CVE-2021-44228, the Apache Log4j vulnerability ("Log4Shell"), has had a lot of people scrambling over the last month or so. For users of NetApp products, the official advisory is here:
https://security.netapp.com/advisory/ntap-20211210-0007/
Here we focus on NetApp OnCommand Insight and NetApp Cloud Insights.
OnCommand Insight (OCI)
OCI is fixed in version 7.3.13.
If you cannot get to OCI 7.3.13 (perhaps upgrading OCI is a major project in your enterprise), you can still remediate OCI. See:
OnCommand Insight - CVE-2021-44228 Apache Log4j Vulnerability - Workaround - NetApp Knowledge Base
Note: the log4j remediation action plan does not remove the log4j-core*.jar or log4j-api*.jar files. The workaround edits the log4j jars the application needs and removes the vulnerable class from them (JndiLookup.class, the same class Apache's own mitigation guidance removes). Security scanners that only check file names or version strings will therefore still flag these files; to confirm the workaround you need a check that looks inside the jar for the class.
Cloud Insights (CI)
The Cloud Insights Acquisition Unit (CI AU) was automatically upgraded to Log4j 2.16 on 2021-12-16. To verify, see:
- Windows:
  - https://kb.netapp.com/Advice_and_Troubleshooting/Cloud_Services/Cloud_Insights/How_to_verify_the_Apache_Log4j_version_for_Cloud_Insights_Acquisition_Unit_%28CI_AU%29_for_Windows%3F
  - The versions of the log4j jars in (install_path)\Cloud Insights\Acquisition Unit\acq\lib should be 2.16.0 or higher.
- Linux:
  - https://kb.netapp.com/Advice_and_Troubleshooting/Cloud_Services/Cloud_Insights/How_to_verify_the_Apache_Log4j_version_for_Cloud_Insights_Acquisition_Unit_%28CI_AU%29_for_Linux%3F
  - Running:
    find /opt/netapp/cloudinsights/acq/lib | grep log4j-core | uniq
    find /opt/netapp/cloudinsights/acq/lib | grep log4j-api | uniq
    should reveal version 2.16.0 or higher. If not, restart the acquisition service:
    # systemctl restart acquisition
  - NOTE: Some older CI AU build directories may still show the older log4j-core-2.14.1.jar files; these can be removed manually.
Note that 2.16.0 is the threshold for CVE-2021-44228 and CVE-2021-45046; the later CVE-2021-45105 (a denial of service in lookup evaluation) was fixed in Log4j 2.17.0, so check NetApp's current advisories for the version you should actually be targeting.
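The two checks above (the version-of-jar check for the CI AU lib directory, and the OCI note that a workaround leaves old version numbers in place) can be combined into one scan. The following is an added example, not NetApp's code or the KB's: it walks a lib directory the way the find commands do, parses the log4j-core/log4j-api version from each jar name, and, for a core jar below the threshold, opens the jar to see whether JndiLookup.class is still present. The directory layout and the stand-in jars it builds are constructed for the demo; the JndiLookup class path is the real one, the class-file bytes are not.

```python
"""Scan a lib directory for Log4j jars and report fixed / workaround / vulnerable.

Added example. Paths and sample jars below are constructed for the demo and do
not come from a real Cloud Insights or OnCommand Insight install.
"""
import os
import re
import tempfile
import zipfile

# Real class path inside log4j-core that the manual workaround deletes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.14.1.jar / log4j-api-2.16.0.jar style names.
JAR_RE = re.compile(r"^log4j-(core|api)-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_version(filename):
    """Return ('core'|'api', (major, minor, patch)) or None for other jars."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class (jars are zip files)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def classify(jar_path, min_version=(2, 16, 0)):
    """Classify one jar by name, then by contents for an old core jar.

    'fixed'      : version >= min_version (the page's 2.16.0 threshold)
    'outdated'   : old log4j-api jar (the JNDI code lives in core, not api)
    'workaround' : old log4j-core jar with JndiLookup.class removed; a
                   version-only scanner will still flag this file
    'vulnerable' : old log4j-core jar with JndiLookup.class still present
    """
    info = jar_version(os.path.basename(jar_path))
    if info is None:
        return None
    artifact, version = info
    if version >= min_version:
        return "fixed"
    if artifact == "api":
        return "outdated"
    return "vulnerable" if has_jndi_lookup(jar_path) else "workaround"


def scan_lib(lib_dir, min_version=(2, 16, 0)):
    """Walk lib_dir recursively (like the find command) and classify every log4j jar."""
    results = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            verdict = classify(path, min_version)
            if verdict is not None:
                # Forward slashes so keys look the same on Windows and Linux.
                results[os.path.relpath(path, lib_dir).replace(os.sep, "/")] = verdict
    return results


def make_sample_jar(path, with_jndi):
    """Constructed stand-in jar: a zip with a manifest and, optionally, the JNDI class."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build a constructed lib tree covering the states the page describes and scan it."""
    lib = tempfile.mkdtemp(prefix="acq-lib-")
    # Current AU build: 2.16.0 jars (fixed releases still ship the class; version decides).
    make_sample_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), with_jndi=True)
    make_sample_jar(os.path.join(lib, "log4j-api-2.16.0.jar"), with_jndi=False)
    # Older build directory left behind, as the page's NOTE warns.
    old = os.path.join(lib, "old-build")
    os.mkdir(old)
    make_sample_jar(os.path.join(old, "log4j-core-2.14.1.jar"), with_jndi=True)
    # Old version with the manual workaround applied (class removed, name unchanged).
    patched = os.path.join(lib, "patched-build")
    os.mkdir(patched)
    make_sample_jar(os.path.join(patched, "log4j-core-2.14.1.jar"), with_jndi=False)
    # Unrelated jar that the scan must ignore.
    make_sample_jar(os.path.join(lib, "commons-io-2.11.0.jar"), with_jndi=False)
    return scan_lib(lib)


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{verdict:11s} {jar}")
```

Point `scan_lib()` at the real acq/lib directory on the AU (or OCI's lib directory) instead of running `demo()`. Any `vulnerable` entry is an old core jar that still has the class; a `workaround` entry is what a version-only scanner will keep reporting after the OCI remediation plan, and is the case to annotate rather than re-remediate.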