Install on: OpsCenter Server, OpsCenter View Builder Client 

Version 4 Readme Notes:

1. This Hotfix includes Security fixes for vulnerabilities associated with announcement VTS22-009.
2. There are no incremental updates to log4j 2.17.1 in this version. This version contains fixes related to other escalations but this also contain log4j 2.17.1 upgrade carried from previous versions because this EEB contains all fixes from version 1 to version 3 including fixes in version 4. Also no need to uninstall existing version of this EEB also.
3. Please run cleanAmginuousClients83() multiple times if you see any existing duplicate clients after single run.
   Please follow these related steps in this Tech article https://www.veritas.com/support/en_US/article.100052133
4. Please ignore message of uninstallation of previous version of this EEB. This EEB contains all fixes till date.
5. All OpsCenter services can remain running. 

VTS22-009 Advisory Link
https://www.veritas.com/content/support/en_US/security/VTS22-009

Installation Instructions/Steps:

CVE-2021-44228 FIX, Upgrade Log4j to 2.17.1

Steps to update GUI+Server and ViewBuilder Component :

Windows Steps for GUI + Server component

This new version of the EEB can be installed directly without performing an Uninstall of the previous versions of the EEB.

NOTE : If the previous version of the EEB, i.e. 4058556 v2 or v3 is already installed, then there is no need to perform upgrade steps related to log4j 2.17.1 if upgrade steps has been already done.
             
NOTE : If version 1 eeb of 4058556 i.e. OpsCenter_windows_AMD64_8302EEB_ET4058556_1.zip is already installed, then please refer 2.16.0 version of log4j instead of 2.13.3 version of log4j in below steps wherever 2.13.3 has mentioned for replacement or removal. Version 1 eeb has already removed 2.13.3 version and installed 2.16.0 version of log4j. So upgrade from version 1 of eeb to version 2 of eeb is upgrade of 2.16.0 version to 2.17.1 version of log4j.

Steps for GUI + Server component
NOTE : For customers who have deployed EEBs for this version of OpsCenter in the past for resolving inconsistencies with Client names in OpsCenter reports, please additionally refer Step-12. Others who have never installed such EEBs in the past can ignore step-12.

1. Take OpsCenter database backup, and additionally take backup of files 

[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin\OpsCenterServerService.xml
[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin\setEnv.bat
[OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui\bin\setEnv.bat

2. Install Server component of EEB (-server option of OpsCenterEEBInstaller.bat) 

3. Stop OpsCenter Services

4.  Note that the following are the log4j 2.17.1 file names which have CVE-2021-44228 fixed,  these are present in [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

5. Note that the following are the log4j 2.13.3 file names which have the vulnerability CVE-2021-44228 these are present in [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

6. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin and open OpsCenterServerService.xml and
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\bin and open setEnv.bat and search for "2.13.3" and replace with "2.17.1". You should see 4 such entries. This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

8. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui\bin and open setEnv.bat and search for "2.13.3" and replace with "2.17.1". You should see 4 such entries. This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

9. Delete jars having version "2.13.3" mentioned in step (5) from [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\server\lib folder

10. After installing eeb and performing these steps, if there are opscenter.war files having extended naming convention similar to 
format opscenter.war.8302EEB_ET4058556_1 under [OPSCENTER_SERVER_INSTALL_LOCATION]\OpsCenter\gui, then unzip it to any location and 
please check for log4j files having version 2.13.3 or 2.16.0 under [UNZIP_LOCATION]\opscenter.war\WEB-INF\lib. If these versions are present, 
then delete these opscenter.war files having extended naming convention similar to format opscenter.war.8302EEB_ET4058556_1.

