Log4j Vulnerability - Please Post All Questions Here

2 years ago
13 December 2021
344 replies
19614 views

Userlevel 7

+23

Mike Struening RETIRED
Vaulter
4998 replies

Summary

The following thread describes the potential exposure to the Apache Log4j vulnerability and steps to update Commvault software.

It has been confirmed that a small subset of Commvault agents are impacted.

Update as of 1st February: Maintenance Release to bring Log4j version to 2.17.1 across Commvault software platform has been released. This release includes the upgrade of components that previously used Log4j 1.x.

Update as of 20th December: Maintenance Release including relevant hotfixes now available for Commvault software, see section “Maintenance Releases”. Please note customers who have already applied hotfixes for Log4j 2.16, do not need to install.

For customers with Commvault Hyperscale X and Distributed storage, please see section new Community article here:

Apache Log4j information

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. From log4j 2.15.0, this behavior has been disabled by default
CVE-2021-45046: Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default
CVE-2021-45105: Apache Log4j2 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data.
CVE-2021-44832: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

Note: Log4j version 1.x is NOT affected.

There’s a great blog article that covers the potential impact.

Updates:

CVE-2021-45105: Commvault can confirm that the affected Log4j2 function is NOT leveraged by Commvault software and thus there is no immediate need to update Commvault to use Log4j 2.17.

CVE-2021-4104: The Commvault software does not use the JMSAppender module and, therefore, the vulnerability about log4j 1.x versions does not affect any Commvault products.

CVE-2021-44832: The Commvault software does not use the JdbcAppender module and, therefore, the vulnerability about remote code execution attack does not affect any Commvault products.

Identifying and Updating Commvault

Exposure:

Note: check FAQ at the bottom of this post for specific version questions.

The exposure impacts the below Commvault product features:

• Cloud Apps package
• Oracle agent - Database archiving, data masking, and logical dump backup
• Microsoft SQL Server agent - Database archiving, data masking, and table level restore

• Commvault Distributed Storage

• Commvault Hyperscale X

Identifying affected servers using the Commvault Log4j report

Please use the below direct link to download the Commvault Log4J Affected Servers report then follow step 4 to import and run

https://cloud.commvault.com/webconsole/softwarestore/store.do#!/135/663/21789

Alternatively, follow steps 1-3 to manually download the Commvault report:

Log into cloud.commvault.com and click the Software Store tile icon
Search the Store for Log4j and click the Download button for the “Log4J affected servers” report
Log into Command Center and navigate to Reports
At the top right of the Reports page, click Actions and Import report. Proceed to select the downloaded report file to import into Command Center.
Now you can run the report.

This report will show you any servers with Cloud Apps, SQL Server, and Oracle Database packages installed that may be affected by Log4j vulnerability.
Note: If the resulting report shows No Data to Display, then there are no affected clients in this CommCell

The easiest course of action is to upgrade all servers listed in this report (Oracle, Cloud Apps, and SQL) – that would be the recommendation. However, at a minimum, servers with Database Archiving, Data Masking, or Extent based backups (SQL table level restore) features enabled should have highest priority as the vulnerable log4j package is actively used, while otherwise the packages are dormant.

Maintenance Releases

The table below outlines the specific Maintenance Releases that will both address Log4j 2.x vulnerabilities as well as update Log4j 1.x components to 2.17.1 (the latest release of Log4j)

Note: If the previous Log4j 2.16 hotfixes has already been applied, then this latest Maintenance Release is optional

Feature Release	Maintenance Release
11.26	11.26.21
11.25	11.25.32
11.24	11.24.48
11.23	11.23.47
11.20	11.20.90
SP16	SP16.153

How to deploy Maintenance Release:

First perform a disaster recovery backup using steps HERE .
OPTIONAL: create a server group containing all the affected servers using instructions HERE. This can make it easier to select servers for the upgrade process.
Go to documentation to find the list of updates: https://documentation.commvault.com/11.24/essential/146231_security_vulnerability_and_reporting.html
Download the maintenance pack for the version the CommServe is running on.

