
1 Rookie

 • 

12 Posts

12599

December 20th, 2021 01:00

Dell Storage Manager Client / log4j update

Any info when there will be a new Dell Storage Manager Client released?
Our antivirus software doesn't like the current version with the vulnerable log4j library.

Moderator

 • 

631 Posts

December 20th, 2021 06:00

Hello Stephan The Valley,

 

Dell is aware of the Apache Log4j Remote Code Execution vulnerability (CVE-2021-44228). Protecting our customers is our top priority, and we are assessing the impact to the security of our products.

 

For the most up to date details on the vulnerability response from Dell, please visit this landing page KB article: https://www.dell.com/support/kbdoc/en-us/000194372/dsn-2021-007-dell-response-to-apache-log4j-remote-code-execution-vulnerability. From this main page you can access links to the latest mitigations and security updates, as well as lists showing what product lines are/are not impacted, and the recommended security best practices.

 

For a full list of Dell products, their impact and remediations, please review the Apache Log4j Knowledge Base Article (https://www.dell.com/support/kbdoc/000194414). We will continuously update this document with the latest information.

 

December 22nd, 2021 01:00

Any news ? 

Because there is no remediation / mitigation / patch is pending ...

But the vulnerability is still here...

Moderator

 • 

278 Posts

December 22nd, 2021 05:00

Hello clementBer,

 

All mitigations and security updates are posted at https://dell.to/3H2R3in. You can also subscribe to the Security Alerts and receive the latest updates.

 

Please ask me if you have any questions.

Maria Januszka

Social Media and Communities Professional

Dell Technologies| Enterprise Support Services

#Iwork4Dell

 

Did I answer your query? Please click on ‘Accept as Solution’

‘Kudo’ the posts you like!

December 22nd, 2021 06:00

Hi Maria Januszka,

As I said, there is no remediation / mitigation / patch is pending for Dell Storage Manager:

[Screenshot: clementBer_0-1640184272737.png]

Can you provide any useful information? Because we are vulnerable thanks to the Storage Manager, which serves to replication between our Compellent storage.

Moderator

 • 

631 Posts

December 22nd, 2021 07:00

Hello clementBer,

 

I see current status: Patch pending for Storage Center - Dell Storage Manager.

I can recommend monitoring this page (https://www.dell.com/support/kbdoc/000194414) and signing up for updates here (https://www.dell.com/support/security/en-us).

 

We are actively addressing this issue. Dell is aware of the Apache Log4j Remote Code Execution vulnerability CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). Protecting our customers is our top priority, and we are assessing the impact to the security of our products.

 

We will post any mitigations and security updates at  https://www.dell.com/support/security, where you can also subscribe to the Security Alerts. A list of Dell products that are impacted, not impacted, or under review can be found at the following knowledge base link:  Apache Log4j Knowledge Base Article (https://www.dell.com/support/kbdoc/000194414)

1 Rookie

 • 

1 Message

December 22nd, 2021 13:00

Hi Moderator. Is Dell using a different name for the Dell EMC Storage Client on the page you referenced? I have searched through https://www.dell.com/support/kbdoc/000194414 and I can't find any mention of the product being asked about.

4 Operator

 • 

1.9K Posts

December 22nd, 2021 13:00

@clementBer 

Oh... my understanding was that DSM refers to the DSM Client, because our file scan was showing a log4j-2.x a week ago. It's a client app, and we temporarily removed it from our admin consoles and left only one in a secured backend.
Because you speak about "replication", and that's what the DataCollector is needed for. The DC Appliance can't easily be scanned because of a challenge-response code needed to get root access. For sure you can mount the vDisk in another Linux VM.

Can Dell please say which product is affected? I expect both, because Compellent has used Java for ages. To make it more confusing, Data Collector is also available as a Windows app.

Regards,
Joerg
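The file scan mentioned in the post above can be reproduced against a client install directory or an appliance disk mounted read-only in another VM. This is an added example, not part of the original thread and not a Dell tool: the function names and the sample layout are hypothetical, and the two archive entry names are the standard layout of a log4j-core 2.x jar. It goes slightly beyond the post by also looking inside nested archives.

```python
import io, os, re, zipfile

# Well-known entries inside a log4j-core 2.x jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect_archive(src, label, findings, depth=0):
    """Record log4j-core evidence in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(src)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not really a zip: skip it
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else None
        if POM_PROPS in names or JNDI_CLASS in names:
            findings.append({"path": label, "version": version, "jndi_lookup": JNDI_CLASS in names})
        for name in sorted(names):
            if depth < 3 and name.lower().endswith(ARCHIVES):
                inspect_archive(io.BytesIO(zf.read(name)), label + "!" + name, findings, depth + 1)

def scan_tree(root):
    """Walk an installation directory or a read-only mounted disk image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, fn)
                inspect_archive(full, full, findings)
    return findings

def make_jar(entries):
    """Build a zip archive in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample layout for a dry run (not the real DSM file tree)."""
    core = make_jar({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b"placeholder"})
    with open(os.path.join(root, "client-app.jar"), "wb") as f:
        f.write(make_jar({"lib/log4j-core-2.14.1.jar": core, "Main.class": b""}))
    with open(os.path.join(root, "unrelated.jar"), "wb") as f:
        f.write(make_jar({"Other.class": b""}))
```

Call `scan_tree()` with the install path or mount point; each finding gives the archive path (nested entries joined with `!`), the version from `pom.properties` when present, and whether `JndiLookup.class` is still in the jar.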

4 Operator

 • 

1.9K Posts

December 22nd, 2021 14:00

For sure they are completely different things. But since the Enterprise Manager was renamed to Dell Storage Manager, the package contains different things like DataCollector or Client. DataCollector and SCOS also offer a WebGUI named Unisphere, so uninstalling the DSM Client isn't a big deal and you will survive the next weeks until a new version comes around.
Because of ongoing flaws in log4j 2.0.15, 16 they released 17 a couple of days ago. All vendors which patched their products already have to do it again.

Moderator

 • 

631 Posts

December 22nd, 2021 14:00

This page seems to indicate they are the same thing:

https://dell.to/3pk0xj6

 

I'll have to put in a request to the Storage group to verify.

 

Moderator

 • 

3.6K Posts

December 29th, 2021 06:00

I spoke with a storage engineer and was advised, Dell Storage Manager contains 2 different things. The Data Collector and the Client (DSM/Unisphere). They will both be updated together.  Based on the link it looks like it will be in January:  Patch expected 1/10/22

https://www.dell.com/support/kbdoc/000194414

2 Posts

January 12th, 2022 10:00

Have you received any updates on this?

4 Operator

 • 

1.9K Posts

January 12th, 2022 11:00

It's rescheduled every day for 2 more days.

The mitigation shows clearly that Datacollector (Windows and the Appliance) is the problem together with the Client.

4 Operator

 • 

1.9K Posts

January 14th, 2022 06:00

Ok... downloads are now available.

Upgrading my existing VA 19.1.20 to 20.1.2.14 failed. The WebGUI never comes back, and also after a restart it's not accessible anymore. Reverted the snapshot and DSM is working again... trying a 2nd time also fails.

4 Operator

 • 

1.9K Posts

January 14th, 2022 07:00

Upgraded my 19.1.20.30 with DSM-VA-20.1.1.716 first and then jumped successfully to 20.1.2.14.

Regards,
Joerg

4 Posts

January 17th, 2022 12:00

Same problem here. I've waited about 1/2 hour for the UI to come up. I guess it's not. Will try your multiple step suggestion.