11. Start OpsCenter Services

12. For customers who have been previously reporting inconsistencies with Client names in OpsCenter reports, it is
strongly recommended to follow these additional steps in this Tech article.
https://www.veritas.com/support/en_US/article.100052133

Windows OpsCenter ViewBuilder Component

1. Take backup of files 

[OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin\OpsCenterViewBuilder.xml
[OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin\setEnv.bat

2. Install ViewBuilder component of EEB (-jvb option of OpsCenterEEBInstaller.bat) and
close ViewBuilder if it is open.

3.  Note that the following are the log4j 2.17.1 file names which have CVE-2021-44228 fixed, 
these are present in [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

4. Note that the following are the log4j 2.13.3 file names which have the vulnerability CVE-2021-44228
these are present in [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

5. Go to folder [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin and open OpsCenterViewBuilder.xml and
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

6. Go to folder [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\bin and open setEnv.bat and 
search for "2.13.3" and replace with "2.17.1". You should see 4 such entries.

This step will ensure that classpath refers to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Delete jars having version "2.13.3" mentioned in step (4) from [OPSCENTER_VIEWBUILDER_INSTALL_LOCATION]\OpsCenter\viewbuilder\lib folder

8. Launch ViewBuilder

Linux Steps for GUI + Server component

This new version of the EEB can be installed directly without performing an Uninstall of the previous versions of the EEB.

NOTE : If the previous version of the EEB, i.e. 4058556 v2 or v3 is already installed, then there is no need to perform upgrade steps related to log4j 2.17.1 if upgrade steps has been already done.

NOTE : If version 1 eeb of 4058556 i.e. OpsCenter_LinuxR_x86_x86_64_8302EEB_ET4058556_1.tar.gz is already installed, then please refer 2.16.0 version of log4j instead of 2.13.3 version of log4j in below steps wherever 2.13.3 has mentioned for replacement or removal. Version 1 eeb has already removed 2.13.3 version and installed 2.16.0 version of log4j. So upgrade from version 1 of eeb to version 2 of eeb is upgrade of 2.16.0 version to 2.17.1 version of log4j.

Steps for GUI + Server component

NOTE : For customers who have deployed EEBs for this version of OpsCenter in the past for resolving inconsistencies with Client names in OpsCenter reports, please additionally refer Step-11. Others who have never installed such EEBs in the past can ignore step-11.

1. Take OpsCenter database backup, and additionally take backup of following files 

[OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/bin/setEnv.sh 
[OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI/bin/setEnv.sh 

2. Install Server component of EEB (-server option of OpsCenterEEBInstaller.sh)

3. Stop OpsCenter Services

4. Note that the following are the log4j 2.17.1 file names which have CVE-2021-44228 fixed,  these are present in [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-jcl-2.17.1.jar
log4j-web-2.17.1.jar

5. Note that the following are the log4j file names which have the vulnerability CVE-2021-44228 these are present in [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-jcl-2.13.3.jar
log4j-web-2.13.3.jar

6. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/bin and open setEnv.sh and search for "2.13.3" and replace with "2.17.1". You should see 4 such entries. This step will ensure that OpsCenter is able to point to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar and similarly for all other log4j jars.

7. Go to folder [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI/bin/ and open setEnv.sh and search for "2.13.3" and replace with "2.17.1". You should see 4 such entries. This step will ensure that OpsCenter is able to point to log4j-api-2.17.1.jar instead of log4j-api-2.13.3.jar 
and similarly for all other log4j jars.

8. Delete the jar files having version "2.13.3" mentioned in step (5) from [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterServer/lib folder

9. After installing eeb and performing these steps, if there are opscenter.war files having extended naming convention similar to 
format opscenter.war.8302EEB_ET4058556_1 under [OPSCENTER_SERVER_INSTALL_LOCATION]/SYMCOpsCenterGUI, then unzip it to any location and 
please check for log4j files having version 2.13.3 or 2.16.0 under [UNZIP_LOCATION]/opscenter.war/WEB-INF/lib. If these versions are present, 
then delete these opscenter.war files having extended naming convention similar to format opscenter.war.8302EEB_ET4058556_1.

