Following

I too am interested in this.

Hi Boris,

Micro Focus has created this site with status updates:

https://www.microfocus.com/en-us/about/product-security-response-center/log4j

Also you can visit the Product Support portal for a list of the security bulletins to the Log4j.

https://portal.microfocus.com/s/customportalsearch?language=en_US&searchtext=CVE-2021-44228

Here appears what to do with DP:

CVE-2021-44228 vulnerability for Micro Focus Data Protector

https://portal.microfocus.com/s/article/KM000003052?language=en_US

Hope this can help but  review regularly these sites for next updates.

Rgds

/TR

Kindly note that we are not aware of any current indications of compromise related to Log4j compromise or related vulnerabilities.

We have a robust, dedicated, full-time threat intelligence team with a Microfocus-wide view that is constantly reviewing new reports of vulnerabilities, threats, and compromises for possible impact on our information assets.

1. Are you aware of Log4J or Logshell/LogJam ( CVE-2021-44228 )?

Yes, and at this point Micro Focus’ review has found no indications of a vulnerability being exploited. We continue to monitor closely.

2. What is Micro Focus doing?

The appropriate security teams are fully engaged and have been since we were first alerted on Friday.

We are following Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Security Centre (NCSC) guidance on this issue.

In addition, Micro Focus has implemented a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest and 3rd Party Component Monitoring. Using these formal processes, we are working through this subject.

At the Micro Focus network enterprise-level, our internal security tooling has been updated and we will continue to monitor our operations for issues.

Good Morning Community

Here is the oficial customer advisory.

https://portal.microfocus.com/s/article/KM000003052?language=en_US

Best Regards

hi,

only version 10.20, 10,30 10,40 need intall some files, need to open case to request the file,and versions  10.50, 10.60, 10.70, 10.80, 10.90, 10.91 and 11.00 is only add one varible.

Windows:

1. Stop the reporting server if running, using the following command

sc.exe stop rs_rest-as

2. Stop the telemetry service if running, using the following command.

sc.exe stop "Data Protector Telemetry Client Service"

3. Add environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS using the following command.

setx /m LOG4J_FORMAT_MSG_NO_LOOKUPS true

4. Start the telemetry service if stopped in step 2 using the following command

sc.exe start "Data Protector Telemetry Client Service"

5. Start the reporting server if stopped in step1 using the following command.

sc.exe start rs_rest-as

Linux:

1. Stop the reporting server if running, using the following command

/etc/init.d/rs_rest-as stop

2. Stop the telemetry service if running, using the following command.

/opt/omni/bin/telemetry/dataprotector-telemetry-client-service.sh stop

3. Add environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS using the following procedure.
4. Create a file /etc/profile.d/dp.sh with the content “export LOG4J_FORMAT_MSG_NO_LOOKUPS=true”
5. Run “export LOG4J_FORMAT_MSG_NO_LOOKUPS=true”
6. Start the telemetry service if stopped in step 2 using the following command

/opt/omni/bin/telemetry/dataprotector-telemetry-client-service.sh start

5. Start the reporting server if stopped in step1 using the following command.

/etc/init.d/rs_rest-as start

Hi ,

microfocus created new fix for version from 10,20 to 11, open a call to request de binary.

regards

We have an old version of Data Protector which we are moving away from.  Can you please tell me if this version has the vulnerability? 

C:\Windows\system32>omnicc -version
HPE Data Protector A.09.09: OMNICC, internal build 114, built on Tuesday, March
28, 2017, 6:02 PM

Support tells me that I do not need a fix since I am running 10.91

But I see two occurances of log4j.jar in telemetry foleder:

C:\Program Files\OmniBack\bin\telemetry\log4j-api-2.11.2.jar
C:\Program Files\OmniBack\bin\telemetry\log4j-core-2.11.2.jar

There is also one occurance, which is reported by vulnerability checker at:

C:\Program Files\OmniBack\AppServer\modules\system\layers\base\org\jboss\log4j\logmanager\main\log4j-jboss-logmanager-1.2.0.Final.jar

And last but not the least, a huge number of occurances under tmp/AppServer/vfs:

E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-c59c9d8dffafd2f8

E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-83c645e5284f3aac
E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-de5a23e33f0b44f7
E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-593e545f19dc49a
E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-eda4a285faaa9b2a

They updated the KB https://portal.microfocus.com/s/article/KM000003052?language=en_US last night - you now need a fix regardless of the DP10/11 version:

Contact DP support to get the HotFix (DP1XXX_b000_OCTCR19Q1469146_HF1) mentioning the version of Data protector used in your environment and replace the following files from the files of the HotFix. 

 <DP_INSTALLATION_PATH>\bin\components\reporting.war 

  For Micro Focus Data Protector versions 10.20, 10.30, 10.40, 10.50 and 10.60 

----------------------------------------------------------------------------------------------- 

<DP_INSTALLATION_PATH>\bin\telemetry\log4j-core-2.6.2.jar 

For Micro Focus Data Protector versions 10.70, 10.80, 10.90, 10.91 and 11.00 

----------------------------------------------------------------------------------------------- 

<DP_INSTALLATION_PATH>\bin\telemetry\ log4j-core-2.11.2.jar