DSA-2021-277: Dell Avamar Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)
Summary: Dell Avamar vCloud Director Data Protection Extension remediation is available for the Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affected system. Dell Technologies recommends implementing this remediation as soon as possible considering the critical severity of the vulnerability. ...
Impact
Critical
Details
| Third-party Component | CVEs | More information |
| Apache Log4j | CVE-2021-44228, CVE-2021-45046 | Apache Log4j Remote Code Execution |
Affected Products and Remediation
| Product | Affected Versions | Updated Versions | Link to Update |
| vCloud Director Data Protection Extension | 18.2 | Upgrade to 19.4 or latest | https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers |
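| vCloud Director Data Protection Extension | 19.1 | Upgrade to 19.4 or latest | https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers |
| vCloud Director Data Protection Extension | 19.2 | Upgrade to 19.4 or latest | https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers |
| vCloud Director Data Protection Extension | 19.3 | Upgrade to 19.4 or latest | https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers |
| vCloud Director Data Protection Extension | 19.4 | 19.4.0.214_HF.5 | https://dl.dell.com/downloads/DL107262_vCloud-Director-Data-Protection-Extension-19.4-(Hotfix-333650).zip |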
NOTE:
- Earlier versions of vCloud Data Protection Extension are End of Standard Support (EOSS). Dell did not analyze the impact of Log4j on these versions.
- Avamar Server is not vulnerable to CVE-2021-44228 or CVE-2021-45046. These vulnerabilities are specific to the JNDI Lookup class, which exists only in the log4j-core jar file. Avamar Server does not install the log4j-core jar file. A 19.4 hotfix is available if customers would still like to update the version of log4j to 2.17.1. This update may prevent false positive notifications by security scanning tools.
- There is a separate DSA for vRealize Data Protection Extension that is located here.
| Product | Updated Versions | Link to Update |
| Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition | 19.4.0.116_HF333999 | https://dl.dell.com/downloads/DL107242_Avamar-19.4-MC-Cumulative-Hotfix-for-Avamar-Server-and-Avamar-Virtual-Edition-December-2021-(Hotfix-333999).zip |
| Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition | 19.4.0.124, 19.4.0.116 | Dell article 21684, Avamar: List of the most recent Avamar Management Console Service cumulative hotfixes, and how to download and install the hotfixes. (14 July 2023) |
Workarounds and Mitigations
vCloud Director Data Protection Extension
NOTE:
- This workaround or mitigation is applicable to affected versions of the vCloud Director Data Protection Extension before 19.4.
- For 19.4 vCloud Director Data Protection Extension, we recommend applying the 19.4.0.214_HF.5 hotfix as described in the Remediation section.
- If you implement the workaround or mitigation that is described in this section, and then upgrade or update the vCloud Director Data Protection Extension from one version to another or by applying a hotfix to the version which does not contain the listed vCloud DPE hotfix, then you must reimplement the workaround or mitigation.
Steps:
- Download the latest version of the logpresso tool from the following location: https://github.com/logpresso/CVE-2021-44228-Scanner
- Choose the latest logscanner tool for "Any OS."
- Copy the logpresso-log4j2-scan-XXX.jar to the /home/admin directory on the Virtual Provisioning Appliance (VPA) utility Node.
- Find the list of deployed components for vCloud Director Data Protection Extension (the components are vCloud Protector cell, vCloud Protector Backend Gateway, vCloud Protector Reporting, vCloud Protector File level Restore, vCloud Protector UI, PostgreSQL, and RabbitMQ). As user root, log in to the Virtual Provisioning Appliance (VPA) utility Node and check the host name list in the deploy_plan.conf file using the following command:
grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u
The output should be similar to the following:
vcloud-77-68:/home/admin # grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u
fqdn=vcloud-77-104.drm.lab.emc.com
fqdn=vcloud-77-58.drm.lab.emc.com
fqdn=vcloud-77-61.drm.lab.emc.com
fqdn=vcloud-77-69.drm.lab.emc.com
fqdn=vcloud-77-71.drm.lab.emc.com
fqdn=vcloud-77-87.drm.lab.emc.com
fqdn=vcloud-77-92.drm.lab.emc.com
- The steps relating to logpresso must be performed on the VPA utility node and each of the deployed component virtual machines that are listed in the previous step.
- Run logpresso against the affected locations.
NOTE: The following commands related to logpresso were applicable to version 1.6.2. Later versions may differ.
- As user root, run the tool against the vcp or directory by running the following command. Type "y" to the prompts accordingly:
cd /home/admin
java -jar logpresso-log4j2-scan-XXX.jar --trace /
- Copy or back up /opt/vcp/* before fixing vulnerable files.
cd /opt
cp -pr vcp vcp_bkp
- Stop the affected VPA component services (select the command that matches the component you are on).
- VCP Cell
systemctl stop vcpsrv
- VCP bg
systemctl stop vcpbg
- VCP rpt
systemctl stop vcprpt
- VCP flr
systemctl stop flrui
- VCP ui
systemctl stop vcpui
- RabbitMQ
service rabbitmq-server stop
- PostgreSQL
service postgresql stop
- Run logpresso with the fix flag against the affected locations:
- As user root, run the tool against the vcp or directory by running the following command. Type "y" to the prompts accordingly:
cd /home/admin
java -jar logpresso-log4j2-scan-XXX.jar --fix /
- Restart the component or service that was stopped in step 5.
- VCP Cell
systemctl restart vcpsrv
- VCP bg
systemctl restart vcpbg
- VCP rpt
systemctl restart vcprpt
- VCP flr
systemctl restart flrui
- VCP ui
systemctl restart vcpui
- RabbitMQ
service rabbitmq-server restart
- PostgreSQL
service postgresql restart
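A read-only cross-check for the result of the `--fix` run, added here as an example (it is not Dell's or logpresso's code): it walks a directory and lists every archive, including nested ones, that still contains the JNDI Lookup class this advisory names. The class path is the standard log4j-core location; the demo tree and the jar name `log4j-core-demo.jar` are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

# Standard path of the JNDI Lookup class inside log4j-core
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def archive_has_jndi(source, depth=3):
    """True if the archive (path or file object) holds JndiLookup.class,
    searching nested archives up to `depth` levels deep."""
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                if name.endswith(JNDI_CLASS):
                    return True
                nested = depth > 0 and name.lower().endswith(ARCHIVE_EXTS)
                if nested and archive_has_jndi(io.BytesIO(zf.read(name)), depth - 1):
                    return True
    except (zipfile.BadZipFile, OSError):
        pass  # corrupt or unreadable archive: treated as no finding
    return False

def scan(root):
    """Return sorted paths of archives under `root` that still ship the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower().endswith(ARCHIVE_EXTS) and archive_has_jndi(path):
                hits.append(path)
    return sorted(hits)

def build_demo_tree(root):
    """Constructed sample: a fixed jar under vcp/, the original under vcp_bkp/."""
    for sub, with_jndi in (("vcp", False), ("vcp_bkp", True)):
        libdir = os.path.join(root, sub, "lib")
        os.makedirs(libdir)
        with zipfile.ZipFile(os.path.join(libdir, "log4j-core-demo.jar"), "w") as zf:
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for hit in scan(tmp):
            print("JndiLookup.class still present:", hit)
```

Run against /opt, the scan also reports the vcp_bkp copy made before the fix, because that backup keeps the original jars.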
Remediation:
The following Dell vCloud Director Data Protection Extension release contains a resolution to this vulnerability:
- vCloud Director Data Protection Extension 19.4 HOTFIX 333650
For other affected versions, Dell Technologies recommends scheduling an upgrade of the vCloud Director Data Protection Extension to 19.4 and applying the appropriate hotfix.
See the README document for instructions on how to install this hotfix.
NOTE: The above workarounds are not applicable to vRealize Data Protection Extension which is addressed in separate hotfixes.
Revision History
| Revision | Date | Description |
| 1.0 | 2021-12-13 | Initial Release |
| 1.1 | 2021-12-14 | Update to include more status steps. |
| 1.2 | 2021-12-15 | Add a checkpoint before restarting services. |
| 1.3 | 2021-12-16 | Added environment variable checks in between switching users before restarting services. |
| 1.4 | 2021-12-16 | Added steps to remove the JNDILookup class |
| 2.0 | 2021-12-17 | 19.4 hotfix included |
| 2.1 | 2021-12-18 | vCloud Director Data Protection Extension hotfix included and added note on vRealize Data Protection Extension DSA. |
| 2.2 | 2021-12-20 | Changes to clarify the applicability of the different sections to the three Avamar subproducts (Avamar Server, Avamar Virtual Edition, and vCloud Director Data Protection Extension). |
| 2.3 | 2021-12-22 | Added the workaround and mitigations for earlier version of vCloud Director Data Protection Extension (before 19.4). |
| 2.4 | 2022-01-06 | Updated the CVE list to include CVE-2021-45046 and clarified the remediation status. |
| 2.5 | 2022-01-07 | Updated the DSA with the findings that Avamar server is not vulnerable to the listed CVEs. |
| 2.6 | 2022-06-01 | Added Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition 19.4.0.124 build to include log4j 2.17.1. |
| 2.7 | 2022-08-02 | vCloud Director Data Protection Extension versions 18.2 - 19.3 require upgrade to 19.4 or latest version. |
Affected Products
Avamar, Avamar, Avamar Server, Product Security Information
Article Properties
Article Number: 000194480
Article Type: Dell Security Advisory
Last Modified: 27 Jul 2023