10. Start OpsCenter Services

11. For customers who have been previously reporting inconsistencies with Client names in OpsCenter reports, it is strongly recommended to follow these additional steps in this Tech article.
https://www.veritas.com/support/en_US/article.100052133

Using OpsCenter Emergency Engineering Binary (EEB) installer on Windows
1) Download the appropriate EEB package into into the C:\tmp directory.                        
2) Extract the EEB package.
3) As admin user on the Opscenter server/agent, install the EEB as follows.
    OpsCenterEEBInstaller.bat [-server | -agent | -jvb ] base-directory
   
     OpsCenterEEBInstaller.bat -server base_directory_of_server_installation_in_quotes
       e.g.  OpsCenterEEBInstaller.bat -server "C:\Program Files\Symantec"
   
     OpsCenterEEBInstaller.bat -agent base_directory_of_agent_installation_in_quotes
      e.g.   OpsCenterEEBInstaller.bat -agent "C:\Program Files\Symantec"
       
     OpsCenterEEBInstaller.bat -jvb base_directory_of_viewbuilder_installation_in_quotes
      e.g. OpsCenterEEBInstaller.bat -jvb "C:\Program Files\Symantec" 

Using OpsCenter Emergency Engineering Binary (EEB) installer on Linux

1) Download the appropriate EEB package into into the cd /tmp/OpsCenterEEBInstaller/unix                        
2) Extract the EEB package.
3) As root on the Opscenter server/agent, install the EEB package binaries as follows.
   cd /tmp/OpsCenterEEBInstaller/unix
   /bin/sh ./OpsCenterEEBInstaller.sh [-server | -agent] base-directory
   
   /bin/sh ./OpsCenterEEBInstaller.sh -server base_directory_of_server_installation
    e.g.  /bin/sh ./OpsCenterEEBInstaller.sh -server /opt
    
   /bin/sh ./OpsCenterEEBInstaller.sh -agent base_directory_of_agent_installation
    e.g.  /bin/sh ./OpsCenterEEBInstaller.sh -agent /opt

To Uninstall EEB on Windows:

1) As admin user on the Opscenter server/agent, uninstall the 
   EEB as follows.
       cd to the folder where the EEB package was extracted. 
         OpsCenterEEBInstaller.bat [-rollbackserver | -rollbackagent | -rollbackviewbuilder] base-directory
      
          OpsCenterEEBInstaller.bat  -rollbackserver base_directory_of_server_installation_in_quotes
      e.g. OpsCenterEEBInstaller.bat -rollbackserver "C:\Program Files\Symantec"
      
            OpsCenterEEBInstaller.bat -rollbackagent base_directory_of_agent_installation_in_quotes
    e.g. OpsCenterEEBInstaller.bat -rollbackagent "C:\Program Files\Symantec"
       
       OpsCenterEEBInstaller.bat -rollbackviewbuilder base_directory_of_agent_installation_in_quotes
   e.g. OpsCenterEEBInstaller.bat -rollbackviewbuilder "C:\Program Files\Symantec"

[Note : An EEB pack can only rollback itself]

To Uninstall EEB on Linux:
1) As a root user on the Opscenter server/agent, uninstall the 
   EEB package binaries as follows.

   cd /tmp/OpsCenterEEBInstaller/unix
   /bin/sh ./OpsCenterEEBInstaller.sh [-rollbackserver | -rollbackagent] base_directory
   
              /bin/sh ./OpsCenterEEBInstaller.sh -rollbackserver base_directory_of_server_installation
      e.g. /bin/sh ./OpsCenterEEBInstaller.sh -rollbackserver /opt
   
               /bin/sh ./OpsCenterEEBInstaller.sh  -rollbackagent base_directory_of_agent_installation
        e.g.  /bin/sh ./OpsCenterEEBInstaller.sh -rollbackagent /opt

[Note : An EEB pack can only rollback itself]  

Downloads:

NB_8.3.0.2_ET4058556_4.zip
NB_8_3_0_2_ET4058556_4_README.pdf

Checksums for all files (cksum):
File                                                                                                                      Checksum       Byte count
all/OpsCenter_LinuxR_x86_x86_64_8302EEB_ET4058556_4.tar.gz      1237671292    112996850
all/OpsCenter_LinuxS_x86_x86_64_8302EEB_ET4058556_4.tar.gz      107639356       112996856
all/OpsCenter_windows_AMD64_8302EEB_ET4058556_4.zip               1529871652    123223056