VRTSaccess-app-EEB-ET4064045-7.4.3.0-1.x86_64(article 100052105)
Abstract
Description
Vulnerability scanners may still report the Log4j vulnerabilities even after the provided mitigation steps have been applied. This is expected: most scanners identify the vulnerable jar by its file name and version and are not designed to account for in-place mitigations.
The initial EEB 4059261 only applied the mitigation (removal of the vulnerable JNDI lookup class from the existing jar), whereas the new EEB 4064045 upgrades log4j to version 2.17.1.
Impact Summary
There are Access Appliance components that use the vulnerable Apache Log4j version. However, these components do not have any interface that is exposed outside of the Access Appliance through any public IP, so there is no exposure to external users.
While there is no exposure to external users, in order to mitigate the vulnerability as recommended by Apache, the hot fix or the manual mitigation steps remove the vulnerable Java class from the relevant jar files. However, because the jar file itself still exists under its original name and version, security scans may continue to flag it even though the vulnerable class has been removed.
Regarding log4j specifically, there is no difference in mitigation steps for Access 7.4.3.000, Access 7.4.3.100, or Access 7.4.3.200.
Veritas recommends upgrading to 7.4.3.200 patch where the EEB to upgrade log4j to a newer version can be applied.
If upgrading to Access 7.4.3.200 from a version earlier than Access 7.4.2.400, you must upgrade to 7.4.2.400, 7.4.3.000, or 7.4.3.100 first. Please see the Access 7.4.3.200 release notes here, and please engage Veritas Support regarding considerations for upgrading to 7.4.3.x, with reference to internal KB article 100051697.
Mitigation for Access Appliance 7.4.3.x with Hot Fix
Veritas has provided Hot Fix 4064045, which upgrades log4j to a newer version. The initial hotfix, 4059261, only removes the vulnerable JNDI Lookup class.
If the initial hotfix is already applied, remove it prior to installing the newer hotfix.
This Hot Fix only needs to be copied to a single node; the installation process syncs the file to the second node in the cluster and applies the fix to both nodes. No downtime of production services and no reboot is needed to apply this update. The AutoSupport services are restarted by both the Hot Fix and the manual steps; however, these are "non-production" services used for internal reporting, and no data services such as file access or LTR are impacted.
1. Download the Hot Fix from here
2. Copy the Hot Fix to a single node of the 3340 Appliance cluster
2a. Open a CIFS or NFS share via the Access Appliance CLISH to move the Hot Fix to the cluster node:
accessnode-01.Main_Menu> Manage
accessnode-01.Manage> Software
accessnode-01.Software> Share Open
- [Info] Created a NFS share for sharing the patches.
- [Info] You can access the NFS share at accessnode-01:/inst/patch/appliance/available. To ensure appliance security, use the Share Close command to remove the share after downloading the required patches.
- [Info] Created a CIFS share for sharing the patches.
- [Info] You can access the CIFS share at \\accessnode-01\incoming_patches. To ensure appliance security, use the Share Close command to remove the share after downloading the required patches.
3. Copy the Hot Fix to the CIFS or NFS directory
4. Close the share.
accessnode-01.Software> Share Close
5. List the downloaded file:
accessnode-01.Software> List Downloaded
| Name | VRTSaccess-app-EEB-ET4059261-7.4.3.0-1.x86_64.rpm
6. Roll back the original EEB, 4059261, if it was installed
accessnode-01.Software> Rollback VRTSaccess-app-EEB-ET4059261-7.4.3.0-1.x86_64
7. Install the Hot Fix
accessnode-01.Software> Install VRTSaccess-app-EEB-ET4064045-7.4.3.0-1.x86_64.rpm
- [Info] Install EEB process started, please wait a moment...
- [Info] accessnode-01 - Prechecking for install the EEB...
- [Info] accessnode-02 - Prechecking for install the EEB...
- [Info] accessnode-01 - Installing the EEB...
- [Info] accessnode-02 - Installing the EEB...
- [Info] V-409-777-7003: Installed EEB VRTSaccess-app-EEB-ET4064045-7.4.3.0-1.x86_64.rpm successfully.
8. (Optional) Use the command from the manual mitigation steps below to validate that JndiLookup.class is now only present in the log4j version 2.17.1 jars.
# for log4jcore in `find /opt -name \*log4j\*core\*.jar 2> /dev/null`; do echo "In the file: $log4jcore"; unzip -l "$log4jcore" | grep JndiLookup.class; done
In the file: /opt/autosupport/fileuploader/lib/log4j-core-2.17.1.jar
3158 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class
In the file: /opt/autosupport/analyzer/lib/log4j-core-2.17.1.jar
3158 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class
In the file: /opt/autosupport/alertmanager/lib/log4j-core-2.17.1.jar
3158 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class
In the file: /opt/autosupport/transmission/lib/log4j-core-2.17.1.jar
3158 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class
In the file: /opt/apache-tomcat/vxos/webapps/ascws/WEB-INF/lib/log4j-core-2.17.1.jar
3158 12-27-2021 17:30 org/apache/logging/log4j/core/lookup/JndiLookup.class
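The validation loop above only prints whether JndiLookup.class exists in each jar; it does not by itself distinguish the three states an appliance can be in after the steps in this article (untouched jar, class removed by the 4059261 mitigation, or jar upgraded to 2.17.1 by 4064045), and the earlier section explains why scanners still flag the second state. The following added audit script (example code written for this article, not Veritas or Apache code) does that classification. It walks a directory tree the way the `find /opt -name '*log4j*core*.jar'` command does, reads the version from the jar file name, checks for the JndiLookup.class entry, and reports one of `upgraded`, `mitigated`, `vulnerable`, `unknown` or `unreadable`. The sample jars it builds when run without arguments are constructed placeholders (the 2.13.3 version string and the class bytes are invented for the demo, not the appliance's real files), so it runs offline; point it at `/opt` on a node to audit real files.

```python
"""Classify every log4j-core jar under a directory tree.

Added example, not Veritas code. Classification rule, following the article:
  version >= 2.17.1                        -> "upgraded"   (state after EEB 4064045)
  older version, JndiLookup.class absent   -> "mitigated"  (EEB 4059261 / manual step;
                                                            scanners may still flag the filename)
  older version, JndiLookup.class present  -> "vulnerable"
"""
import os
import re
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 1)  # version installed by the hot fix, per the article
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(name):
    """Return the version tuple encoded in a log4j-core jar file name, or None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def classify_jar(path):
    """Classify one jar by its file-name version and the presence of JndiLookup.class."""
    version = parse_version(os.path.basename(path))
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "upgraded"
    try:
        with zipfile.ZipFile(path) as jar:  # a jar is a zip archive
            has_jndi = JNDI_CLASS in jar.namelist()
    except (OSError, zipfile.BadZipFile):
        return "unreadable"
    return "vulnerable" if has_jndi else "mitigated"


def audit_tree(root):
    """Walk root like `find /opt -name '*log4j*core*.jar'` and classify each hit."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped silently
        for name in files:
            if "log4j" in name and "core" in name and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                results[path] = classify_jar(path)
    return results


def build_sample_tree(root):
    """Create constructed sample jars (placeholders, not real log4j) for an offline run."""
    samples = {
        # upgraded: class present, but version is the fixed one
        "autosupport/analyzer/lib/log4j-core-2.17.1.jar": True,
        # mitigated: old (constructed) version with the class removed
        "autosupport/alertmanager/lib/log4j-core-2.13.3.jar": False,
        # vulnerable: old (constructed) version, class still present
        "apache-tomcat/vxos/webapps/ascws/WEB-INF/lib/log4j-core-2.13.3.jar": True,
    }
    for rel, with_jndi in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return root


def demo():
    """Build the sample tree in a temp dir and return {relative path: state}."""
    root = build_sample_tree(tempfile.mkdtemp())
    return {os.path.relpath(p, root): s for p, s in audit_tree(root).items()}


if __name__ == "__main__":
    results = demo() if len(sys.argv) < 2 else audit_tree(sys.argv[1])
    for path, state in sorted(results.items()):
        print(f"{state:<11} {path}")
```

Run it as `python3 audit_log4j.py /opt` on a node to list every log4j-core jar with its state; any line reporting `vulnerable` means neither the hot fix nor the manual step has touched that jar, and a `mitigated` line is the case where a scanner will still raise a finding on the file name even though the class is gone.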