Summary
While we determined that DPX does not use a Log4j version affected by the Log4Shell vulnerability, we have decided, out of an abundance of caution, to remove the log4j modules from the current versions of DPX to eliminate any possible defects attributed to the affected library.
Step-by-Step
1. Stop the DPX services on the Master server (cmagent, nibbler, autoupdate).
2. Download your respective version of BackupExpress.jar from
https://mysupport.catalogicsoftware.com/product.php/DPX471/BackupExpress.jar
https://mysupport.catalogicsoftware.com/product.php/DPX461/BackupExpress.jar
Copy the downloaded file over the original BackupExpress.jar in
/opt/DPX/http/webapps/ROOT/ (Linux)
“C:\Program Files\DPX\http\webapps\ROOT” (Windows)
3. Save the original dpx.jnlp as dpx.jnlp.orig, then edit the dpx.jnlp file
/opt/DPX/http/webapps/ROOT/dpx.jnlp (Linux)
“C:\Program Files\DPX\http\webapps\ROOT\dpx.jnlp” (Windows)
and remove the line that references log4j (see below).
Note: Use Notepad on a Windows Master server or vi on Linux. Please call Catalogic Technical Support if you need help removing the reference lines.
4. Rename the files whose names start with “log4j” in
/opt/DPX/lib (Linux)
/opt/DPX/http/webapps/ROOT/ (Linux)
C:\Program Files\DPX\lib (Windows)
C:\Program Files\DPX\http\webapps\ROOT (Windows)
5. Reboot the Master server; this restarts all the services that were shut down earlier.
6. Log in to the client from which you usually run DPX (or locally on a Windows Master server) and do the following:
- Locate and rename dpx.jnlp on this server
- Clear the browser and Java cache
- Run the DPX UI as you usually do by entering the following URL in your browser:
edited jnlp file from master server and start the DPX UI without referencing the flawed library.
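Steps 3 and 4 for a Linux Master server, scripted as an added example (it is not Catalogic's own code). It assumes that every line of dpx.jnlp mentioning log4j is a reference line to remove; the function names and the `disabled-` prefix and `.bak` suffix given to renamed files are this example's own choices.

```shell
#!/bin/sh
# Added example (not Catalogic's script): steps 3 and 4 on a Linux Master server.
# Assumptions: every dpx.jnlp line mentioning log4j is a reference line to drop,
# and the "disabled-" prefix / ".bak" suffix are this example's own naming.
# Stop the DPX services (step 1) before running it.

# Step 3: keep the original as dpx.jnlp.orig, then remove the log4j lines.
strip_log4j_refs() {
    local jnlp="$1/http/webapps/ROOT/dpx.jnlp"
    [ -f "$jnlp" ] || { echo "missing: $jnlp" >&2; return 1; }
    # Never overwrite an existing backup, so a re-run keeps the true original.
    [ -e "$jnlp.orig" ] || cp -p "$jnlp" "$jnlp.orig" || return 1
    # Write into the existing file so its owner and mode stay unchanged.
    sed '/[Ll][Oo][Gg]4[Jj]/d' "$jnlp.orig" > "$jnlp"
}

# Step 4: rename log4j* in both directories; prints how many files were renamed.
rename_log4j_files() {
    local dir f count=0
    for dir in "$1/lib" "$1/http/webapps/ROOT"; do
        for f in "$dir"/log4j*; do
            [ -f "$f" ] || continue    # glob matched nothing, or not a regular file
            # New name neither starts with log4j nor ends in .jar.
            mv -- "$f" "$dir/disabled-${f##*/}.bak" && count=$((count + 1))
        done
    done
    echo "$count"
}

# Check: no log4j* file names remain and dpx.jnlp no longer mentions log4j.
verify_log4j_removed() {
    local f
    for f in "$1/lib"/log4j* "$1/http/webapps/ROOT"/log4j*; do
        if [ -e "$f" ]; then echo "still present: $f" >&2; return 1; fi
    done
    if grep -qi 'log4j' "$1/http/webapps/ROOT/dpx.jnlp"; then
        echo "dpx.jnlp still references log4j" >&2; return 1
    fi
}

# Usage: sh thisfile /opt/DPX
if [ $# -ge 1 ]; then
    strip_log4j_refs "$1" && rename_log4j_files "$1" && verify_log4j_removed "$1"
fi
```

Running it a second time is harmless: the existing dpx.jnlp.orig is kept and no further files are renamed.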
Removing log4j* from DPX clients
- You can also locate and rename or remove the files starting with log4j on DPX clients (the default location is as follows):
C:\Program Files\DPX\lib (Windows)
- Restart the Catalogic services on the client