If you do not know the CommServe version, in Command Center search for About and click the About search result to bring up the version popup.
Extract the Maintenance Pack
Follow instructions HERE to copy the software packages to the cache using Command Center.
Proceed to Install updates following instructions HERE . You can update only the affected clients to avoid the CommServe services stopping, however it is recommended to update the CommServe and all affected servers as shown on the report for completeness.
Once completed re-rerun the report to show that the servers have the appropriate fixes

Note: For instructions on how to apply Log4j 2.16 hotfixes on older Maintenance Release, please see FAQ

See Commvault Online Documentation for additional information:

https://documentation.commvault.com/11.25/essential/146231_security_vulnerability_and_reporting.html

HyperScale X and CDS (Hedvig)

For all detailed information on how to update HyperScale X and Commvault Distributed Storage (CDS) to address Log4j vulnerabilities, please see article here:

Log4j FAQ

Q:   There is a new vulnerability in 2.15 is Commvault addressing this?

A:   The LOG4J 2.15 version (GA Dec. 06, 2021) disabled the essential exploit functions by default was released last week on Dec 6, 2021. This was considered the market-acceptable, non-vulnerable upgrade package up to today. 

 The Apache organization released a new version, 2.16, on Monday, Dec.13, 2021, which physically removes the vulnerable functions.

 This evening, the security groups issued a new vulnerability CVE-2021-45046 targeting concerns with the 2.15 version and recommending the shift to 2.16.

  This significant change affects all client remediation methods, requiring an upgrade to version 2.16.  Log4j 2.16 hotfixes have now been released, please see table above

Q: When will new hotfixes be available for 2.16 log4j?

A: Log4j 2.16 hotfixes have now been released, please see table above

Q:  I've noticed older 1.x versions of log4j being used in the platform.  Are these vulnerable?

A:   We have some older instances in the installed component structure related to the older generation Log4J 1.x files which are not part of the current CVE Log4J 2.x vulnerability. We are doing further investigation on those conditions to determine a course of action. 

We do plan to remove all 1.x references in the Feb 1st maintenance release to prevent “false alarms”. That version is not vulnerable to the current respective CVEs, but it would clear up the scanning concerns.

Q:  I noticed HyperScale 1.5 is using end of life versions of Log4j.  Is this being resolved?

A:  The 1.x versions of log4j bundled with HyperScale 1.5 are maintained and supported by Redhat.  These versions are not affected by this CVE.

Q: Are older versions like v10 and v9 affected?

A: These versions are not affected

Q: Why are some updates showing skipped during Copy to Cache?

A: These are updates for Operating Systems your CommCell does not have. It’s more informational than error related.

Q: Why does the report show No Records Available or No Items to Display?

A: This means there are no affected clients in this CommCell

Q: What order should I apply the updates?

A: The Maintenance Release needs to be installed first, then the Hotfix Pack. The best option is to use Copy to Cache, followed by pushing the updates out from the GUI as per the instructions. This will ensure everything is applied as needed in the correct order.

Q: Can I remove versions manually?

A: No, removing anything manually will potentially cause features to not work properly. Use the Maintenance Releases and Hotfix packs to remediate.

Q: Is Anti-virus a concern?

A: It is possible that an AV service may lock the affected files out of concern and cause features to not work properly. Use the Maintenance Releases and Hotfix packs to remediate.

Q: How do I download Maintenance Release using CommCell Console?

A: Please follow Commvault Online Documentation steps below

https://documentation.commvault.com/11.25/expert/2705_downloading_commvault_software_using_commcell_console.html

Q: Is Metallic vulnerable to the vulnerability?

A: We have found that the Log4j vulnerability has no impact on Metallic or the security and privacy of your data backups. Metallic does not use the impacted libraries as per the Apache Log4j advisory.

We will continue to proactively monitor and provide any further updates, while customers with questions can reach out to Metallic.io/support.

Q: Log4j scanner is still picking up DbArchiveEngine.jar as potentially vulnerable?

A: Some Log4j scanners are actually incorrectly picking up DbArchiveEngine.jar as potentially vulnerable when in fact it is already patched. This is because the scanner was unable to determine the version of Log4j used and ending up marking it as “potentially vulnerable”. Please note that if you have patched Commvault clients with either the 2.16 hotfix or the latest Maintenance Release, then this DbArchiveEngine.jar binary is also patched and will not have the Log4j 0-day vulnerability.

Q: I have updated to latest Maintenance Release but Log4j Affected Servers report is still showing my clients as not fixed?

