Data Protection Advisor: Manual remediation for Log4j vulnerabilities-Windows commands only (CVE-2021-44228 and CVE-2021-45046)

These instructions require only Windows native commands, access to the server (for example, Remote Desktop), and Windows Explorer.

These instructions can be applied to any type of Windows DPA installation including the DPA Application, DPA Datastore, and Standalone DPA Agent (installed alone on a server or on another type of application server).

See the linked Dell Security Advisory for more information about the Apache Log4j vulnerabilities:

• DSA-2021-309: Dell Technologies Data Protection Advisor (DPA) Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)

For questions or assistance with these instructions, contact Dell Technical Support.

Steps for manual remediation:

Note:

• Windows Administrator privileges and access is required.
• No external utilities are required for these steps.

 

1. Stop the DPA Agent service. Do this by using the Windows Services snap-in or from the command line using the Windows PowerShell.

From the Windows PowerShell window, if this is an Agent installation on the DPA Application or DPA Datastore, the command is:

dpa agent stop

From the Windows PowerShell window, if this is a Standalone DPA Agent installation the command is:

<dpa agent install path>\dpa stop

Example:   
C:\Program Files\EMC\DPA\agent\etc\dpa stop

2. Open a Windows Explorer window. Go to the <dpa_installation_path>\agent\lib directory.

   

3. For each of the six .jar files below, make a backup copy of the .jar file. Copy and rename with _bak extension or something similar (Example is demonstrated with one of the files).

   

4. Change the .jar file extension from .jar to .zip.

     

5. For each of the six .zip files, double-click the file to descend into the .zip and directory structure (Example that is demonstrated with one of the files).

 

6. Drill down the directory structure to the following location:

   

7. Delete the JndiLookup.class file.

   

8. Navigate back to the ...\agent\lib directory. Note: The file size has changed slightly.

   

9. Rename the file extension from .zip to .jar.

     

10. After this procedure is complete for all 6 .jar files, the workaround is complete.
11. Start the DPA Agent service. Do this by using the Windows Services snap-in or from the command line using the Windows PowerShell.

From the Windows PowerShell window, if this is an Agent installation on the DPA Application or DPA Datastore, the command is:

dpa agent start

From the Windows PowerShell window, if this is a Standalone DPA Agent installation, the command is:

<dpa agent install path>\dpa start

Example:   
C:\Program Files\EMC\DPA\agent\etc\dpa start

12. If wanted, rerun a data collection Request to ensure it continues to work without issue. In the below example, we have verified with the Data Domain Analysis Request.