Data Protector log4j vulnerability

Is there any solution for fixing this critical issue?

  • Hi Boris,

    Micro Focus has created this site with status updates:

    https://www.microfocus.com/en-us/about/product-security-response-center/log4j

    You can also visit the Product Support portal for a list of the security bulletins for Log4j.

    https://portal.microfocus.com/s/customportalsearch?language=en_US&searchtext=CVE-2021-44228

    Here is what to do with DP:

    CVE-2021-44228 vulnerability for Micro Focus Data Protector

    https://portal.microfocus.com/s/article/KM000003052?language=en_US

    Hope this helps, but review these sites regularly for further updates.

    Rgds

    /TR

  • Kindly note that we are not aware of any current indications of compromise related to Log4j compromise or related vulnerabilities.

    We have a robust, dedicated, full-time threat intelligence team with a Microfocus-wide view that is constantly reviewing new reports of vulnerabilities, threats, and compromises for possible impact on our information assets.

    1. Are you aware of Log4J or Logshell/LogJam (CVE-2021-44228)?

    Yes, and at this point Micro Focus’ review has found no indications of a vulnerability being exploited. We continue to monitor closely.

    2. What is Micro Focus doing?

    The appropriate security teams are fully engaged and have been since we were first alerted on Friday.

    We are following Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Security Centre (NCSC) guidance on this issue.

    In addition, Micro Focus has implemented a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest and 3rd Party Component Monitoring. Using these formal processes, we are working through this subject.

    At the Micro Focus network enterprise-level, our internal security tooling has been updated and we will continue to monitor our operations for issues.

  • Suggested Answer

    Good Morning Community

    Here is the official customer advisory.

    https://portal.microfocus.com/s/article/KM000003052?language=en_US

    Best Regards

  • hi,

    Only versions 10.20, 10.30 and 10.40 need some files installed; you need to open a case to request the files. Versions 10.50, 10.60, 10.70, 10.80, 10.90, 10.91 and 11.00 only need one variable added.

    Windows:

    1. Stop the reporting server if running, using the following command.

    sc.exe stop rs_rest-as

    2. Stop the telemetry service if running, using the following command.

    sc.exe stop "Data Protector Telemetry Client Service"

    3. Add environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS using the following command.

    setx /m LOG4J_FORMAT_MSG_NO_LOOKUPS true

    4. Start the telemetry service if stopped in step 2, using the following command.

    sc.exe start "Data Protector Telemetry Client Service"

    5. Start the reporting server if stopped in step 1, using the following command.

    sc.exe start rs_rest-as

    Linux:

    1. Stop the reporting server if running, using the following command.

    /etc/init.d/rs_rest-as stop

    2. Stop the telemetry service if running, using the following command.

    /opt/omni/bin/telemetry/dataprotector-telemetry-client-service.sh stop

    3. Add environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS using the following procedure.
       a. Create a file /etc/profile.d/dp.sh with the content “export LOG4J_FORMAT_MSG_NO_LOOKUPS=true”
       b. Run “export LOG4J_FORMAT_MSG_NO_LOOKUPS=true”
    4. Start the telemetry service if stopped in step 2, using the following command.

    /opt/omni/bin/telemetry/dataprotector-telemetry-client-service.sh start

    5. Start the reporting server if stopped in step 1, using the following command.

    /etc/init.d/rs_rest-as start
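
To confirm that the variable from the Linux steps above actually reached the restarted services, this added example (not part of the post or of the vendor advisory) reads each Java process's environment from /proc. Matching processes by "java" in the command line and the proc_root parameter are assumptions made for the example.

```python
import os

VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"

def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE block of /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def lookups_disabled(env):
    """True only when the variable is present with the value true (any case)."""
    return env.get(VAR, "").lower() == "true"

def check_java_processes(proc_root="/proc"):
    """Map pid -> bool for each readable process with 'java' in its command line.

    Matching on 'java' is an assumption of this example; proc_root is a
    parameter so the function can be pointed at a constructed directory.
    """
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                if b"java" not in f.read():
                    continue
            with open(os.path.join(proc_root, pid, "environ"), "rb") as f:
                results[int(pid)] = lookups_disabled(parse_environ(f.read()))
        except OSError:
            continue  # process exited, or environ not readable without root
    return results

if __name__ == "__main__":
    for pid, ok in sorted(check_java_processes().items()):
        print(pid, "variable set" if ok else "variable MISSING")
```

A file in /etc/profile.d is read by login shells, so a service started at boot may not inherit the variable; a MISSING result after a reboot shows exactly that.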

  • Hi ,

    Micro Focus created a new fix for versions from 10.20 to 11; open a call to request the binary.

    regards

  • We have an old version of Data Protector which we are moving away from.  Can you please tell me if this version has the vulnerability? 

    C:\Windows\system32>omnicc -version
    HPE Data Protector A.09.09: OMNICC, internal build 114, built on Tuesday, March
    28, 2017, 6:02 PM

  • Support tells me that I do not need a fix since I am running 10.91.

    But I see two occurrences of log4j.jar in the telemetry folder:

    C:\Program Files\OmniBack\bin\telemetry\log4j-api-2.11.2.jar
    C:\Program Files\OmniBack\bin\telemetry\log4j-core-2.11.2.jar

    There is also one occurrence, which is reported by the vulnerability checker at:

    C:\Program Files\OmniBack\AppServer\modules\system\layers\base\org\jboss\log4j\logmanager\main\log4j-jboss-logmanager-1.2.0.Final.jar

    And last but not least, a huge number of occurrences under tmp/AppServer/vfs:

    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-c59c9d8dffafd2f8

    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-83c645e5284f3aac
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-de5a23e33f0b44f7
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-593e545f19dc49a
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-eda4a285faaa9b2a
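
For sorting hits like the ones listed in the post above, this added example (not from the thread or from Micro Focus) reports only archives that contain log4j-core's JndiLookup.class, the class at issue in CVE-2021-44228, and it descends into nested archives such as a jar inside a .war. Files are opened by content rather than by extension, and the archives built with make_archive are constructed sample data.

```python
import io
import os
import re
import zipfile

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0):
    """Return [(location, version)] for each log4j-core copy with JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        names = set(zf.namelist())
        if JNDI in names:
            text = zf.read(POM).decode(errors="replace") if POM in names else ""
            m = re.search(r"^version=(.+)$", text, re.M)
            hits.append((label, m.group(1).strip() if m else "unknown"))
        for name in sorted(names):
            if depth < 4 and name.lower().endswith(NESTED):
                hits += scan_archive(zf.read(name), label + "!" + name, depth + 1)
    return hits

def scan_tree(root):
    """Scan every file under root by content, so renamed temp copies are opened too."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, fn) for fn in files):
            if zipfile.is_zipfile(path):
                with open(path, "rb") as f:
                    hits += scan_archive(f.read(), path)
    return hits

def make_archive(entries):
    """Build an in-memory archive from {name: bytes}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    core = make_archive({JNDI: b"", POM: b"version=2.11.2\n"})
    war = make_archive({"WEB-INF/lib/log4j-core-2.11.2.jar": core})
    print(scan_archive(war, "example.war"))
```

An API-only jar such as log4j-api does not contain JndiLookup.class and produces no hit; the reported version comes from the jar's own pom.properties, not from its file name.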

  • They updated the KB https://portal.microfocus.com/s/article/KM000003052?language=en_US last night - you now need a fix regardless of the DP10/11 version:

    Contact DP support to get the HotFix (DP1XXX_b000_OCTCR19Q1469146_HF1), mentioning the version of Data Protector used in your environment, and replace the following files with the files from the HotFix.

    <DP_INSTALLATION_PATH>\bin\components\reporting.war

    For Micro Focus Data Protector versions 10.20, 10.30, 10.40, 10.50 and 10.60
    -----------------------------------------------------------------------------------------------
    <DP_INSTALLATION_PATH>\bin\telemetry\log4j-core-2.6.2.jar

    For Micro Focus Data Protector versions 10.70, 10.80, 10.90, 10.91 and 11.00
    -----------------------------------------------------------------------------------------------
    <DP_INSTALLATION_PATH>\bin\telemetry\log4j-core-2.11.2.jar