A: There has been a new Log4j Affected Servers report released on December 22nd that has updated the checks to correctly report fixed for clients on the latest Maintenance Release. This new report is version 1.1.2.3 whereas the previous report is 1.1.2.2.

Q: How do I apply the Log4j hotfixes if I am already on the older minimum required Maintenance Release?

A: Please follow below steps:

Ensure the Commserve and affected clients are on the minimum required Maintenance Release pack.
1. If not, please download and install using the CommCell Console
2. Alternatively, you may download the minimum required Maintenance Release from the links in the table below
Download the Log4J-Fix pack for your version
Unzip the contents of the download
Run Copy To Cache and point to the folder created by the unzip to add the new updates to your software cache
Push out updates to the clients
Verify client status by checking the Log4j Affected Servers report or Client Details report or viewing the client properties

Log4j 2.16 fixes (CVE-2021-44228, CVE-2021-45046)

Feature Release	Minimum Required Maintenance Release	Update Link (includes 2.16 fix)	Installed Windows Updates	Installed Unix Updates
11.26	11.26.2	11.26 Log4J-2.16 Fix	1755	1755
11.25	11.25.9	11.25 Log4J-2.16 Fix	2763 2779	2763 2779
11.24	11.24.23	11.24 Log4J-2.16 Fix	4552 4564	4551 4564
11.23	11.23.37	11.23 Log4J-2.16 Fix	4160 4178	4161 4178
11.22	11.22.50	11.22 Log4J-2.16 Fix	3911 3920	3912 3920
11.21	11.21.66	11.21 Log4J-2.16 Fix	3587 3599	3588 3599
11.20	11.20.77	11.20 Log4J-2.16 Fix	4562 4574	4561 4574
SP16	SP16.128	SP16 Log4J-2.16 Fix	2943 2946	2942 2946

https://www.linkedin.com/in/michael-struening

Like
Quote
Share

Show first post Hide first post

344 replies

Page 2 / 14

Userlevel 6

+15

I have just downloaded the latest HP29 from my Commserve, updated the SW cache, and checked its content. I can confirm what @Onno van den Berg already stated : the log4j hotfixes are included in this one.

See below the Windows sw cache references from FR24 after the refresh (dec20/1:56PM my time) :

:thumbsup: thanks !

Hi,

As per the Tenable website link below it looks like log4j version 1.x is also vulnerable

CVE-2021-4104 | Tenable

Kindly can you check and update the log4j version 1.x is vulnerable or not.

Userlevel 2

@Mohit Chordia, It would be better to maintain consistent versioning across your environment as any mis-match in versions between Commserve, Media Agents and Clients may cause inconsistencies in behaviour.

Userlevel 2

@0ber0n, open a support case for review, issue being “after install of 11.24.29 update, report shows server still not fixed”

Userlevel 5

+11

Jordan
Vaulter
134 replies
2 years ago
22 December 2021

Hi @Nishika ,

An updated version of the report has been released to address the issues with latest MR pack. Download link is the same as sticky post at top, and copied below:

https://cloud.commvault.com/webconsole/softwarestore/store.do#!/135/663/21789

Note that version is now 1.1.2.3

Thank you

Userlevel 7

+23

In what order should the hotfixes contained in the log4j_fix zip file be applied for a Windows environment? 4562 then 4563? In my certain case, its regarding version 11.20.

Thanks.

@NTCbrad , why not use Copy To Cache and push them, out that way?

Otherwise, manually install them in numerical order (though I don’t think it makes a difference).

Userlevel 6

+15

@Mohd Adnan

Quoting @Onno van den Berg :

Based on the hotfix in the MR I would say the gab between 23 / 29 is about +200 fixes and enhancements.

And I would myself recommend to upgrade to the latest hotfix pack. BUT it your concern is only the log4j vulnerability, then it’s not necessary if you pushed the hotfixes to all of your clients.

@Shane

I just deployed CVMA on a RHEL 7.9 today, but before your post.. So unfortunately I can’t tell you if it’s coming with CVMA packages or just the RHEL OS.

Anyway I checked on another server without any Commvault product on it and found no /usr/share/java folder. I also checked on the linux sources, and it looks like whether it comes with apache/tomcat, or glibc runtimes.

