Tag: log4j

Categories
Knowledge Support Support Categories exacqVision Hardware

Removing MegaRAID Storage Manager(MSM)

Description

MegaRAID Storage Manager (MSM) has been found to have some exposure to CVE-2021-44228, the Apache Log4j remote code execution vulnerability, see statement from Broadcom Log4j2 Exposure (CVE-2021-44228).   It is possible that MSM was installed on your exacqVision NVR even though a RAID controller card is not present. If that is the case MSM can be uninstalled using the following instructions.

NOTE: If the NVR has a RAID controller card please see one of our Replacing MegaRAID Storage Manager (MSM) Knowledge Base Articles for other options.

Products

  • Windows 10 (x64)
  • Windows Server 2016 (x64)
  • Windows Server 2019 (x64
  • Ubuntu 16.04 LTS and Earlier
  • Ubuntu 18.04 LTS
  • Ubunutu 20.04 LTS

Uninstalling MSM on Windows

  • Press the Windows key on keyboard to open the Start menu
  • Locate and select MegaRAID Storage Manager
  • Expand and select Uninstall
  • Confirm that you want to remove MegaRAID Storage Manager
  • Right click on MegaRAID Manager icon on desktop and click “Delete”

Uninstalling MSM on Linux

  • Double-click the Terminal icon on the desktop
  • Elevate to root using sudo -i 
  • Remove the MSM package using dpkg -r 
  • Ensure that the dpkg command completes with no errors.
  • Close the Terminal window
Example of removing MSM on Linux

Categories
Knowledge Support Support Categories exacqVision Hardware Uncategorized

Replacing MegaRAID Storage Manager (MSM) With LSI Storage Authority (LSA) – Linux

Title

Replacing MegaRAID Storage Manager (MSM) With LSI Storage Authority (LSA) – Linux

Description

MSM has been found to have some exposure to CVE-2021-44228, the Apache Log4j remote code execution vulnerability, see statement from Broadcom Log4j2 Exposure (CVE-2021-44228).   As a result you may be able to replace MSM with LSA on a Windows machine using the following instructions.

Product

  • MegaRAID 92xx Series RAID Controllers
  • MegaRAID 93xx Series RAID Controllers
  • Ubuntu 16.04 LTS and Earlier
  • Ubuntu 18.04 LTS
  • Ubunutu 20.04 LTS

Prerequisites 

First determine which version of Ubuntu the NVR is currently running using Knowledge Base Article #9996 “How to Identify the Current Linux OS Version”

Next identify the RAID controller model using Knowledge Base Article #7244 “How to Identify the MegaRAID Controller Model on an exacqVision Server”

Ubuntu 16.04 LTS or earlier Operating Systems

Broadcom has not provided an LSA version for 16.04 LTS or older versions of Ubuntu.

  • If possible, Re-image using Ubuntu 18.04 or 20.04 LTS
  • See exacqVision Field Recovery Instructions to see if your system meets the criteria for an update. 
  • If re-image is not possible then use the first option listed in the 92xx series RAID Controllers section below. 

92xx series RAID Controllers

Machines with 92xx series RAID controllers have the following options.

  • Uninstall MSM
    • Manage the array using the BIOS available on boot
    • Manage the array using storcli
  • Update MSM
    • Software, instructions, and support for your particular controller card are provided by the card Manufacturer, Broadcom
    • Information is available at https://www.broadcom.com/support/download-search (Legacy Products > Legacy RAID Controllers)

93xx series RAID Controllers

For Machines with 93xx series RAID controllers MSM can be  replaced with LSA using the following instructions.

Objectives

  • Uninstall MSM
  • Install LSA
  • Update Desktop Icon
  • Configure/ Restart LSA
  • Verify LSA can be accessed and login is working
  • Verify Storage information in exacqVision client is correct and video is being recorded

Uninstalling MSM

  • Double-click the Terminal icon on the desktop
  • Elevate to root using sudo -i 
  • Remove the MSM package using dpkg -r 
  • Ensure that the dpkg command completes with no errors.
  • Close the Terminal window
Example removing MSM


Install LSI Storage Authority (LSA)

  • Download and save LSA from https://docs.broadcom.com/docs/007.020.014.000_LSA_Linux-x64.zip
  • The LSI website will require reading a download agreement, (scrolling down to the bottom of the agreement), clicking an acknowledgement checkbox, then clicking the “I Agree” button
  • Once downloaded,  close Firefox
  • On the desktop double-click the Computer icon.
  • Select Downloads, locate and right-click on the LSA zip file and select extract here
  • Right-click the newly created x64 folder and select Open as Administrator
  • A caution window may appear, click OK to continue
  • Enter the Administrator Password and click Authenticate
  • Click File menu and Select Open in Terminal
  • In the terminal window type ./install_deb.sh and press Enter
  • The License agreement (EULA) will be displayed
  • Type Y to accept the License Agreement then press Enter
  • Type 1 to choose “Since last shutdown” and press Enter
  • Type to choose “Standalone” and press Enter
  • Type 2463 for Web Server port and press Enter
  • Type 9000 for LSA Port and press Enter
  • Type Y and press Enter to install openslp
  • When you see “LSA installation successful” the install is complete
  • Close the Terminal window

