Critical
| Third-party Component | CVEs | More information |
|---|---|---|
| Apache Log4j | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | Apache Log4j Remote Code Execution |
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
|---|---|---|---|---|
| CVE-2021-44228, CVE-2021-45046 | Dell EMC Cloud Disaster Recovery | 19.6.x, 19.7.x, 19.8.x, 19.9.x | 19.6.0.3, 19.7.0.3, 19.8.0.7, 19.9.0.4 | https://www.dell.com/support/home/en-in/product-support/product/data-domain-cloud-dr-for-avamar/drivers |
| CVE-2021-45105, CVE-2021-44832 | Dell EMC Cloud Disaster Recovery | 19.6.x, 19.7.x, 19.8.x, 19.9.x | 19.8.0.7, 19.9.0.4 | https://www.dell.com/support/home/en-in/product-support/product/data-domain-cloud-dr-for-avamar/drivers |
The Workarounds and Mitigations provided below are applicable only for versions 19.6.0.3 and 19.7.0.3.

For CDRA - On-premise virtual machine:

1. SSH to the CDRA VM using the cdr user.
2. Save the script shown below on the VM as /tmp/cdra_log4jfix.sh, then run the following commands:

```bash
dos2unix /tmp/cdra_log4jfix.sh
chmod +x /tmp/cdra_log4jfix.sh
sudo /tmp/cdra_log4jfix.sh
```

For CDRS deployed on cloud (AWS, Azure, AWS GOV, or Azure GOV):

1. Log in to the CDRS VM over SSH. For assistance in accessing CDRS over SSH, contact Dell Support.
```bash
#!/bin/bash
# Workaround script for the Log4j CVEs listed above.
# bash is required (not /bin/sh): the script uses [[ ]] tests and {1..10}
# brace expansion, which POSIX sh does not provide.

# Keep a copy of every file the script modifies so it can be restored by hand.
cdr_backup()
{
    mkdir -p /tmp/cdr_backup
    cp /home/cdr/executable /tmp/cdr_backup/executable.bak
    cp /home/cdr/resources/restore_service.tar.gz /tmp/cdr_backup/restore_service.tar.gz.bak
    cp /home/cdr/lib/cdrs_main.jar /tmp/cdr_backup/cdrs_main.jar.bak
}

# Add -Dlog4j2.formatMsgNoLookups=true to the JVM options of the CDRS launcher.
update_executable()
{
    echo "Updating CDRS executable."
    sed -i 's/=CDRS/=CDRS -Dlog4j2.formatMsgNoLookups=true/g' /home/cdr/executable
}

# Remove JndiLookup.class from the restore_service.jar packed inside
# restore_service.tar.gz. 19.6 to 19.9 builds also carry a shaded copy under shadow/.
update_restore_service()
{
    L_CDR_VER=$1
    echo "Updating restore_service.jar."
    BASE_PATH=/home/cdr/resources
    cd "$BASE_PATH"
    gunzip restore_service.tar.gz
    tar -xvf restore_service.tar "lib_${L_CDR_VER}/restore_service.jar"
    if [[ ${L_CDR_VER} =~ 19\.[6-9] ]]; then
        zip -q -d "lib_${L_CDR_VER}/restore_service.jar" shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class
    fi
    zip -q -d "lib_${L_CDR_VER}/restore_service.jar" org/apache/logging/log4j/core/lookup/JndiLookup.class
    # Swap the modified jar back into the tarball and re-compress it.
    tar --delete -f restore_service.tar "lib_${L_CDR_VER}/restore_service.jar"
    tar -uf restore_service.tar "lib_${L_CDR_VER}/restore_service.jar"
    rm -rf "lib_${L_CDR_VER}"
    gzip restore_service.tar
}

# Remove JndiLookup.class from the log4j-core jar nested inside the Spring Boot
# fat jar cdrs_main.jar, then restart the service and wait for it to answer.
update_cdrs_main()
{
    echo "Updating cdrs_main.jar."
    LOG4J_JAR_FILE_LOCATION=BOOT-INF/lib/log4j-core-2.13.2.jar
    echo "Stopping CDR service."
    sudo service cdrd stop
    cd /home/cdr/lib/
    mkdir -p BOOT-INF/lib
    # Extract the nested jar to the same relative path so the edited copy is
    # written back under the identical entry name.
    unzip -p cdrs_main.jar "$LOG4J_JAR_FILE_LOCATION" > "$LOG4J_JAR_FILE_LOCATION"
    zip -q -d "$LOG4J_JAR_FILE_LOCATION" org/apache/logging/log4j/core/lookup/JndiLookup.class
    # Nested jars must stay stored (-0) for the Spring Boot launcher. The suffix
    # list is written as ".jar": an unquoted "*.jar" would be expanded by the shell
    # against the jars in this directory before zip ever saw it.
    zip -u -0 -n .jar cdrs_main.jar "$LOG4J_JAR_FILE_LOCATION"
    rm -rf BOOT-INF
    echo "Starting CDR service. This may take a few minutes."
    sudo service cdrd start
    # Poll the local REST endpoint for up to five minutes (10 x 30 s).
    for i in {1..10}
    do
        sleep 30
        echo "Checking CDR service status..."
        RESP_CODE=$(curl -kfsL -o /dev/null -w '%{http_code}' -X GET https://localhost/rest/cdr-version -H "accept: application/json")
        if [[ "$RESP_CODE" == 200 ]]; then
            echo "CDR service started successfully."
            return 0
        fi
    done
    echo "Failed to run CDR service. Please contact Dell Support."
    exit 1
}

main()
{
    cdr_backup
    CDR_VER=$(curl -s -X GET https://localhost/rest/cdr-version -H "accept: application/json" -k)
    echo "CDR version is : $CDR_VER"
    if [[ $CDR_VER =~ 19\.[6-9] ]]; then
        update_executable
        update_restore_service "$CDR_VER"
        update_cdrs_main
    elif [[ $CDR_VER =~ 19\.[2-5] ]] || [[ $CDR_VER =~ 19\.1\.[0-9] ]]; then
        update_restore_service "$CDR_VER"
    else
        echo "This script is applicable only for CDR versions between 19.1 and 19.9."
        exit 1
    fi
    # The backups are removed only when every step succeeded; after a failure
    # they remain in /tmp/cdr_backup for manual rollback.
    rm -rf /tmp/cdr_backup
}

main
```
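A post-mitigation check to confirm that the workaround actually removed the vulnerable class, written as an added example and not part of Dell's advisory or script. It walks a directory, opens every .jar, recurses into nested jars (the Spring Boot BOOT-INF/lib layout the script above patches) and reports every surviving JndiLookup.class together with the log4j-core versions it sees, covering both entry names the script deletes (the plain path and the shaded `shadow/...` copy). The jars it scans are constructed stubs written to a temporary directory; the file names cdrs_main.jar, restore_service.jar and log4j-core-2.13.2.jar are taken from the script above, nothing else about them is real Dell content.

```python
"""Post-mitigation Log4j check (added example, not Dell's code)."""
import io
import os
import re
import tempfile
import zipfile

# Both entry names the workaround script deletes: the plain class and the
# shaded copy (shadow/...) carried inside restore_service.jar.
JNDI_LOOKUP_PATHS = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class",
)
LOG4J_CORE_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)\.jar$")


def scan_jar_bytes(data, label):
    """Return a list of (label, finding) for one jar image.  A finding is a
    JndiLookup.class entry name or 'log4j-core <version>' for a nested
    log4j-core jar.  Nested jars are scanned recursively and labelled
    outer!inner, the notation the JVM itself uses for nested entries."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to scan
    with zf:
        for name in zf.namelist():
            if name in JNDI_LOOKUP_PATHS:
                findings.append((label, name))
            elif name.endswith(".jar"):
                m = LOG4J_CORE_RE.search(name)
                if m:
                    findings.append((label, "log4j-core " + m.group(1)))
                findings.extend(scan_jar_bytes(zf.read(name), label + "!" + name))
    return findings


def scan_tree(root):
    """Scan every .jar below root; labels are paths relative to root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".jar"):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    findings.extend(scan_jar_bytes(fh.read(), label))
    return findings


def jndi_lookup_present(findings):
    """True if any finding is a surviving JndiLookup.class entry."""
    return any(hit in JNDI_LOOKUP_PATHS for _label, hit in findings)


def _make_jar(entries):
    """Build an in-memory jar from {entry name: bytes}.  Entries are stored
    uncompressed, which is how Spring Boot packs nested jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def write_sample_tree(root, patched):
    """Constructed sample layout (stub jars, not real Dell artefacts):
    lib/cdrs_main.jar wrapping a nested log4j-core-2.13.2.jar and
    lib/restore_service.jar with the shaded package.  patched=False leaves
    both JndiLookup.class copies in place; patched=True omits them, which
    is the state the workaround script should produce."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic is enough for a stub
    core = {"org/apache/logging/log4j/core/Logger.class": stub_class}
    shaded = {"shadow/org/apache/logging/log4j/core/Logger.class": stub_class}
    if not patched:
        core[JNDI_LOOKUP_PATHS[0]] = stub_class
        shaded[JNDI_LOOKUP_PATHS[1]] = stub_class
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "cdrs_main.jar"), "wb") as fh:
        fh.write(_make_jar({"BOOT-INF/lib/log4j-core-2.13.2.jar": _make_jar(core)}))
    with open(os.path.join(lib, "restore_service.jar"), "wb") as fh:
        fh.write(_make_jar(shaded))


def check_sample(patched):
    """Write a sample tree to a temp dir, scan it and return
    (jndi_lookup_present, sorted findings)."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root, patched)
        findings = sorted(scan_tree(root))
    return jndi_lookup_present(findings), findings


if __name__ == "__main__":
    for state in (False, True):
        present, findings = check_sample(patched=state)
        print("patched=%s -> JndiLookup.class present: %s" % (state, present))
        for label, hit in findings:
            print("   ", label, hit)
```

On a real host, point `scan_tree` at the directories the script touches (for example /home/cdr/lib after the update, or an unpacked copy of restore_service.tar.gz) and treat any JndiLookup.class hit as the workaround not having taken effect; the `log4j-core <version>` findings give the inventory needed to decide whether a full upgrade to the fixed versions in the table above is still outstanding.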
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2021-12-20 | Initial Release. |
| 2.0 | 2021-12-22 | Updated workaround |
| 3.0 | 2021-01-10 | Added CVE-2021-45105 |
| 4.0 | 2022-02-08 | Added CVE-2021-44832 |