==> Here a feedback from Vaulters would be appreciated. (though it’s not the right moment, we all agree on this)

And as already written before by some other people, thanks to all Vaulters a professionals that work on this topic and share as much as possible to address this issue. :thumbsup:

Userlevel 5

+11

Jordan
Vaulter
134 replies
2 years ago
14 December 2021

Thanks Mike,

Can you clarify with the SQL and Oracle agents are they only vulnerable if the functions listed are used? or are all SQL / Oracle agents vulnerable.

Oracle agent - Database archiving, data masking, and logical dump backup
• Microsoft SQL Server agent - Database archiving, data masking, and table level restore

We’re trying to prioritize our response to our customers at present.

@Michael Woodward

Only when used. So priority would be those that are used, followed by unused.

Userlevel 1

The commvault report and sql query are not validated security tools. They just report that the update(s) installed on the client.

We get daily nessus reports of the CV infrastructure having a level 10 severity and have to explain to our customers that according to CV it is resolved.

CV will not get very far in saying that the platform is not affected unless the security vendors scan and show no vulnerabilities can be located.

Userlevel 2

New vulnerability has been released today. 2.17 is now vulnerable.

https://logging.apache.org/log4j/2.x/security.html

@nizmoz - Thank you for the detail. I’ve been advised we are aware and looking into this and will be going to 2.17.1. I’ve requested more detail from our teams and will update this thread when we are able.

Userlevel 6

+18

CVE-2021-44832: The Commvault software does not use the JdbcAppender module and, therefore, the vulnerability about remote code execution attack does not affect any Commvault products.

Not sure how much I trust that, because our tenable scanner saw it was vulnerable on 1.2, above and they said it wasn’t and now they are working on fixing that issue.

I assume Tenable is simply scanning for the existence of the Log4J packages and not digging into the binaries of applications to determine if they’re using the exploited functions.

Thanks,
Scott

Userlevel 7

+15

Hi @0ber0n

Yes, these hotfixes provided out of band now will be included in the next Maintenance Release, scheduled for release early in January.

Thanks,

Stuart

Hi all,

A customer has raised a concern with us regarding the eariler versions of Log4j2 They have run the scanner which shows another instance in the following path:

* \Program Files\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper lib\log4/-1.2.16.jar

Also they refer to the UK governments National Cyber Security Centres alert which says the earlier versions should not be used.

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

“Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j 2.”

Does Commvault have a resoponse to this I can pass on to my customer?

Userlevel 4

+13

Thanks so much Mike.
Just a question as the 3 servers that were flagged are still showing as being an issue. SP11_25_14 has been installed last night.

Hi Mauro, can you confirm you are using the latest version of the Log4J Affected Servers report (1.1.2.3)? If not, please download and try the latest version to see if it gives different results.

Thank you so much! The new report solved the issue.

Userlevel 7

+23

Hi @MathBob , @Rana , @C.Sudy , @Oriium

Edited: We have some older instances in the installed component structure related to the older generation Log4J 1.x files which are not part of the current CVE Log4J 2.x vulnerability. We are doing further investigation on those conditions to determine a course of action.

Once I have more information on that discussion, I’ll reply here.

Userlevel 7

+23

@Dave S All of these are covered by the hotfix:

I’ll look into your CVE.

Userlevel 3

I would like to make you all aware of a new KB article that addresses the potential presence of Log4j v1 files in Microsoft SQL Server 2019 that is deployed in new CV installs (or if you have upgraded the MS SQL to 2019). The article can be found here: Log4j Files in Microsoft SQL Server 2019 Installations. These files are not used by CV software so do not represent an active vulnerability, but if you are using file scanning to detect Log4j they may generate alerts.

I am also having the same problem which @Ziggy_81 reported with MR24.38, raised case with support.

Userlevel 7

+15

I do see Commvault has updated Security Vulnerability and Reporting (commvault.com) to include a new Log4J-2.16 Fix. Are there any instructions on if you have the previous Log4J Fix already installed? I.E. Can you just add the new one to the cache and install over the old one? Or do you have to somehow remove the old first?

Hi @Dave S

Yes, you can import the new fixes and deploy these over the top of the previous ones - no need for uninstall.

Likewise if you have any clients that didn’t get the previous hotfixes, you can jump straight to the latest ones.

