In light of the recent exploitation of the CVE-2021-44228 vulnerability, we want to inform you that NAKIVO Backup & Replication uses the Apache Log4j library, which is part of Apache Logging Services.
You can manually fix the CVE-2021-44228 vulnerability by removing JndiLookup.class located in libs\log4j-core-2.2.jar.
Note: If the libs folder contains log4j-core-fixed-2.2.jar instead of log4j-core-2.2.jar, it means that the issue was already fixed for your version of NAKIVO Backup & Replication.
For Linux:
- Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
- To remove JndiLookup.class from the jar file, run the following command:
zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For Windows:
- Ensure you have the 7z tool installed.
- Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
- Use 7z to open log4j-core-2.2.jar and remove JndiLookup.class from the jar file.
- Restart NAKIVO Backup & Replication.
Important: CVE-2021-44228 is a severe vulnerability. We strongly advise you to apply the manual fix as soon as you can. This is the best way to avoid the risks of security breaches.
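To confirm on either platform that the manual fix took effect, the following added example (not NAKIVO's own code) checks every log4j-core*.jar in a libs folder for the JndiLookup.class entry named in the command above. The function names, status labels and sample jars are assumptions constructed for illustration.

```python
import sys
import zipfile
from pathlib import Path

# Entry named in the advisory's zip -d command.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def check_libs(libs_dir):
    """Map each log4j-core*.jar in libs_dir to 'vulnerable', 'fixed' or 'unreadable'."""
    results = {}
    for jar in sorted(Path(libs_dir).glob("log4j-core*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                present = JNDI_ENTRY in zf.namelist()
        except (zipfile.BadZipFile, OSError):
            # A jar damaged by an interrupted edit must not be reported as fixed.
            results[jar.name] = "unreadable"
            continue
        results[jar.name] = "vulnerable" if present else "fixed"
    return results


def make_sample_libs(root):
    """Build constructed sample jars (dummy bytes, not real Log4j) for an offline run."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    other = "org/apache/logging/log4j/core/lookup/DateLookup.class"
    with zipfile.ZipFile(root / "log4j-core-2.2.jar", "w") as zf:
        zf.writestr(JNDI_ENTRY, b"constructed")
        zf.writestr(other, b"constructed")
    with zipfile.ZipFile(root / "log4j-core-fixed-2.2.jar", "w") as zf:
        zf.writestr(other, b"constructed")
    (root / "log4j-core-broken.jar").write_bytes(b"not a zip archive")
    return root


if __name__ == "__main__":
    import tempfile
    # Pass the real libs folder as the first argument; otherwise use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_libs(
        Path(tempfile.mkdtemp()) / "libs")
    report = check_libs(target)
    for name, state in report.items():
        print(f"{name}: {state}")
    # Non-zero exit if no jar was found, or any jar is vulnerable or unreadable.
    sys.exit(0 if report and all(s == "fixed" for s in report.values()) else 1)
```

Run it with the path to the libs folder as the only argument; an exit code of 0 means every log4j-core jar found there no longer contains JndiLookup.class.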