Log4j2 (CVE-2021-44228) Vulnerability

Product version: 10.5.1

Last modified: 15 December 2021

Problem

Is NAKIVO Backup & Replication affected by CVE-2021-44228 vulnerability and can it be fixed?

Background

NAKIVO Backup & Replication uses the Apache Log4j library, which is part of Apache Logging Services. CVE-2021-44228 is a vulnerability in the Apache Log4j library that allows unauthenticated remote code execution, i.e., it may be exploited over a network without a username or password.

Important

  • CVE-2021-44228 is a high-severity vulnerability. It is highly recommended to apply the manual fix detailed below as soon as possible.

  • The solutions proposed below also apply to the CVE-2021-45046 vulnerability.

Solution

You have one of the following options:

  • The CVE-2021-44228 vulnerability is fixed in NAKIVO Backup & Replication v10.5.1. Download the updated version of the solution when it is released.

  • Contact customer support to get a custom build of NAKIVO Backup & Replication that has the fix.

  • Manually apply the fix detailed below.

Manual Fix

For older versions of the product, you can manually fix the vulnerability by removing JndiLookup.class from libs\log4j-core-2.2.jar.

Note

If the libs folder contains log4j-core-fixed-2.2.jar instead of log4j-core-2.2.jar, then this means that the issue is already fixed for your version of NAKIVO Backup & Replication.

For Linux:

  1. Go to the NAKIVO Backup & Replication installation folder.

  2. In the libs folder, run the following command to remove JndiLookup.class from the jar file:

    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  3. Alternatively, if you are using a NAS, open an SSH connection to your device and locate the NAKIVO Backup & Replication installation folder here:

    • For ASUSTOR NAS: /usr/local/AppCentral/NBR

    • For FreeNAS/TrueNAS (inside the jail): /usr/local/nakivo/director

    • For NETGEAR NAS: /apps/nbr

    • For QNAP NAS: /share/CACHEDEV1_DATA/.qpkg/NBR

    • For Raspberry PI: /opt/nakivo/director

    • For Synology NAS: /volume1/@appstore/NBR

    • For Western Digital NAS: /mnt/HD/HD_a2/Nas_Prog/NBR

    Note
    Refer to the NAS vendor documentation to learn how to open an SSH connection to your NAS device.

  4. Restart NAKIVO Backup & Replication.

For Windows:

  1. Make sure you have 7z tool installed.

  2. Go to the NAKIVO Backup & Replication installation folder.

  3. Go to the libs folder.

  4. Use 7z to open log4j-core-2.2.jar and remove JndiLookup.class, located in the org/apache/logging/log4j/core/lookup folder of the jar file.

  5. Restart NAKIVO Backup & Replication.
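An added, cross-platform way to perform and verify the removal described in both the Linux and Windows steps above (example code, not NAKIVO's own tooling): it rewrites every log4j-core-*.jar in the libs folder without JndiLookup.class, keeps a .bak copy of the original, and reports whether the class is still present. It assumes only Python 3; stop the product before running it and restart it afterwards as in the steps above.

```python
import shutil
import sys
import zipfile
from pathlib import Path

# Entry named in the article; removing it disables the JNDI lookup used by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def contains_jndi_lookup(jar_path):
    """Return True if the jar still ships JndiLookup.class (i.e. is still vulnerable)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; return the number of entries dropped.

    zipfile cannot delete entries in place, so every other entry is copied into a
    temporary archive (keeping its compression settings), which then replaces the jar.
    The untouched original is kept next to it as <name>.bak.
    """
    jar_path = Path(jar_path)
    backup = jar_path.with_name(jar_path.name + ".bak")
    shutil.copy2(jar_path, backup)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    removed = 0
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)
    return removed


def patch_libs_dir(libs_dir):
    """Patch every log4j-core-*.jar under libs_dir; return {jar name: still_vulnerable}."""
    results = {}
    for jar in sorted(Path(libs_dir).glob("log4j-core-*.jar")):
        if contains_jndi_lookup(jar):
            strip_jndi_lookup(jar)
        results[jar.name] = contains_jndi_lookup(jar)
    return results


if __name__ == "__main__":
    # Usage: python strip_jndi.py <path to the libs folder>
    for name, vulnerable in patch_libs_dir(sys.argv[1]).items():
        print(f"{name}: {'STILL CONTAINS JndiLookup.class' if vulnerable else 'ok'}")
```

A jar name of log4j-core-fixed-2.2.jar also matches the glob and is simply reported as ok, consistent with the note above.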