Thanks,

Stuart

Userlevel 4

+13

I downloaded the report showing what servers may be effected by Log4j, but the result isn’t what I expected.

Is there no result in the report immediately once installed to the webconsole?

//Henke

The report is specific to cloud apps, oracle, and sql where archiving, masking, and table level restore is enabled - since this combo is highest risk.

Simplest approach is to just update all those apps anyway regardless, but the report will help you target into the affected servers.

Webconsole is not affected by this vulnerability so it wont be on the report.

Ahh that explains. I was confused as I didn’t see any of the servers with SQL agent installed in there, but we don’t have that enabled.

Thanks for the answer.

//Henke

Very useful article guys. Loved the clarity. There is a lot of confusion out in the field and a lot of security groups are in panic mode getting fixes implemented. The Vulnerability Report was a godsend. Well done. AMJ

Userlevel 5

+11

Jordan
Vaulter
134 replies
2 years ago
17 December 2021

Hi @BHorner , @m.rieder ,

This path here is where CV stores the older binaries that are replaced by a hotfix. Please ignore these are these files are essentially dormant and will be deleted during the next full MR pack install. It is only showing up because loose hotfixes automatically copy/save the old replaced filers “just in case”.

These files should be of no concern as no process / code will call upon this to be actively run.

Thank you

Userlevel 6

+15

hi @mciobanu

For the moment, you need to apply the fix even if you update from MR23 to MR25, as it’s not included in it.

Userlevel 7

+15

Hi @zahni

You can register for Commvault Cloud access here:

https://cloud.commvault.com/commcellregistration/commcellregistration-form.jsp

This will enable to view lots of resources, including the Log4J fixes.

Thanks,

Stuart

hello,

is there a easy manual way to determine if a machine has the vulnerability? The report that CV published in the store only shows two machines in my environment that need the hotfix. We have other machines that have sql and oracle and I want to be sure everything that needs the patch gets it.

Thank you

OK, I found nothing:

( the 2 unkown jar are also from 1.x)

Nessus detected 15 installs of Apache Log4j:  Path    : D:\Commvault\ContentStore\Base\WebApp\shared\tomcat-extras\log4j-1.2.17.jar  Version : 1.2.17  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper\lib\log4j-1.2.16.jar  Version : 1.2.16  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\CVAnalytics\DataCube\app\webapps\server\WEB-INF\lib\log4j.jar  Version : unknown  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\CustomReportsEngine\WEB-INF\lib\log4j-1.2.16.jar  Version : 1.2.16  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\Base\WebApp\shared\apache-ant-1.9.4\lib\log4j-1.2.14.jar  Version : 1.2.14  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\CVAnalytics\CVSeaHome\app\webapps\server\WEB-INF\lib\log4j-1.2.16.jar  Version : 1.2.16  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\Base\DBMinerTool\log4j.jar  Version : unknown  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\CVCIEngine\CvPreviewHome\app\webapps\server\WEB-INF\lib\log4j.jar  Version : unknown  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\Base\WebApp\shared\apache-ant-1.8.4\lib\log4j-1.2.14.jar  Version : 1.2.14  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\CVAnalytics\CVSeaHome\app\webapps\server\WEB-INF\lib\log4j-1.2.17.jar  Version : 1.2.17  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\Apache\lib\log4j-1.2.16.jar  Version : 1.2.16  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\CVCIEngine\CvPreviewHome\webapps\CvContentPreviewGenApp\WEB-INF\lib\log4j-1.2.17.jar  Version : 1.2.17  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\Base\WebApp\shared\apache-ant-1.8.1\lib\log4j-1.2.14.jar  Version : 1.2.14  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\MessageQueue\lib\optional\log4j-1.2.17.jar  Version : 1.2.17  Method  : JAR filesystem search  Path    : D:\Commvault\ContentStore\Base\WebApp\shared\log4j-1.2.15.jar  Version : 1.2.15  Method  : JAR filesystem search

Page 2 / 14

Summary

Apache Log4j information

Identifying and Updating Commvault

Exposure:

Identifying affected servers using the Commvault Log4j report

Maintenance Releases

How to deploy Maintenance Release:

HyperScale X and CDS (Hedvig)

Log4j FAQ

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded