Is there any solution for fixing this critical issue?
Only versions 10.20, 10.30 and 10.40 need some files installed, and you need to open a case to request the file; versions 10.50, 10.60, 10.70, 10.80, 10.90, 10.91 and 11.00 only need one variable added.
Micro Focus has created this site with status updates:
Also you can visit the Product Support portal for a list…
Kindly note that we are not aware of any current indications of compromise related to Log4j compromise or related vulnerabilities.
We have a robust, dedicated, full-time threat intelligence team with a…
We have an old version of Data Protector which we are moving away from. Can you please tell me if this version has the vulnerability?
HPE Data Protector A.09.09: OMNICC, internal build 114, built on Tuesday, March 28, 2017, 6:02 PM
Support tells me that I do not need a fix since I am running 10.91
But I see two occurrences of log4j.jar in the telemetry folder:
There is also one occurrence, which is reported by the vulnerability checker at:
And last but not least, a huge number of occurrences under tmp/AppServer/vfs:
I ran some tests today (as I also have a fair few DP9 customers) and as far as I can tell, you *are* impacted by this vulnerability as with GUI / User Interface / Cell Console agent on DP9.09 and higher, as there is a log4j-core-2.6.2.jar file located in \OmniBack\bin\telemetry or /opt/omni/bin/telemetry.
Your best bet right now is to UNINSTALL the GUI / User Interface / Cell Console agent on all possible clients, that minimises your footprint. And plan your DP10 upgrade asap. I'm running further tests at the moment to see if the fix for 10.20 can be used in DP9.09 or not.
Thanks very much Jenni.
Our DP expert is on vacation.
We are moving off DP to another backup solution.
We have about a dozen servers left to do.
I believe our NESSUS scan only shows the vulnerability on 4 servers.
I do not know how to even determine which components are installed on the servers that show up on the NESSUS report.
Is this something that support would be able to assist with when I am on a call with them? We do have a current support contract.
I will wait to hear from you as to whether the mitigation for the 10.x versions will work on our old installation.
I ran a compare between the DP9.09 log4j-core-2.6.2.jar file and the DP10.20 hotfix log4j-core-2.6.2.jar file, and the ONLY difference is the JndiLookup.class is missing from the hotfix, which matches the fix described in https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.
So buyer beware etc etc, but I am advising my DP9.09 customers to use the DP10.20 hotfix instructions & file to resolve this on DP9.09 environments.
Screenshot enclosed with the comparison.
Also, if you want to remove the issue (uninstall the User Interface) this is how you do that:
Log onto client
Go to control panel -> programs -> Select MF Data Protector -> Change/Modify
Go through the windows until you get to the agents
- Deselect User Interface
- Deselect Documentation
Go through the windows until you get to Finish
Wait until completed
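Added example (not from any poster in this thread or from Micro Focus): a Python sketch of the jar comparison described above, plus a scan that reports whether each log4j-core jar under a directory still contains JndiLookup.class. The function names and the sample jars, which hold placeholder bytes rather than real classes, are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Class removed by the Log4j mitigation for CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_entries(path):
    """Map entry name -> CRC32 for every file in a jar (zip) archive."""
    with zipfile.ZipFile(path) as jar:
        return {i.filename: i.CRC for i in jar.infolist() if not i.is_dir()}

def compare_jars(original, patched):
    """Return (only_in_original, only_in_patched, changed) entry-name lists."""
    a, b = jar_entries(original), jar_entries(patched)
    changed = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), changed

def scan(root):
    """Yield (path, status) for each log4j-core*.jar found under root."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j-core") and name.lower().endswith(".jar"):
                path = os.path.join(folder, name)
                try:
                    present = JNDI_CLASS in jar_entries(path)
                except (zipfile.BadZipFile, OSError):
                    yield path, "unreadable"  # corrupt or locked file: check by hand
                    continue
                yield path, "JndiLookup present" if present else "JndiLookup removed"

def build_sample_jar(path, with_jndi):
    """Write a constructed stand-in jar (placeholder bytes, not real classes)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"constructed")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"constructed")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old = os.path.join(tmp, "telemetry", "log4j-core-2.6.2.jar")
        new = os.path.join(tmp, "hotfix", "log4j-core-2.6.2.jar")
        for jar_path, flag in ((old, True), (new, False)):
            os.makedirs(os.path.dirname(jar_path))
            build_sample_jar(jar_path, flag)
        print(compare_jars(old, new))
        for found in scan(tmp):
            print(*found)
```

To check a real client, call `scan()` on the Data Protector installation directory; jars nested inside other archives are not opened by this sketch.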