Product Version: 10.5.1
Last Modified: 15 December 2021
Problem
Is NAKIVO Backup & Replication affected by the CVE-2021-44228 vulnerability, and can it be fixed?
Background
NAKIVO Backup & Replication uses the Apache Log4j library, which is part of Apache Logging Services. CVE-2021-44228 is a vulnerability in the Apache Log4j library that allows unauthenticated remote code execution, i.e., it may be exploited over a network without a username and password.
Important
- CVE-2021-44228 is a high-severity vulnerability. It is highly recommended that you apply the manual fix detailed below as soon as possible.
- The solutions proposed below also apply to the CVE-2021-45046 vulnerability.
Solution
You have one of the following options:
- The CVE-2021-44228 vulnerability is fixed in NAKIVO Backup & Replication v10.5.1. Download the updated version of the solution when it is released.
- Contact customer support to get a custom build of NAKIVO Backup & Replication that includes the fix.
- Manually apply the fix detailed below.
Manual Fix
For older versions of the product, you can manually fix the vulnerability by removing JndiLookup.class from libs\log4j-core-2.2.jar.
Note
If the libs folder contains log4j-core-fixed-2.2.jar instead of log4j-core-2.2.jar, the issue has already been fixed for your version of NAKIVO Backup & Replication.
For Linux:
- Go to the NAKIVO Backup & Replication installation folder.
- In the libs folder, run the following command to remove JndiLookup.class from the jar file:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Alternatively, if you are using a NAS, open an SSH connection to your device and locate the NAKIVO Backup & Replication installation folder at the following path:
For ASUSTOR NAS:
/usr/local/AppCentral/NBR
For FreeNAS/TrueNAS (inside the jail):
/usr/local/nakivo/director
For NETGEAR NAS:
/apps/nbr
For QNAP NAS:
/share/CACHEDEV1_DATA/.qpkg/NBR
For Raspberry Pi:
/opt/nakivo/director
For Synology NAS:
/volume1/@appstore/NBR
For Western Digital NAS:
/mnt/HD/HD_a2/Nas_Prog/NBR
Note
Refer to the NAS vendor documentation to learn how to open an SSH connection to your NAS device.
- Restart NAKIVO Backup & Replication.
For Windows:
- Make sure you have the 7z tool installed.
- Go to the NAKIVO Backup & Replication installation folder.
- Go to the libs folder.
- Use 7z to open log4j-core-2.2.jar and remove JndiLookup.class from the org/apache/logging/log4j/core/lookup folder inside the jar file.
- Restart NAKIVO Backup & Replication.
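The following script is an added example (not NAKIVO's own tooling) that performs the check from the Note above and the JndiLookup.class removal from the Linux and Windows steps in one place: it lists the log4j-core jars in a libs folder, reports which ones still contain JndiLookup.class, and can rewrite them without that entry using Python's zipfile module instead of the zip or 7z commands. The demo() function builds a constructed stand-in jar in a temporary folder; the libs path and jar contents there are assumptions for illustration only.

```python
import glob
import os
import tempfile
import zipfile

# Entry the article tells you to delete from log4j-core-2.2.jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_log4j_core_jars(libs_dir):
    """Return log4j-core jars in libs_dir (matches the -fixed- name too)."""
    return sorted(glob.glob(os.path.join(libs_dir, "log4j-core*.jar")))

def has_jndi_lookup(jar_path):
    """True if the jar still carries the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete
    entries in place). Returns True if the jar was changed."""
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))  # keeps entry metadata
    os.replace(tmp_path, jar_path)  # swap in the cleaned jar atomically
    return True

def audit_libs(libs_dir, fix=False):
    """Map each log4j-core jar name to whether JndiLookup.class is still
    present (after the optional fix). Empty dict: no log4j-core jar found."""
    report = {}
    for jar in find_log4j_core_jars(libs_dir):
        if fix:
            strip_jndi_lookup(jar)
        report[os.path.basename(jar)] = has_jndi_lookup(jar)
    return report

def demo():
    """Constructed stand-in for a libs folder: a fake log4j-core-2.2.jar
    holding a placeholder JndiLookup.class. Returns (before, after) audits."""
    libs = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(libs, "log4j-core-2.2.jar"), "w") as jar:
        jar.writestr(JNDI_LOOKUP, b"placeholder, not real bytecode")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    return audit_libs(libs), audit_libs(libs, fix=True)
```

Against a real installation, call audit_libs("/path/to/libs") first to see whether any jar still reports True, then audit_libs("/path/to/libs", fix=True) with the product stopped, and restart NAKIVO Backup & Replication afterwards as the steps above require.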