CA Release Automation - Release Operations Center (Nolio)
Issue/Introduction
During an agent upgrade from 6.7 to 6.8, are backups of files made and stored on the agent server?
If so, is the LOG4J file one of those files that are backed up?
Our vulnerability scans will find OLD files and label them as vulnerabilities.
Environment
Release : 6.8
Resolution
Some files do get backed up, yes. Minimal log4j files are backed up and/or left over after the upgrade. Here are some recommendations:
Use the older upgrade procedure.
When you select one or more agents to upgrade (via the Nolio UI), you are prompted whether to use the new method (selected by default). We recommend selecting the old method.
The new agent upgrade procedure will result in a backup of the whole agent folder (including the unwanted log4j files).
This upgrade procedure creates a backup of the lib folder but this backup is removed or restored in the end (depending on the upgrade procedure result).
Run any process on the upgraded agents in order to synchronize the actionsLib folder.
Until you run a test/real action or process on an agent, there may be older log4j.jar files left in the actionslib folder.
Running a test (or real) action or process will sync the actionslib folder on the Agent with the actionslib folder on the NES/NAC.
Old log4j jar(s) will remain in .install4j. These are not backup files.
Jars in the .install4j folder do not actively run. They are only active/run when an install/uninstall is performed.
We do not update anything in .install4j. We do not certify removing this folder, and removing it may cause problems if an uninstall needs to be performed. However, removing the folder should not impact runtime behavior.
If you do not care for any of the caveats/warnings above, the alternative would be to uninstall the agent and then install it using the agent installer binary. There is a silent installer that you can use to install/uninstall the agent. If additional information on this topic would be helpful, please review the product documentation and/or open an issue with technical support.
Additional Information
There is no problem with an uninstall after removing the log4j-1.2.16.jar from the .install4j/user/ folder of a 6.8 agent.
There is no problem with removing patchBackup/lib/log4j-1.2.14.jar from an agent or server that is successfully running version 6.8 after an upgrade.
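To triage scanner findings against the locations described above, the following added example (not part of the product or of this article's original text) lists log4j jars under an agent folder and tags each by where it sits. The agent root path is supplied by the caller, the category names are hypothetical labels, and matching both "actionsLib" and "actionslib" is an assumption based on the two spellings used here.

```shell
#!/bin/sh
# Added example: inventory log4j jars under an agent install directory and
# classify them by the folder names this article mentions.

# classify_log4j_jar REL_PATH -> prints one (hypothetical) category label
classify_log4j_jar() {
    case "$1" in
        # Installer jars: only run during install/uninstall, never updated.
        .install4j/*)        echo "installer-only" ;;
        # Leftover upgrade backup, e.g. patchBackup/lib/log4j-1.2.14.jar.
        patchBackup/*)       echo "upgrade-backup" ;;
        # Re-synced from the NES/NAC the next time an action/process runs.
        [Aa]ctions[Ll]ib/*)  echo "actionslib-sync" ;;
        # Anything else is not covered by the article: review manually.
        *)                   echo "review" ;;
    esac
}

# inventory_log4j AGENT_ROOT -> prints "category<TAB>relative/path" per jar
inventory_log4j() {
    root=${1%/}
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    find "$root" -type f -name 'log4j*.jar' | sort | while IFS= read -r jar; do
        rel=${jar#"$root"/}
        printf '%s\t%s\n' "$(classify_log4j_jar "$rel")" "$rel"
    done
}

# Run only when an agent root is given on the command line.
if [ "$#" -gt 0 ]; then
    inventory_log4j "$1"
fi
```

Entries tagged "review" (for example under the live lib folder) are the ones to compare against the scanner report first, since the other categories are explained by the notes above.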