• State Suggested Answer
  • Replies replies
    53
  • Answers answer
    1
  • Subscribers subscribers
    20
  • Views views
    3345
  • Users 0 members are here
  • +2 person also asked this people also asked this
Related Discussions
Options

Data Protector log4j vulnerability

Boris Virc

Is there any solution for fixing this critical issue ?

Parents Reply Children
  • 0
    in reply to Eblyn Solis

    We have an old version of Data Protector which we are moving away from.  Can you please tell me if this version has the vulnerability? 

    C:\Windows\system32>omnicc -version
    HPE Data Protector A.09.09: OMNICC, internal build 114, built on Tuesday, March
    28, 2017, 6:02 PM

  • 0
    in reply to Eblyn Solis

    Support tells me that I do not need a fix since I am running 10.91 Slight smile

    But I see two occurances of log4j.jar in telemetry foleder:

    C:\Program Files\OmniBack\bin\telemetry\log4j-api-2.11.2.jar
    C:\Program Files\OmniBack\bin\telemetry\log4j-core-2.11.2.jar

    There is also one occurance, which is reported by vulnerability checker at:

    C:\Program Files\OmniBack\AppServer\modules\system\layers\base\org\jboss\log4j\logmanager\main\log4j-jboss-logmanager-1.2.0.Final.jar

    And last but not the least, a huge number of occurances under tmp/AppServer/vfs:

    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-c59c9d8dffafd2f8

    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-83c645e5284f3aac
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-de5a23e33f0b44f7
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-593e545f19dc49a
    E:\ProgramData\OmniBack\tmp\AppServer\vfs\deployment\deploymentf24466c965d350b2\slf4j-log4j12-1.6.1.jar-eda4a285faaa9b2a

  • 0
    in reply to Terri Jackman

    Hi Terri,

    I ran some tests today (as I also have a fair few DP9 customers) and as far as I can tell, you *are* impacted by this vulnerability as with GUI / User Interface / Cell Console agent on DP9.09 and higher, as there is a log4j-core-2.6.2.jar file located in \OmniBack\bin\telemetry or /opt/omni/bin/telemetry.

    Your best bet right now is to UNINSTALL the GUI / User Interface / Cell Console agent on all possible clients, that minimises your footprint. And plan your DP10 upgrade asap. I'm running further tests at the moment to see if the fix for 10.20 can be used in DP9.09 or not.

  • 0
    in reply to Jenni_S

    Thanks very much Jenni.

    Our DP expert is on vacation.

    We are moving off DP to another backup solution.

    We have about a dozen servers left to do.

     I believe our NESSUS scan only shows the vulnerability on 4 servers.

    I do not know how to even determine which components are installed on the servers that show up on the NESSUS report.

    Is this something that support would be able to assist with when I am on a call with them?  We do have a current support contract.

    I will wait to hear from you as to whether the mitigation for the 10.x versions will work on our old installation.

    Thanks again

    Terri

  • 0
    in reply to Terri Jackman

    Hi Terri,

    I ran a compare between the DP9.09 log4j-core-2.6.2.jar file and the DP10.20 hotfix  log4j-core-2.6.2.jar file, and the ONLY difference is the JndiLookup.class is missing from the hotfix, which matches the fix described in https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.

    So buyer beware etc etc, but I am advising my DP9.09 customers to use the DP10.20 hotfix instructions & file to resolve this on DP9.09 environments.

    Screenshot enclosed with the comparison.

  • 0
    in reply to Jenni_S

    Thanks Jenni

    I only show these 2 DP services running on the SQL server cluster where we see this vulnerability - does that mean I only need to follow direction for the telemetry portion of the fix and not the Report Server section?

    Terri

  • 0
    in reply to Terri Jackman

    Yes, Reporting server is a DP10 feature, it didn't exist in DP9.

  • 0
    in reply to Terri Jackman

    Also, if you want to remove the issue (uninstall the User Interface) this is how you do that:

    Log onto client

    Go to control panel -> programs -> Select MF Data Protector -> Change/Modify

    Go through the windows until you get to the agents

    - Deselect User Interface

    - Deselect Documentation

    Go through the windows until you get to Finish

    Wait until completed

  • 0
    in reply to Jenni_S

    Again, please pardon my ignorance or the product and thank you for your patience with that....

    Will doing this just remove the user interface portion on the servers on which I do this but still allow the backup to keep running as it is now?

    Thanks Jenni

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.