text Djava.protocol.handler.pkgs and change as following
Original line: JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
Update with: JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dlog4j2.formatMsgNoLookups=true"
6. File location: /opt/VRTSitrpsec/lib/modules/VRTS/ITRPSEC/SecSvcConfig.pm
Search file for text Dfile.encoding=UTF-8 and change as following
Original line: $cmd = $cmd . " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8";
Update with: $cmd = $cmd . " -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true ";
4) Start all services on RM
# /opt/VRTSitrp/bin/itrpadm service --start ALL
Steps to be performed for Infrastructure Management Server (IMS)
1) Stop all services on IMS
# /opt/VRTSsfmcs/bin/vomsc --stop ALL
2) Take backup of following files which will need to be updated
# mkdir -p /var/opt/log4j_bkp
#cp /opt/VRTSsfmh/bin/pbm_discoverer.pl /var/opt/log4j_bkp/
#cp /opt/VRTSsfmh/util/vcloud_disc_ops.pl /var/opt/log4j_bkp/
#cp /opt/VRTSsfmh/adm/vsphere_spbmclient.pl /var/opt/log4j_bkp/
#cp /opt/VRTSsfmcs/webgui/tomcat/bin/smw /var/opt/log4j_bkp/
3) Make changes as mentioned below
- File location: /opt/VRTSsfmh/bin/pbm_discoverer.pl
Search for text -Djava.util.logging.config.file=logging.properties in file and update it as follows
-Djava.util.logging.config.file=logging.properties -Dlog4j2.formatMsgNoLookups=true
- File location: /opt/VRTSsfmh/util/vcloud_disc_ops.pl
Search for text -Dlog4j.configurationFile and update as following
Original line: push(@cmd_arr, $java_path, '-Dlog4j.configurationFile='.$log4j_props, "-DPROC_LOG_CTX=$$", '-classpath', $classpath);
Update with: push(@cmd_arr, $java_path, '-Dlog4j.configurationFile='.$log4j_props, "-Dlog4j2.formatMsgNoLookups=true", "-DPROC_LOG_CTX=$$", '-classpath', $classpath);
- File location: /opt/VRTSsfmh/adm/vsphere_spbmclient.pl
Search for text -Djava.util.logging.config.file=logging.properties and update as following
-Djava.util.logging.config.file=logging.properties -Dlog4j2.formatMsgNoLookups=true
- File location: /opt/VRTSsfmcs/webgui/tomcat/bin/smw
Search for text Dsun.java2d.noddraw and update as following
Original line: JAVA_OPTS="${JAVA_OPTS} -Dvom.config.file=${VOM_CONFIG_FILE} -Dadmin.port=${ADMIN_PORT} -Dvom.webgui.install.dir=${WEBGUI_INSTALL_DIR} -Dssl.port=${SSL_PORT} -Dprofile=${PROFILE} -Dkeystore.file=${KEYSTORE_FILE} -Xrs -Djava.awt.headless=true -Dsun.java2d.noddraw=true"
Updated line: JAVA_OPTS="${JAVA_OPTS} -Dvom.config.file=${VOM_CONFIG_FILE} -Dadmin.port=${ADMIN_PORT} -Dvom.webgui.install.dir=${WEBGUI_INSTALL_DIR} -Dssl.port=${SSL_PORT} -Dprofile=${PROFILE} -Dkeystore.file=${KEYSTORE_FILE} -Xrs -Djava.awt.headless=true -Dsun.java2d.noddraw=true -Dlog4j2.formatMsgNoLookups=true"
4) Start all services on IMS
# /opt/VRTSsfmcs/bin/vomsc --start ALL
Impact of CVE-2021-44228 on NetBackup
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.