メイン コンテンツに進む
  • すばやく簡単にご注文が可能
  • 注文内容の表示、配送状況をトラック
  • 会員限定の特典や割引のご利用
  • 製品リストの作成とアクセスが可能

Additional Information for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) (CVE-2021-45046)

概要: This document provides frequently asked questions in support of DSN-2021-007.

この記事は次に適用されます: この記事は次には適用されません: この記事は、特定の製品に関連付けられていません。 すべての製品パージョンがこの記事に記載されているわけではありません。

セキュリティ文書の種類

Security KB

問題の概要

Dell Technologies released the security notice “DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability” in response to the critical vulnerabilities CVE-2021-44228 and CVE-2021-45046 in the open source Apache Log4j library. The initial vulnerability (CVE-2021-44228) affects Log4j 2.x versions 2.14.0 and earlier. The second vulnerability (CVE-2021-45046) affects Log4j 2.x versions 2.15.0 and earlier, excluding 2.12.2. Note that Log4j 1.x is not affected by either of these vulnerabilities.

These are critical vulnerabilities that need your immediate attention, as the Apache Log4j component is widely used across many vendors and software packages.

We are working hard to keep you continuously updated as the situation develops.

For a full list of Dell products, their impact and remediations, see the Apache Log4j Knowledge Base Article.

We will communicate mitigations and security updates as they become available via Dell Security Advisories posted on the Security Advisories and Notices page. We will keep a running list of relevant Dell Security Advisories in the full list of impacted Dell products: Apache Log4j Knowledge Base Article. You can subscribe to our Security Alerts to be notified when new Security Advisories are posted by following the guidance here, or by following the directions in the Security Alerts section on the Security Advisories and Notices page.

Continue to monitor the Dell Security Notice (DSN-2021-007) and Apache Log4j Knowledge Base Article for Log4j updates.

We will continue to update this page periodically with the latest information.

詳細

See the following Dell Security Notice DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability

推奨事項

Frequently Asked Questions:   


What vulnerabilities currently impact Apache Log4j? 

Dell is tracking multiple vulnerabilities in the Apache Log4j libraries:
  

CVE ID  CVSS Score  Affected Apache Log4j Versions   Impact  Remediated Apache Log4j version  Summary 
CVE-2021-44228  Critical (10.0)  All versions from 2.0 to 2.14.1  Remote Code Execution (RCE)  Upgrade to 2.15 or later An easily exploitable remote code execution issue across all configurations. Known to be actively exploited. 
CVE-2021-45046  Critical (9.0)  All versions from 2.0 to 2.15, excluding 2.12.2+  Remote (and Local) Code Execution (RCE), Information Leakage  Upgrade to 2.16 or later Challenging to exploit, remote code execution issue only present on non-default configurations. At this time, we are not aware of any evidence of exploitation. 
CVE-2021-45105  High (7.5)  All versions from 2.0 to 2.16  Denial of Service (DOS)  Upgrade to 2.17 or later Challenging to exploit. Can crash the java process on non-default configurations. At this time, we are not aware of any evidence of exploitation. 
CVE-2021-44832 Medium (6.6) All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 Remote Code Execution (RCE) Upgrade to 2.17.1 or later Challenging to exploit. Requires use of JDBC Appender and attacker control of Log4j configuration.
At this time, we are not aware of any evidence of exploitation.

 

What is Dell’s focus right now regarding Log4j? 

At this time, we’re focused on issuing workarounds and security updates that best protect our customers against the active exploitation of CVE-2021-44228. The majority of our affected products are moving or have moved to Log4j 2.16 which protects against both CVE-2021-44228 and CVE-2021-45046. There is a smaller subset that moved to Log4j 2.15, which we are quickly working to move to Log4j 2.16. 

  

Why has Dell accelerated the remedy timeline for CVE-2021-45046? 

CVE-2021-45046 started as a low-severity issue but was escalated to critical severity on Dec. 16 with the discovery of bypasses to protections in Log4j 2.15. Dell security experts believe that researchers and attackers could continue to push the boundaries of this issue and uncover new attack vectors. For that reason, we believe it is in our customers’ best interest to move to Log4j 2.16 as it disables the vulnerable functionality by default. 

 

Why is Dell not accelerating timelines for CVE-2021-45105 or CVE-2021-44832? 

At this time, we are not aware of attackers exploiting CVE-2021-45105 or CVE-2021-44832. Log4j 2.16 has also added a number of defense-in-depth protections against potential remote code execution issues that could impact customers. Given these two key facts, there is not yet sufficient evidence compelling us to move to a tighter timeline for distributing Log4j 2.17 or Log4j 2.17.1. Our primary and continued focus is to protect against CVE-2021-44228 and subsequently CVE-2021-45046. 

We will continue to monitor the impact of CVE-2021-45105, CVE-2021-44832 and any other issues discovered and may accelerate remedy timelines if circumstances change. 
 
Full details of these vulnerabilities are available at: Apache Log4j Vulnerabilities.



Are these vulnerabilities being exploited?

Attackers are actively probing for Apache Log4j vulnerabilities no matter the vendor or manufacturer. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.

 

How do I know what Dell products are impacted?

The status of products which are impacted, not impacted, or under review is listed in KB article 194414. We will continuously update this document with the latest information. Our Product and Security teams are working around the clock to investigate and find solutions for impacted products as quickly as possible.

 

My Dell product is impacted. What can I do to protect myself?

If you determine that you use an impacted Dell Technologies product after visiting KB article 194414, install the applicable security patch or follow the recommended workaround, as the document outlines, or check back later if the workarounds or patches are still pending.

We encourage you to follow security best practices, including those recommended by Apache. You may have other security controls in your environment that can help protect you until you are able to patch. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.

 

Should I use the workaround or the patch if my Dell product is impacted?

Given the criticality of these issues, we highly recommend you apply the first available option to best protect against these vulnerabilities. If you apply a workaround, remember to apply the official patch once available. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.

 

Can I just firewall the affected products instead of patching or using the workaround?

All organizations have different environments and needs. Whether a workaround or patch is appropriate for this situation is best assessed by you and your information security staff.

 

How do I know if my product is supported?

Per the Dell Vulnerability Response Policy, Dell strives to remediate actively supported products, versions, or platforms. To see if your product is currently supported, access the following article: All Dell EMC End-of-Life Documents

 

What Should I do if I have questions?

Contact Dell Customer Support if you have questions after reviewing the impacted products document: Apache Log4j Knowledge Base Article.

対象製品

Product Security Information
文書のプロパティ
文書番号: 000194416
文書の種類: Security KB
最終更新: 30 12月 2021
バージョン:  16
質問に対する他のDellユーザーからの回答を見つける
サポート サービス
お使いのデバイスがサポート サービスの対象かどうかを確認してください。