Data Protector log4j vulnerability

Is there any solution for fixing this critical issue ?

  • We have an old version of Data Protector which we are moving away from.  Can you please tell me if this version has the vulnerability? 

    C:\Windows\system32>omnicc -version
    HPE Data Protector A.09.09: OMNICC, internal build 114, built on Tuesday, March
    28, 2017, 6:02 PM

  • Support tells me that I do not need a fix since I am running 10.91 :)

    But I see two occurrences of log4j.jar in the telemetry folder:

    C:\Program Files\OmniBack\bin\telemetry\log4j-api-2.11.2.jar
    C:\Program Files\OmniBack\bin\telemetry\log4j-core-2.11.2.jar

    There is also one occurrence, which is reported by the vulnerability checker at:

    C:\Program Files\OmniBack\AppServer\modules\system\layers\base\org\jboss\log4j\logmanager\main\log4j-jboss-logmanager-1.2.0.Final.jar

    And last but not least, a huge number of occurrences under tmp/AppServer/vfs:

    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-c59c9d8dffafd2f8

    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-83c645e5284f3aac
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-de5a23e33f0b44f7
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-593e545f19dc49a
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-eda4a285faaa9b2a

  • Hi Terri,

    I ran some tests today (as I also have a fair few DP9 customers) and as far as I can tell, you *are* impacted by this vulnerability as with GUI / User Interface / Cell Console agent on DP9.09 and higher, as there is a log4j-core-2.6.2.jar file located in \OmniBack\bin\telemetry or /opt/omni/bin/telemetry.

    Your best bet right now is to UNINSTALL the GUI / User Interface / Cell Console agent on all possible clients, that minimises your footprint. And plan your DP10 upgrade asap. I'm running further tests at the moment to see if the fix for 10.20 can be used in DP9.09 or not.

  • Thanks very much Jenni.

    Our DP expert is on vacation.

    We are moving off DP to another backup solution.

    We have about a dozen servers left to do.

    I believe our NESSUS scan only shows the vulnerability on 4 servers.

    I do not know how to even determine which components are installed on the servers that show up on the NESSUS report.

    Is this something that support would be able to assist with when I am on a call with them?  We do have a current support contract.

    I will wait to hear from you as to whether the mitigation for the 10.x versions will work on our old installation.

    Thanks again

    Terri

  • Hi Terri,

    I ran a compare between the DP9.09 log4j-core-2.6.2.jar file and the DP10.20 hotfix log4j-core-2.6.2.jar file, and the ONLY difference is the JndiLookup.class is missing from the hotfix, which matches the fix described in https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.

    So buyer beware etc etc, but I am advising my DP9.09 customers to use the DP10.20 hotfix instructions & file to resolve this on DP9.09 environments.

    Screenshot enclosed with the comparison.
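The two posts above (the jar listing under OmniBack and the comparison showing that the hotfix jar only lacks JndiLookup.class) amount to a check a defender can script: find every log4j jar under the install tree, read its version, and test whether the JndiLookup class is still inside it. The script below is an added example and is not code from the thread, from Micro Focus or from Data Protector; the directory tree and jar contents it builds are constructed to mirror the paths quoted in the thread (including a JBoss vfs copy with a hash suffix), and the version threshold it uses (the class is present but JNDI is disabled by default from log4j 2.16.0 upward) comes from the Apache advisory linked above. Point `scan_for_log4j` at a real OmniBack or ProgramData directory to run it against an actual install.

```python
"""Added example (not from the forum thread): walk a directory tree, find log4j
jars, and report whether each log4j-core jar still contains JndiLookup.class,
the class the DP10.20 hotfix removes. All paths and jar contents are constructed."""
import os
import re
import tempfile
import zipfile

# Entry the Apache advisory for CVE-2021-44228 says to delete from log4j-core.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Filenames of the shapes seen in the thread: log4j-core-2.6.2.jar, log4j-api-2.11.2.jar,
# log4j-jboss-logmanager-1.2.0.Final.jar, and JBoss vfs copies carrying a hash suffix
# such as slf4j-log4j12-1.6.1.jar-c59c9d8dffafd2f8.
JAR_NAME = re.compile(
    r"^(?P<artifact>[\w.-]*?log4j[\w.-]*?)-(?P<version>\d[\w.]*?)\.jar(?:-[0-9a-f]+)?$",
    re.IGNORECASE,
)


def version_tuple(version):
    """'2.6.2' -> (2, 6, 2); '1.2.0.Final' -> (1, 2, 0)."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def inspect_jar(path):
    """Return (jndi_lookup_present, manifest_version); (None, None) if the jar is unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            manifest_version = None
            if "META-INF/MANIFEST.MF" in names:
                text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("Implementation-Version:"):
                        manifest_version = line.split(":", 1)[1].strip()
            return JNDI_LOOKUP_ENTRY in names, manifest_version
    except (zipfile.BadZipFile, OSError):
        return None, None


def classify(artifact, version, jndi_present):
    """Apply the thread's own test: is the JNDI lookup class still inside a log4j-core jar?"""
    if jndi_present is None:
        return "unreadable"
    if not artifact.lower().endswith("log4j-core"):
        return "other"        # api jar, slf4j binding, jboss logmanager: not the affected artifact
    if not jndi_present:
        return "mitigated"    # class removed, as in the DP10.20 hotfix jar
    if version_tuple(version) < (2, 16, 0):
        return "vulnerable"
    return "review"           # 2.16+ still ships the class but disables JNDI by default


def scan_for_log4j(root):
    """Walk root and return one finding per jar whose name contains 'log4j'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            jndi_present, manifest_version = inspect_jar(path)
            version = manifest_version or m.group("version")  # manifest beats the filename
            findings.append({
                "path": path,
                "artifact": m.group("artifact"),
                "version": version,
                "jndi_lookup_present": jndi_present,
                "status": classify(m.group("artifact"), version, jndi_present),
            })
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, version, with_jndi_lookup):
    """Build a minimal constructed jar: a zip with a manifest and a couple of fake class entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def run_demo():
    """Create a constructed tree modelled on the thread's paths, scan it, and return
    the findings keyed by path relative to the tree (forward slashes)."""
    root = tempfile.mkdtemp(prefix="omniback-demo-")
    _write_jar(os.path.join(root, "bin", "telemetry", "log4j-core-2.6.2.jar"), "2.6.2", True)
    _write_jar(os.path.join(root, "bin", "telemetry", "log4j-api-2.11.2.jar"), "2.11.2", False)
    _write_jar(os.path.join(root, "hotfix", "log4j-core-2.6.2.jar"), "2.6.2", False)
    _write_jar(os.path.join(root, "tmp", "AppServer", "vfs",
                            "slf4j-log4j12-1.6.1.jar-c59c9d8dffafd2f8"), "1.6.1", False)
    _write_jar(os.path.join(root, "bin", "commons-io-2.6.jar"), "2.6", False)  # not log4j: skipped
    return {os.path.relpath(f["path"], root).replace(os.sep, "/"): f
            for f in scan_for_log4j(root)}


if __name__ == "__main__":
    for rel, f in run_demo().items():
        print("%-11s %-9s %s" % (f["status"], f["version"], rel))
```

The "other" bucket is deliberate: a scanner that keys on the string "log4j" in a filename will flag log4j-api, the slf4j-log4j12 binding and the JBoss logmanager bridge just as the thread's vulnerability checker did, but CVE-2021-44228 lives in log4j-core, so those hits need to be reviewed against the Apache advisory rather than treated as the same finding.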

  • Thanks Jenni

    I only show these 2 DP services running on the SQL server cluster where we see this vulnerability - does that mean I only need to follow direction for the telemetry portion of the fix and not the Report Server section?

    Terri

  • Yes, Reporting server is a DP10 feature, it didn't exist in DP9.

  • Also, if you want to remove the issue (uninstall the User Interface) this is how you do that:

    Log onto client

    Go to control panel -> programs -> Select MF Data Protector -> Change/Modify

    Go through the windows until you get to the agents

    - Deselect User Interface

    - Deselect Documentation

    Go through the windows until you get to Finish

    Wait until completed

  • Again, please pardon my ignorance of the product and thank you for your patience with that...

    Will doing this just remove the user interface portion on the servers on which I do this but still allow the backup to keep running as it is now?

    Thanks Jenni