Edit the Desktop Icon 

  • Right-click on the MSM desktop icon and select properties 
  • Change these fields to the following:
    • Name: LSA
    • Command: /opt/lsi/LSIStorageAuthority/startupLSAUI.sh
    • Comment: LSI Storage Authority
  • Click Close

Modify LSA.conf 

  • Double-click the Computer icon on the desktop to open a new file explorer.
  • Select File System
  • Navigate to /opt/lsi/LSIStorageAuthority/conf
  • Click the File menu and select Open as Administrator
  • Enter the Administrator Password and click Authenticate
  • In the explorer windows labeled conf (as superuser)  double-click on LSA.conf to open it for editing
  • Line 189 should read “full_access_groups = root”
  • Append “, adm” to this line so it now reads “full_access_groups = root, adm”
  • Click Save and close the file

Restart LSA Service

  • Double-click the Terminal icon on the desktop
  • Type sudo service LsiSASH restart
  • Wait for the command to complete, it will take 20-30 seconds
  • Close the Terminal Window 
Example restarting LSA Service

Verify desktop icon

  • Double-click the LSA desktop icon to launch LSA in the browser
  • Log in to LSA using Administrator credentials.

Verify Storage

  • Open the exacqVision Client 
  • Navigate to the Hardware tab on the Storage page (Configuration > YOURSERVER > Storage > Hardware tab)
  • Select Tree and verify the RAID Controller, the Unit (Virtual Drive) and the Ports (Physical Drives) are present. 
  • If possible verify video is being recorded and can be played back by searching to using exacqReplay
Categories
Knowledge Support Support exacqVision Enterprise

Updating Apache and Apache Solr on exacqVision Enterprise Manager – Windows

To mitigate currently known vulnerabilities, the following updates are recommended. Apache to 2.4.51, Apache Solr to 7.5.0 and exacqVision Enterprise Manager (EM) to 21.12.1 or higher.

Note: Updates for both Apache and Apache Solr are available as part of the EM install package for version 21.09 and higher.  However, updating to EM versions 21.12 or higher is recommended as this will also address the Log4j vulnerability.

WARNING:  You must update EM manually i.e. download from our site and then launch the installer directly.  The optional updates will not be prompted for if any other update method is used. Once the updates are in place future updates can be launched from the dashboard.

ALERT:  If previous modifications have been made to the default configuration settings such as adding a certificate and key for SSL they will need to be reapplied. See Recover custom settings section below.

Determine the current version of Apache

  • Open and administrative Command Prompt
  • Navigate to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin
  • Run the command httpd.exe -v
  • Make note of the Server Version

Determine the current version of Apache Solr

Determine the current version of exacqVision Enterprise Manager

  • From the EM dashboard
  • Click the Information icon in the upper right-hand corner
  • Select About
  • Make note of the Version

Install exacqVision Enterprise Manager

  • Download the 64-bit Enterprise Manager installer for Windows from our site at  https://exacq.com/support/downloads.phpNote: 32-bit updates are not supported.
  • Launch the installer
  • During the install you will be prompted to update Apache Solr 7.5.0 and/or Apache 2.4.51 it is recommended that you check both.
  • A backup folder is created for folders being replaced by each update.
  • By default, the newly created backup folders will be located at:
    C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old
    C:\Program Files\exacqVision\EnterpriseManager\apache2.old
  • Using the instructions provided earlier verify the versions of Apache, Apache-Solr and Enterprise Manager have changed to confirm the updates.

Note:  Resource utilization may be high for a period of time after the update as reindexing is performed.

Recover custom settings (Optional)

As previously mentioned, the updates will overwrite any previous configuration changes. However, those settings were backed up as part of the update. By default, they are located at C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old

  • Copy the file httpd-ssl.conf
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\extra\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra
  • Copy httpd.conf
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Copy server.crt
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Copy server.key
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Restart the solrApache Service

RESTORE (SPECIAL CASE)

When restoring EM to a previous version that used Apache Solr 6.6.0 or earlier it is necessary to manually restore an Apache Solr backup containing the targeted version of Apache Solr for that install.  Note: If a backup does not exist a restore cannot be performed.  

  • To perform a restore first determine the version of the apache_solr backup which is appropriate.
  • Stop all exacqVision Enterprise Manager service including solrApache and solrJetty.
  • Copy the existing C:\Program Files\exacqVision\EnterpriseManager\apache_solr  folder to a safe location renaming it as appropriate
  • Replace with the apache_solr backup folder
  • Start all exacqVision Enterprise Manager service including solrApache and solrJetty.

Notes

The presence of Log4j files in C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache-solr\server\resources does not mean there is a vulnerability ensure the version of apache is either 2.4.51 or 7.5.0.

Related Trac Tickets