Hi, @JurajZ and @Bedders!
NAKIVO Backup & Replication is using the Apache Log4j library, which is part of Apache Logging Services.
You can manually fix the CVE-2021-44228 vulnerability by removing JndiLookup.class located in libs\log4j-core-2.2.jar.
Note: If the libs folder contains log4j-core-fixed-2.2.jar instead of log4j-core-2.2.jar, it means that the issue was already fixed for your version of NAKIVO Backup & Replication.
For Linux:
Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
To remove JndiLookup.class from the jar file, run the following command:
zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For Windows:
Ensure you have the 7z tool installed.
Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
Use 7z to open the log4j-core-2.2.jar and remove JndiLookup.class from the jar file.
Restart NAKIVO Backup & Replication.
For NAS devices:
If you are using a NAS, open an SSH connection to your device and locate the NAKIVO Backup & Replication installation folder here:
For ASUSTOR NAS: /usr/local/AppCentral/NBR
For FreeNAS/TrueNAS (inside the jail): /usr/local/nakivo/director
For NETGEAR NAS: /apps/nbr
For QNAP NAS: /share/CACHEDEV1_DATA/.qpkg/NBR
For Raspberry PI: /opt/nakivo/director
For Synology NAS: /volume1/@appstore/NBR
For Western Digital NAS: /mnt/HD/HD_a2/Nas_Prog/NBR
Note: Refer to the NAS vendor documentation to learn how to open an SSH connection to your NAS device.
IMPORTANT: CVE-2021-44228 is a severe vulnerability. We strongly advise you to apply the manual fix as soon as you can. This is the best way to avoid the risks of security breaches.
Please contact customer support if you require a custom build of NAKIVO Backup & Replication that has the fix.
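
A way to check the manual fix on any of the platforms listed above, given here as an added example that is not part of the original post or of NAKIVO's tooling: the Python script below reports whether each log4j-core*.jar in a libs folder still contains JndiLookup.class and can strip it. The function names and status strings are hypothetical, and it assumes Python 3 is available on the host.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Added example; function names and status strings are hypothetical.
# Entry name taken from the zip command in the post.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndilookup(jar_path):
    """Return True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndilookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed."""
    jar_path = Path(jar_path)
    if not has_jndilookup(jar_path):
        return False
    # Build the new archive beside the original, then swap it in with one rename.
    fd, tmp_name = tempfile.mkstemp(suffix=".tmp", dir=jar_path.parent)
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_name, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
        shutil.copymode(jar_path, tmp_name)
        os.replace(tmp_name, jar_path)
    finally:
        if os.path.exists(tmp_name):
            os.remove(tmp_name)
    return True


def audit_libs(libs_dir, fix=False):
    """Map each log4j-core*.jar in libs_dir to 'absent', 'present' or 'removed'."""
    report = {}
    for jar in sorted(Path(libs_dir).glob("log4j-core*.jar")):
        if not has_jndilookup(jar):
            report[jar.name] = "absent"
        elif fix and strip_jndilookup(jar):
            report[jar.name] = "removed"
        else:
            report[jar.name] = "present"
    return report
```

Call audit_libs(libs_folder, fix=True) and then audit_libs(libs_folder) again; every jar should report absent before you restart NAKIVO Backup & Replication.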