NAKIVO Community Forum

IMPORTANT: NAKIVO Security Alert - Log4j2 (CVE-2021-44228) Vulnerability

Official Moderator

In light of the recent exploitation of the CVE-2021-44228 vulnerability, we want to inform you that NAKIVO Backup & Replication is using the Apache Log4j library, which is part of Apache Logging Services.

You can manually fix the CVE-2021-44228 vulnerability by removing JndiLookup.class located in libs\log4j-core-2.2.jar.

Note: If the libs folder contains log4j-core-fixed-2.2.jar instead of log4j-core-2.2.jar, it means that the issue was already fixed for your version of NAKIVO Backup & Replication.

For Linux:

  • Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
  • To remove JndiLookup.class from the jar file, run the following command:

zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For Windows:

  • Ensure you have the 7z tool installed.
  • Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
  • Use 7z to open log4j-core-2.2.jar and remove JndiLookup.class from the jar file.
  • Restart NAKIVO Backup & Replication.

Important: CVE-2021-44228 is a severe vulnerability. We strongly advise you to apply the manual fix as soon as you can. This is the best way to avoid the risks of security breaches.
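
To confirm the manual fix took effect on either Linux or Windows, the following added example (not NAKIVO's code) checks every log4j-core*.jar in the libs folder for the JndiLookup.class entry named in the zip command above. The script name check_jndi.py and the helper write_sample_jar are hypothetical; the sample jars it builds are constructed placeholders.

```python
import sys
import zipfile
from pathlib import Path

# Archive entry named in the advisory's zip -d command.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_status(jar_path):
    """Return 'present', 'removed' or 'unreadable' for a single jar."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return "unreadable"  # damaged or locked archive: inspect by hand
    return "present" if JNDI_ENTRY in names else "removed"

def audit_libs(libs_dir):
    """Check every log4j-core*.jar in libs_dir (same glob as the advisory)."""
    jars = sorted(Path(libs_dir).glob("log4j-core*.jar"))
    return {jar.name: jar_status(jar) for jar in jars}

def write_sample_jar(path, with_jndi):
    """Constructed sample input: a tiny jar holding placeholder bytes only."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
        if with_jndi:
            jar.writestr(JNDI_ENTRY, b"placeholder")

def main(argv):
    if len(argv) != 2:
        print("usage: check_jndi.py <path-to-libs-folder>")
        return 2
    results = audit_libs(argv[1])
    if not results:
        print("no log4j-core*.jar found in", argv[1])
        return 2
    for name, status in results.items():
        print(f"{name}: JndiLookup.class {status}")
    # Exit 0 only when every jar is readable and has the class removed.
    return 0 if all(s == "removed" for s in results.values()) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code means at least one jar still contains the class or could not be read, so the result can be used in a scheduled check.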
