Critical
Third-party Component | CVE | More information |
Apache Log4j | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | Apache Log4j Remote Code Execution |
Product | Affected Versions | Updated Versions | Link to Update |
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.6 | 19.6.1 | https://dl.dell.com/downloads/DL107367_vRealize-Data-Protection-Extension-19.6.1-for-vRA8.x.vmoapp The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam"). See the plugin install guide for instructions on how to install or upgrade to this build: https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.7 | 19.7.1 | https://dl.dell.com/downloads/DL107369_vRealize-Data-Protection-Extension-19.7.1-for-vRA8.x.vmoapp The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam"). See the plugin install guide for instructions on how to install or upgrade to this build: https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.8 | 19.8.1 | https://dl.dell.com/downloads/DL107368_vRealize-Data-Protection-Extension-19.8.1-for-vRA8.x.vmoapp The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam"). See the plugin install guide for instructions on how to install or upgrade to this build: https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x | 19.9 | 19.9.1.1 | https://dl.dell.com/downloads/DL107263_vRealize-Data-Protection-Extension-19.9.1.1-for-vRA8.x.vmoapp The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam"). See the plugin install guide for instructions on how to install or upgrade to this build: https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions |
VMware vRealize Automation 8.x | 8.2, 8.3, 8.4, 8.5, and 8.6 | Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120 | Apply the mitigation recommended by VMware in VMware KB article https://kb.vmware.com/s/article/87120 This mitigation must be applied because the DPE plugin is a package that is installed and runs inside customers' vRA or vRO 8.x virtual appliances. |
VMware vRealize Orchestrator 8.x | 8.2, 8.3, 8.4, 8.5, and 8.6 | Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120 | Apply the mitigation recommended by VMware in VMware KB article https://kb.vmware.com/s/article/87120 This mitigation must be applied because the DPE plugin is a package that is installed and runs inside customers' vRA or vRO 8.x virtual appliances. |
Mitigation for vRealize Data Protection Extension for vRealize Automation (vRA) 8.x
For all affected vRealize Data Protection Extension for vRealize Automation (vRA) 8.x versions, before and including 19.9, follow the steps below:
Install or upgrade to one of the newly released updated versions listed in the above table, which contain the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").
See the DPE plugin install guide for instructions on how to install or upgrade to this build: https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
After installing or upgrading to the updated Dell EMC DPE, it is also mandatory to apply the workarounds or remediations recommended by VMware in this article, as required: https://kb.vmware.com/s/article/87120
If help is required with customer-supplied vRealize Automation, vRealize Orchestrator, or VMware products outside Dell EMC vRealize Data Protection Extension, contact VMware for assistance. For Dell EMC vRealize Data Protection Extension, contact Dell Support for assistance.
Note:
Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 7.x is not impacted by CVE-2021-44228. Dell EMC does not ship or bundle any Log4j package with the DPE for vRA 7.x plugins, so none of the DPE for vRA 7.x plugin versions are impacted by this Log4j vulnerability.
Apply the appropriate remediation version as mentioned in the above table only if using Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 8.x.
After installing or upgrading to the updated versions of Dell EMC DPE, it is mandatory to apply the VMware-recommended remediation available in the VMware KB article, as required: https://kb.vmware.com/s/article/87120
Revision | Date | Description |
1.0 | 2021-12-15 | Short-term mitigation. |
1.1 | 2021-12-16 | Explicitly called out in summary that Dell EMC vRealize Data Protection Extension for vRA 7.x is not impacted by CVE-2021-44228 |
1.2 | 2021-12-17 | Included the VMware products as well in the impacted section |
1.3 | 2021-12-18 | Included the link for the partial remediation from Dell EMC support site |
1.4 | 2022-01-03 | Updated link for all the remediated versions of Dell EMC DPE plugin and updated with information about the remediation available from VMware KB perspective |