CVE-2021-44228 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0

Translation Notice

Please note that this content includes text that has been machine-translated from English. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.

CVE-2021-44228 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0

HotFix

Update ID: UPD163508

Version: 3.4 - 4.0

Platform: Linux

Release date: 2022-01-21

Abstract

Impact of CVE-2021-44228 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0

Description

This fix has the mitigation steps for the CVE-2021-44228 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0

Problem
Impact of CVE-2021-44228 and CVE 2021-45105 Apache Log4j Vulnerability on Veritas Resiliency Platform Versions 3.4 to 4.0

The product is not impacted by CVE 2021-45105.
Mitigation steps for CVE-2021-44228

Steps for Resiliency Manager and Infrastructure Manager Server to extract the files

1. Download the zip file VRP-Log4j-patch-jar-replace.tar.gz.zip from download center and extract the tar file VRP-Log4j-patch-jar-replace.tar.gz

2. Perform the following steps to upload the tar bundle file to appliance

Open the SFTP session from clish
utilities> sftp-session start put patch
Provide the password for this temporary SFTP session
Open SFTP session using the above created user information and upload the tar bundle

3. Stop the SFTP session after uploading the tar bundle file

utilities> sftp-session stop

4. Login to the appliance using the admin user and go to the support shell using a support login. Contact veritas support if you do not have access to the support shell

5. Create a temporary directory to extract the tar bundle file. If directory already exist then move its content to different location

# mkdir /tmp/log4j_2_17_1_patch

6. Create a directory to backup. If directory already exist then move its content to different location.

# mkdir /var/opt/log4j_backup.

7. Copy the uploaded file on the directory /tmp/log4j_2_17_1_patch

# cp /var/opt/VRTSitrp/patches/VRP-Log4j-patch-jar-replace.tar.gz /tmp/log4j_2_17_1_patch

8. Move to dir /tmp/log4j_2_17_1_patch

# cd /tmp/log4j_2_17_1_patch

9. Extract the tar bundle file

# tar -xvf VRP-Log4j-patch-jar-replace.tar.gz

Steps to apply fix for Resiliency Manager
1. Stop the RM services

# /opt/VRTSitrp/bin/itrpadm service --stop all

# /opt/VRTSitrp/bin/itrpadm service --status all

2. The tar bundle file has jar files and a perl script. Run the perl script to apply the fix

# cd /tmp/log4j_2_17_1_patch/

# ./patch_log4j_jars.pl /tmp/log4j_2_17_1_patch/ /var/opt/log4j_backup

3. Start the RM service

# /opt/VRTSitrp/bin/itrpadm service --start all

# /opt/VRTSitrp/bin/itrpadm service --status all

Steps to apply fix for Infrastructure Manager Server
1. Stop the IMS services

# /opt/VRTSsfmcs/bin/vomsc --stop ALL

# /opt/VRTSsfmcs/bin/vomsc --status ALL

2. The tar bundle file has jar files and a perl script. Run the perl script to apply the fix

# cd /tmp/log4j_2_17_1_patch/

# ./patch_log4j_jars.pl /tmp/log4j_2_17_1_patch/ /var/opt/log4j_backup

3. Start the IMS service

# /opt/VRTSsfmcs/bin/vomsc --start ALL

# /opt/VRTSsfmcs/bin/vomsc --status ALL

If user faces any issue while deploying this fix or if appliance services are not coming up post installation of the fix then contact Veritas support.

Applies to the following product releases

Resiliency Platform 3.4

Release date: 2019-09-02

End of support life: 2022-07-29

Resiliency Platform 3.5.0.0

Release date: 2020-07-29

End of support life: 2023-07-29

Resiliency Platform 3.6.0.0

Release date: 2021-01-01

End of support life: 2024-01-01

Resiliency Platform 4.0.0.0

Release date: 2021-06-07

End of support life: 2024-06-07

Update files

	File name	Description	Version	Platform	Size

Choose an account to download the files you selected.