Article Number: 000194614
DSA-2021-290: Dell EMC vRealize Data Protection Extension for vRealize Automation 8.x Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105)
Summary: Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 8.x short-term mitigation is available for the Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affected system. Dell recommends implementing this short-term mitigation as soon as possible in light of the critical severity of the vulnerability. ...
Article Content
Impact
Critical
Details
| Third-party Component | CVE | More information |
| Apache Log4j | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | Apache Log4j Remote Code Execution  |
| Third-party Component | CVE | More information |
| Apache Log4j | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | Apache Log4j Remote Code Execution |
Affected Products and Remediation
| Product | Affected Versions | Updated Versions | Link to Update |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.6 | 19.6.1 | https://dl.dell.com/downloads/DL107367_vRealize-Data-Protection-Extension-19.6.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam") See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.7 | 19.7.1 | https://dl.dell.com/downloads/DL107369_vRealize-Data-Protection-Extension-19.7.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam") See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.8 | 19.8.1 | https://dl.dell.com/downloads/DL107368_vRealize-Data-Protection-Extension-19.8.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam”) See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.9 | 19.9.1.1 | https://dl.dell.com/downloads/DL107263_vRealize-Data-Protection-Extension-19.9.1.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam") See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| VMware vRealize Automation 8.x | 8.2, 8.3, 8.4, 8.5, and 8.6 | Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120 |
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers. |
| VMware vRealize Orchestrator 8.x | 8.2, 8.3, 8.4, 8.5, and 8.6 | Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120 |
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers. |
| Product | Affected Versions | Updated Versions | Link to Update |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.6 | 19.6.1 | https://dl.dell.com/downloads/DL107367_vRealize-Data-Protection-Extension-19.6.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam") See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.7 | 19.7.1 | https://dl.dell.com/downloads/DL107369_vRealize-Data-Protection-Extension-19.7.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam") See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.8 | 19.8.1 | https://dl.dell.com/downloads/DL107368_vRealize-Data-Protection-Extension-19.8.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam”) See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.9 | 19.9.1.1 | https://dl.dell.com/downloads/DL107263_vRealize-Data-Protection-Extension-19.9.1.1-for-vRA8.x.vmoapp vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam") See the install guide of plugin for instructions on how to perform install or upgrade to this build https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
| VMware vRealize Automation 8.x | 8.2, 8.3, 8.4, 8.5, and 8.6 | Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120 |
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers. |
| VMware vRealize Orchestrator 8.x | 8.2, 8.3, 8.4, 8.5, and 8.6 | Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120 |
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers. |
Workarounds and Mitigations
For all vRealize Data Protection Extension for vRealize Automation (vRA) 8.x versions before and including 19.9, follow the steps below for Mitigation for vRealize Data Protection Extension for vRealize Automation(vRA) 8.x.
For all affected vRealize Data Protection Extension for vRealize Automation (vRA) 8.x, follow the steps below:
Install or upgrade to the newly released updated versions as listed in the above table containing the remediation for Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").
See the install guide of DPE plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
Post installation or upgrade to updated Dell EMC DPE, also mandatorily apply the VMware recommended workarounds or remediations recommended by VMware in this article, as required https://kb.vmware.com/s/article/87120
If help is required with a customer-supplied vRealize Automation or vRealize Orchestrator or VMware products outside Dell EMC vRealize Data Protection Extension, reach out to VMware for assistance. For Dell EMC vRealize Data Protection Extension, reach out to Dell Support for assistance.
Note:
Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 7.x is not impacted by the CVE-2021-44228, since there is no Log4j package bundled with the DPE for VRA7.x plugins. None of the Dell EMC VRA DPE for VRA7.x plugin versions are impacted by this Log4j vulnerability as Dell EMC does not ship any Log4j with the DPE for VRA7.x plugins.
Apply the appropriate remediation version as mentioned in the above table only if using Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 8.x.
Post installation or upgrade to updated versions of Dell EMC DPE, mandatorily apply the VMware recommended remediation available in the VMware KB article required https://kb.vmware.com/s/article/87120
Revision History
| Revision | Date | Description |
| 1.0 | 2021-12-15 | Short-term mitigation. |
| 1.1 | 2021-12-16 | Explicitly called out in summary that Dell EMC vRealize Data Protection Extension for vRA 7.x is not impacted by CVE-2021-44228 |
| 1.2 | 2021-12-17 | Included the VMware products as well in the impacted section |
| 1.3 | 2021-12-18 | Included the link for the partial remediation from Dell EMC support site |
| 1.4 | 2022-01-03 | Updated link for all the remediated versions of Dell EMC DPE plugin and updated with information about the remediation available from VMware KB perspective |
Related Information
Legal Information
Article Properties
Affected Product
vRealize Data Protection Extension for Avamar
Product
Product Security Information, vRealize Data Protection Extension for NetWorker
Last Published Date
26 Oct 2023
Article Type
Dell Security Advisory