December 20th, 2021 01:00
Dell Storage Manager Client / log4j update
Any info on when a new Dell Storage Manager Client will be released?
Our antivirus software doesn't like the current version with the vulnerable log4j library.


Origin3k
January 17th, 2022 13:00
Have other 19.x successfully upgraded to latest 20.x. I have more than 15 (only one Windows) data collectors to go... I will check the version next time.
Btw: the fixed DSM Client ships with a stone-age log4j-1.2.x, which is also vulnerable. But hey... a 2.17 is bundled as well.
Origin3k
January 17th, 2022 14:00
What happens if you just open another browser tab and try to log in to Unisphere again? I often see the problem that the upgrade page runs into some kind of timeout, never finishes refreshing and sits there for ages.
Regards,
Joerg
Ed Bruce
January 17th, 2022 14:00
Unfortunately, this didn't work for me. The upgrade to 20.1.1.716 seemed to work fine but I didn't get the UI after upgrading to 20.1.2.14.
Ed Bruce
January 18th, 2022 06:00
Hi Joerg,
Yeah, I tried that. Seems like the web UI just doesn't come back up. I can ping the appliance and the console shows up, but there's not much else I can do. I might have to open a ticket.
Thanks,
Ed
Stephan The Valley
February 1st, 2022 04:00
20.1.2 still comes with log4j-1.2.x, which is also vulnerable:
C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\log4j-1.2.13.jar
And 2.17.0, which should also be updated to 2.17.1:
C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\log4j-core-2.17.0.jar
CVE-2022-23307, CVE-2022-23302, CVE-2021-44832 and CVE-2022-23305 (reported by Microsoft Defender ATP)
Any info on when a fix will be released?
Stephan The Valley
February 22nd, 2022 05:00
Any news on this?
DELL-Charles R
February 23rd, 2022 05:00
Hello Stephan The Valley and SC3020,
I will check into this and update you.
SC3020
February 23rd, 2022 05:00
Hi, same here. The update from Virtual Appliance 20.1.1.716 to VA 20.1.2.14 doesn't work.
We apply the update and nothing happens. Still on the same version, and the data collector doesn't reboot either.
If someone encounters the same problem, any help would be appreciated.
Thanks
DELL-Charles R
February 23rd, 2022 08:00
Hello,
It looks like those are false positives: https://www.dell.com/support/kbdoc/000194872
Dell EMC PowerPath Management Appliance False Positive Security Vulnerabilities
CVE-2022-23302, CVE-2022-23305 & CVE-2022-23307
This article provides a list of security vulnerabilities that cannot be exploited on PowerPath Management Appliance 3.2*, but which may be flagged by security scanners.

| ID | Summary |
| --- | --- |
| CVE-2022-23302 | Requires use of JMSSink, a nonstandard configuration for log4j |
| CVE-2022-23305 | Requires use of JDBCAppender, a nonstandard configuration for log4j |
| CVE-2022-23307 | Requires use of Chainsaw reading serialized log messages, a nonstandard configuration for log4j |

Recommendations:
The vulnerabilities listed in the table below are in order by the date on which PPMA Engineering determined that the PowerPath Management Appliance 3.2* was not vulnerable.

| Third Party Component | CVE ID | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
| --- | --- | --- | --- | --- |
| log4j-1.2.17* (Bundled in slf4j-log4j12-1.7.5); log4j-1.2.15 (Bundled as part of SLES12SP5) | CVE-2022-23302 https://nvd.nist.gov/vuln/detail/CVE-2022-23302 | Requires use of JMSSink, a nonstandard configuration | JMSSink is not configured by default in PPMA or SLES12SP5. | 02/02/2022 |
| log4j-1.2.17* (Bundled in slf4j-log4j12-1.7.5); log4j-1.2.15 (Bundled as part of SLES12SP5) | CVE-2022-23305 https://nvd.nist.gov/vuln/detail/CVE-2022-23305 | Requires use of JDBCAppender, a nonstandard configuration | JDBCAppender is not configured by default in PPMA or SLES12SP5. | 02/02/2022 |
| log4j-1.2.17* (Bundled in slf4j-log4j12-1.7.5); log4j-1.2.15 (Bundled as part of SLES12SP5) | CVE-2022-23307 https://nvd.nist.gov/vuln/detail/CVE-2022-23307 | Requires use of Chainsaw reading serialized log messages, a nonstandard configuration | Chainsaw is not configured by default in PPMA or SLES12SP5. | 02/02/22 |
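
The KB article quoted above ties each CVE to a log4j 1.x component that is shipped in the jar but has to be put to use before it matters. The following added example (not part of the thread and not Dell's code) separates "packaged" from "referenced" for one jar and a set of config or launch-script texts; the function names are hypothetical, the class names are the log4j 1.2 ones, and the jar and config are constructed samples.

```python
import io
import zipfile

# CVE id -> (class path prefix inside the jar, dotted name seen in configs/scripts)
COMPONENTS = {
    "CVE-2022-23302": ("org/apache/log4j/net/JMSSink", "org.apache.log4j.net.JMSSink"),
    "CVE-2022-23305": ("org/apache/log4j/jdbc/JDBCAppender", "org.apache.log4j.jdbc.JDBCAppender"),
    "CVE-2022-23307": ("org/apache/log4j/chainsaw/", "org.apache.log4j.chainsaw."),
}

def packaged(jar):
    """CVE ids whose component classes are present in the jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
    return {cve for cve, (prefix, _) in COMPONENTS.items()
            if any(n.startswith(prefix) and n.endswith(".class") for n in names)}

def referenced(text):
    """CVE ids whose component is named on a line that is not a #/! comment."""
    # Pass launch scripts too: JMSSink and Chainsaw are started as programs.
    live = [l for l in text.splitlines() if not l.lstrip().startswith(("#", "!"))]
    return {cve for cve, (_, dotted) in COMPONENTS.items()
            if any(dotted in l for l in live)}

def assess(jar, texts):
    """Map each CVE to its packaging/reference status for one jar and its config texts."""
    in_jar = packaged(jar)
    used = set().union(*(referenced(t) for t in texts))
    return {cve: "not packaged" if cve not in in_jar
            else "packaged and referenced" if cve in used
            else "packaged, not referenced"
            for cve in COMPONENTS}

def constructed_jar():
    """Constructed stand-in for a log4j 1.2 jar: entry names only, empty bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("org/apache/log4j/Logger.class", "org/apache/log4j/net/JMSSink.class",
                     "org/apache/log4j/jdbc/JDBCAppender.class"):
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed sample config: the JDBCAppender line is commented out.
SAMPLE_CONFIG = """log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
# log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
"""
```

Call `assess()` with the path of the real jar and the contents of every log4j configuration and startup script of the installation. Comments in `log4j.xml` (`<!-- ... -->`) are not stripped, so a hit in an XML file needs a manual look.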
SugarTank
May 24th, 2022 10:00
Hi! 20.1.2 still comes with log4j-1.2.x, which is flagged by our scan for CVE-2021-4104. Is it also a false positive? Is it safe to remove it?
DELL-Josh Cr
May 24th, 2022 11:00
Hi,
Yes, it is a false positive based on the kb article that Charles linked previously. https://dell.to/3MOaiQa
Let us know if you have any additional questions.
CEliopoulos
May 30th, 2022 11:00
https://www.dell.com/support/home/en-ca/drivers/driversdetails?driverid=2wnmw
Hello, popping in to drop this. I hope it helps. Provided to me by Dell Support.
Here is the update for Storage Manager VA
Dell Storage Manager - 2020 R1.2 Release (Full Release) | Driver Details | Dell US
Here is the update for Windows
tumc
March 16th, 2023 09:00
Hello,
In our last vulnerability scan (this month), Dell Storage Manager (newest version 20.1.2.14 already installed) was again listed with a new vulnerability: CVE-2023-26464.
There is no info at all for this CVE in Dell support. Please update your security advisory page and tell us if the current DSM version is really affected or if it is a false positive.
Please also update https://www.dell.com/support/kbdoc/en-us/000196773 then.
Thanks
PIE-Peach
July 10th, 2025 18:01
Hello, can you provide the link to the download that patches this vulnerability for DSM?