Description
This vulnerability only impacts NetBackup Appliance MSDP 3.1.2 and 3.2.
About CVE-2021-44228, CVE-2021-45046 Apache Log4j Vulnerabilities
Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) and a denial of service vulnerability (CVE-2021-45046) affecting Log4j versions 2.0-beta9 to 2.15. A remote attacker could exploit these vulnerabilities to take control of an affected system.
More information is available in the Apache announcement, which recommends upgrading to the latest Log4j 2.16.0 or applying the recommended mitigations immediately.
Issue
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Severity: Critical
Base CVSS Score: 10.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2021-45046: Apache Log4j2 JNDI features do not protect against malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack.
Severity: Low
Base CVSS Score: 3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
For appliance 3.1.2 and 3.2, to mitigate the Log4j vulnerability for MSDP, please follow the steps below:
1. Log in to the appliance CLISH and get to an elevated shell:
Main_Menu> Support
Entering NetBackup support view...
.Support> Maintenance
<!-- Maintenance Mode --!>
maintenance's password:
maintenance-!> /opt/Symantec/sdcssagent/IPS/sisipsoverride.sh;elevate
2. Make a backup copy of the file /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar by running:
# cp /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar.orig.log4j2
Remove the JndiLookup class by running:
# zip -q -d /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Verify the class is not present by running:
# unzip -l /usr/openv/pdde/pdes/lib/log4j-core-2.9.1.jar | grep JndiLookup
There should be no output containing JndiLookup.
4. Verify whether the service is running:
# bpps -a | grep pdde-es
# systemctl status pdde-es
If the service is NOT running, skip Step 5.
5. Restart the pdde-es service by running:
# systemctl restart pdde-es.service
Note: Existing Instant Access VMs are not affected by these steps. Instant Access functions will continue to work after the steps.
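The back-up, strip and verify sequence of steps 2 and 3 above, as an added example that is not part of the Veritas advisory: a Python script that uses the standard zipfile module in place of the zip -d and unzip -l commands, run against a constructed jar with placeholder entries rather than the real log4j-core-2.9.1.jar. The entry name and the .orig.log4j2 backup suffix are taken from the advisory; the sample jar contents, the scratch directory and the find_affected_jars directory scan (which goes beyond the single-jar step to confirm no other jar under a given root still carries the class) are assumptions made here.

```python
import os
import shutil
import tempfile
import zipfile

# Entry the advisory removes with zip -q -d.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Same backup suffix as the advisory's cp step.
BACKUP_SUFFIX = ".orig.log4j2"


def build_sample_jar(path):
    """Constructed stand-in for log4j-core-2.9.1.jar (hypothetical contents).

    Entries hold placeholder bytes, not real bytecode; only the names matter.
    """
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"placeholder")
    return path


def jar_entries(path):
    """Entry names in the archive, like the file column of unzip -l."""
    with zipfile.ZipFile(path) as jar:
        return jar.namelist()


def jar_contains_jndi_lookup(path):
    """Step 3 check: unzip -l jar | grep JndiLookup should print nothing."""
    return any("JndiLookup" in name for name in jar_entries(path))


def find_affected_jars(root):
    """List every .jar under root that still carries JndiLookup (assumed extra check)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if jar_contains_jndi_lookup(full):
                    hits.append(full)
            except zipfile.BadZipFile:
                continue  # not a valid archive; skip rather than abort the scan
    return sorted(hits)


def strip_jndi_lookup(path):
    """Step 2: back up the jar, then rewrite it without JndiLookup.class.

    zipfile cannot delete in place, so entries are copied into a temporary
    archive that then atomically replaces the original. Returns the backup path.
    """
    backup = path + BACKUP_SUFFIX
    if not os.path.exists(backup):
        shutil.copy2(path, backup)
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, path)
    return backup


def mitigate(path):
    """Back up, strip and verify one jar; 'clean' mirrors the empty grep output."""
    backup = strip_jndi_lookup(path)
    return {"backup": backup, "clean": not jar_contains_jndi_lookup(path)}


def run_demo():
    """Exercise the whole sequence on a constructed jar in a scratch directory."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    jar = build_sample_jar(os.path.join(root, "log4j-core-2.9.1.jar"))
    result = {"affected_before": find_affected_jars(root)}
    outcome = mitigate(jar)
    result.update(
        clean=outcome["clean"],
        backup_keeps_class=jar_contains_jndi_lookup(outcome["backup"]),
        other_entries_kept="org/apache/logging/log4j/core/Logger.class" in jar_entries(jar),
        affected_after=find_affected_jars(root),
    )
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file prints the before/after state: the scan finds the constructed jar before the fix and nothing after, the rewritten jar keeps its other entries, and the .orig.log4j2 copy still contains the class so the original can be restored if needed.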
For appliances upgraded from 3.1.2 or 3.2, Log4j is no longer used by MSDP. Please follow the steps below in case the Log4j files were not completely removed during the upgrade:
1. Get an elevated shell as described above.
2. Run the command "rm -rf /usr/openv/pdde/pdes"
For NetBackup BYO Server (Red Hat only) 8.1.2 and 8.2, Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and doesn't run. You can copy it to a safe place in case it is needed and remove the package from the server by running:
# rm -f /usr/openv/pdde/pdes/pdes.tar.gz
For NetBackup BYO MSDP Server 8.3 and later, pdes.tar.gz is removed from the rpm.
For NetBackup Cloud Catalyst Media Servers, Log4j is packaged in /usr/openv/pdde/pdes/pdes.tar.gz. It is not extracted and doesn't run. You can copy it to a safe place in case it is needed and remove the package from the server by running:
# rm -f /usr/openv/pdde/pdes/pdes.tar.gz
NOTES:
If a 3.1.2 or 3.2 customer removes pdes.tar.gz, a later upgrade will record a warning in the pdde installation trace file, /tmp/install_VRTSpddes.rpm_trace.<pid>:
warning: file /usr/openv/pdde/pdes/pdes.tar.gz: remove failed: No such file or directory
This warning does not affect the upgrade.
Questions
For any other questions regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.