JurajZ Posted December 15, 2021

Is Nakivo affected? Can we get a statement?

Bedders Posted December 15, 2021

Seconded please - I recall NAKIVO uses Java in their Synology install. It would be great to get something official because if I have to update our NAKIVO version I need to start planning!

Official Moderator Posted December 15, 2021

Hi, @JurajZ and @Bedders!

NAKIVO Backup & Replication is using the Apache Log4j library, which is part of Apache Logging Services. You can manually fix the CVE-2021-44228 vulnerability by removing JndiLookup.class located in libs\log4j-core-2.2.jar.

Note: If the libs folder contains log4j-core-fixed-2.2.jar instead of log4j-core-2.2.jar, it means that the issue was already fixed for your version of NAKIVO Backup & Replication.

For Linux:
Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
To remove JndiLookup.class from the jar file, run the following command:

    zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

For Windows:
Ensure you have the 7z tool installed.
Go to the libs folder located inside the NAKIVO Backup & Replication installation folder.
Use 7z to open the log4j-core-2.2.jar and remove JndiLookup.class from the jar file.

Restart NAKIVO Backup & Replication.

For NAS devices:
If you are using a NAS, open an SSH connection to your device and locate the NAKIVO Backup & Replication installation folder here:

For ASUSTOR NAS: /usr/local/AppCentral/NBR
For FreeNAS/TrueNAS (inside the jail): /usr/local/nakivo/director
For NETGEAR NAS: /apps/nbr
For QNAP NAS: /share/CACHEDEV1_DATA/.qpkg/NBR
For Raspberry PI: /opt/nakivo/director
For Synology NAS: /volume1/@appstore/NBR
For Western Digital NAS: /mnt/HD/HD_a2/Nas_Prog/NBR

Note: Refer to the NAS vendor documentation to learn how to open an SSH connection to your NAS device.

IMPORTANT: CVE-2021-44228 is a severe vulnerability. We strongly advise you to apply the manual fix as soon as you can. This is the best way to avoid the risks of security breaches.

Please contact customer support if you require a custom build of NAKIVO Backup & Replication that has the fix.

Bedders Posted December 15, 2021

I get the following error when I try this:

    root@SynologyNAS:/volume1/@appstore/NBR/libs# zip q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    zip warning: q.zip not found or empty
    zip warning: name not matched: org/apache/logging/log4j/core/lookup/JndiLookup.class

Should I contact Support or am I doing something wrong?

Official Moderator Posted December 15, 2021

@Bedders, Please try replacing "q" with "-q":

    zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Let me know if it works for you!

Gavino Posted December 16, 2021

Standard install of Nakivo 10.5 on Ubuntu 20.04 server here. I had to run the command with the "-q" rather than "q" or else I had the same error as Bedders. Seems to have done the job... I copied the file to "*-original" first and can see that the jar file has now shrunk:

    root@nakivovm:/opt/nakivo/director/libs# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 20.04.3 LTS
    Release: 20.04
    Codename: focal
    root@nakivovm:/opt/nakivo/director/libs# pwd
    /opt/nakivo/director/libs
    root@nakivovm:/opt/nakivo/director/libs# ls -la | grep log4j-core*.jar
    -rw-r--r-- 1 root root 825339 Dec 16 18:50 log4j-core-2.2.jar <<<< now smaller.
    -rw-r--r-- 1 root root 826732 Dec 16 18:49 log4j-core-2.2.jar-original

Am wondering if I have to do this on my Transporter virtual appliances as well?

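Added example, not part of the thread and not NAKIVO's tooling: the removal step from the moderator's instructions, plus a direct check of the jar's contents in place of the file-size comparison in the post above. It rewrites the jar without JndiLookup.class, keeps a "-original" copy, and does nothing on a second run; the function names and the stand-in jar are constructed for illustration.

```python
import os
import shutil
import tempfile
import zipfile

# Entry named in the moderator's instructions.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """Return True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_ENTRY in jar.namelist()


def remove_jndi_lookup(jar_path, backup_suffix="-original"):
    """Rewrite the jar without JndiLookup.class; False means already clean."""
    if not has_jndi_lookup(jar_path):
        return False
    shutil.copy2(jar_path, jar_path + backup_suffix)  # keep the untouched jar
    # zipfile cannot delete in place: write a temp jar beside it, then swap.
    fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_ENTRY:
                    dst.writestr(info, src.read(info.filename))
        shutil.copymode(jar_path, tmp)
        os.replace(tmp, jar_path)
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)
    return True


def demo():
    with tempfile.TemporaryDirectory() as libs:
        jar = os.path.join(libs, "log4j-core-2.2.jar")  # constructed stand-in jar
        with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe" + b"\0" * 64)
            z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        before = has_jndi_lookup(jar)
        runs = [remove_jndi_lookup(jar), remove_jndi_lookup(jar)]  # 2nd run: no-op
        return before, runs, has_jndi_lookup(jar), has_jndi_lookup(jar + "-original")


if __name__ == "__main__":
    print(demo())
```

Like the zip command in the thread, this needs write access to the libs folder, so on a NAS it has to run with the same privileges that made the sudo variant work.
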
Official Moderator Posted December 16, 2021

@Gavino, The CVE-2021-44228 vulnerability only affects the NAKIVO Director.

    root@va:/opt/nakivo# find / -iname log4j-core-2.2.jar
    /opt/nakivo/director/libs/log4j-core-2.2.jar <<<<<<<<<

Thus, you do not need to do it on your Transporter VA. Please let me know if you have additional questions.

Bedders Posted December 17, 2021

Feeding back that changing q to -q worked, many thanks! It's probably worth mentioning that the email you sent round contained this error, as well as the forum post - in case you've not been inundated with support calls about it already!

Official Moderator Posted December 17, 2021

@Bedders, I'm glad it worked for you! Thank you for noticing that. It's all fixed by now.

ozarktech Posted December 21, 2021

I'm having issues removing it on a Synology NAS on DSM7 as well. Had to remove the # after libs for it to find it. Then it gives this permissions error. I changed the permissions so the szadmin user has access to the backup folder but it didn't make a difference, even after ssh back into the nas.

    szadmin@NAS02:/volume1/@appstore/NBR/libs$ zip -q -d log4j-core*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    zip I/O error: Permission denied
    zip error: Could not create output file (log4j-core-2.2.jar)
    szadmin@NAS02:/volume1/@appstore/NBR/libs$

Official Moderator Posted December 21, 2021

Hi, @ozarktech! Please try to run this command:

    sudo zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Let me know if it helps.

ozarktech Posted December 21, 2021

Thanks. That seems to have done the trick.

Official Moderator Posted December 22, 2021

@ozarktech, no problem.

Mario Posted December 23, 2021

https://www.nakivo.com/resources/download/update/

New release 10.5.1 is out with a fix for log4j:

Fixed Apache Log4j Vulnerabilities
Addressed Apache Log4j library vulnerability issues CVE-2021-44228 and CVE-2021-45046.
[https://helpcenter.nakivo.com/display/RN/v10.5.1+Release+Notes]

Happy Xmas and stay safe (covid and log4j)

Official Moderator Posted December 23, 2021

@Mario, Thanks a lot for sharing! Happy holidays to you as well.