Jump to content
ON-DEMAND Webinar: The Ultimate Guide to VM Backup and Recovery ×
NAKIVO Community Forum

Log4j CVE-2021-44228


Recommended Posts

Hi, @JurajZ and @Bedders!

NAKIVO Backup & Replication is using the Apache Log4j library, which is part of Apache Logging Services. 

You can manually fix the CVE-2021-44228 vulnerability by removing JndiLookup.class located in libs\log4j-core-2.2.jar.

Note: If the libs folder contains log4j-core-fixed-2.2.jar instead of log4j-core-2.2.jar, it means that the issue was already fixed for your version of NAKIVO Backup & Replication.

For Linux:

  • Go to the libs folder located inside NAKIVO Backup & Replication installation folder.
  • To remove JndiLookup.class from the jar file run the following command:

zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For Windows:

  • Ensure you have 7z tool installed.
  • Go to the libs folder located inside NAKIVO Backup & Replication installation folder.
  • Use 7z to open the log4j-core-2.2.jar and remove JndiLookup.class from the jar file.
  • Restart NAKIVO Backup & Replication.

For NAS devices:

If you are using a NAS, open an SSH connection to your device and locate NAKIVO Backup & Replication installation folder here:

  • For ASUSTOR NAS: /usr/local/AppCentral/NBR
  • For FreeNAS/TrueNAS (inside the jail): /usr/local/nakivo/director
  • For NETGEAR NAS: /apps/nbr
  • For QNAP NAS: /share/CACHEDEV1_DATA/.qpkg/NBR
  • For Raspberry PI: /opt/nakivo/director
  • For Synology NAS: /volume1/@appstore/NBR
  • For Western Digital NAS: /mnt/HD/HD_a2/Nas_Prog/NBR

Note: Refer to the NAS vendor documentation to learn how to open an SSH connection to your NAS device.

IMPORTANT: CVE-2021-44228 is a severe vulnerability. We strongly advise you to apply the manual fix as soon as you can. This is the best way to avoid the risks of security breaches.

Please contact customer support if you require custom build of NAKIVO Backup & Replication that has the fix.

  • Like 2
Link to comment
Share on other sites

I get the following error when I try this:

root@SynologyNAS:/volume1/@appstore/NBR/libs# zip q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
        zip warning: q.zip not found or empty
        zip warning: name not matched: org/apache/logging/log4j/core/lookup/JndiLookup.class

Should I contact Support or am I doing something wrong?

  • Like 1
Link to comment
Share on other sites

Standard install of Nakivo 10.5 on Ubuntu 20.04 server here. I had to run the command with the "-q" rather than "q" or else I had the same error as Bedders.

Seems to have done the job... I copied the file to *-original" first and can see that the jar file has now shrunk:

root@nakivovm:/opt/nakivo/director/libs# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal
root@nakivovm:/opt/nakivo/director/libs# pwd
root@nakivovm:/opt/nakivo/director/libs# ls -la | grep log4j-core*.jar
-rw-r--r--  1 root root   825339 Dec 16 18:50 log4j-core-2.2.jar                                  <<<< now smaller.
-rw-r--r--  1 root root   826732 Dec 16 18:49 log4j-core-2.2.jar-original

Am wondering if I have to do this on my Transporter virtual appliances as well?

Link to comment
Share on other sites

I'm having issues removing it on a Synology NAS on DSM7 as well. Had to remove the # after libs for it to find it. Then it gives this permissions error. I changed the permissions so the szadmin user has access to the backup folder but it didn't make a difference, even after ssh back into the nas.

szadmin@NAS02:/volume1/@appstore/NBR/libs$ zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip I/O error: Permission denied
zip error: Could not create output file (log4j-core-2.2.jar)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...