Unsolved

1 Rookie • 12 Posts

December 20th, 2021 01:00

Dell Storage Manager Client / log4j update

Any info on when there will be a new Dell Storage Manager Client released?
Our antivirus software doesn't like the current version with the vulnerable log4j library.

6 Operator • 2.4K Posts • 12.3K Points

January 17th, 2022 13:00

Have others on 19.x successfully upgraded to the latest 20.x? I have more than 15 (only one Windows) data collectors to go.... I will check the version next time.

Btw: the fixed DSM Client ships with a stone-aged log4j-1.2.x which is also vulnerable. But hey... a 2.17 is bundled as well.

6 Operator • 2.4K Posts • 12.3K Points

January 17th, 2022 14:00

What happens if you just open another browser tab and try to log in to Unisphere again? I often see the problem that the upgrade page runs into some kind of timeout, never finishes refreshing, and sits there for ages.

Regards,
Joerg

4 Posts

January 17th, 2022 14:00

Unfortunately, this didn't work for me. The upgrade to 20.1.1.716 seemed to work fine but I didn't get the UI after upgrading to 20.1.2.14.

4 Posts

January 18th, 2022 06:00

Hi Joerg,

Yeah, I tried that. Seems like the web UI just doesn't come back up. I can ping the appliance and the console shows up, but there's not much else I can do. I might have to open a ticket.

Thanks,
Ed

1 Rookie • 12 Posts

February 1st, 2022 04:00

20.1.2 still ships with log4j-1.2.x, which is also vulnerable:

C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\log4j-1.2.13.jar

And 2.17.0, which should also be updated to 2.17.1:

C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\log4j-core-2.17.0.jar

CVE-2022-23307, CVE-2022-23302, CVE-2021-44832 and CVE-2022-23305 (reported by Microsoft Defender ATP)

Any info on when a fix will be released?

1 Rookie • 12 Posts

February 22nd, 2022 05:00

Any news on this?

Moderator • 4.7K Posts • 25.5K Points

February 23rd, 2022 05:00

Hello Stephan The Valley and SC3020,

I will check into this and update you.

2 Intern • 10 Posts

February 23rd, 2022 05:00

Hi, same here. The update from Virtual Appliance 20.1.1.716 to VA 20.1.2.14 doesn't work.

We apply the update and nothing happens. Still on the same version, and the data collector doesn't reboot either.

If someone encounters the same problem, any help would be appreciated.

Thanks

Moderator • 4.7K Posts • 25.5K Points

February 23rd, 2022 08:00

Hello,

It looks like those are false positives: https://www.dell.com/support/kbdoc/000194872

Dell EMC PowerPath Management Appliance False Positive Security Vulnerabilities
CVE-2022-23302, CVE-2022-23305 & CVE-2022-23307

This article provides a list of security vulnerabilities that cannot be exploited on PowerPath Management Appliance 3.2*, but which may be flagged by security scanners.

ID             | Summary
CVE-2022-23302 | Requires use of JMSSink, a nonstandard configuration for log4j
CVE-2022-23305 | Requires use of JDBCAppender, a nonstandard configuration for log4j
CVE-2022-23307 | Requires use of Chainsaw reading serialized log messages, a nonstandard configuration for log4j

Recommendations:

The vulnerabilities listed in the table below are in order by the date on which PPMA Engineering determined that the PowerPath Management Appliance 3.2* was not vulnerable.

Third Party Component | CVE ID | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive
log4j-1.2.17* (Bundled in slf4j-log4j12-1.7.5); log4j-1.2.15 (Bundled as part of SLES12SP5) | CVE-2022-23302 (https://nvd.nist.gov/vuln/detail/CVE-2022-23302) | Requires use of JMSSink, a nonstandard configuration | JMSSink is not configured by default in PPMA or SLES12SP5. | 02/02/2022
log4j-1.2.17* (Bundled in slf4j-log4j12-1.7.5); log4j-1.2.15 (Bundled as part of SLES12SP5) | CVE-2022-23305 (https://nvd.nist.gov/vuln/detail/CVE-2022-23305) | Requires use of JDBCAppender, a nonstandard configuration | JDBCAppender is not configured by default in PPMA or SLES12SP5. | 02/02/2022
log4j-1.2.17* (Bundled in slf4j-log4j12-1.7.5); log4j-1.2.15 (Bundled as part of SLES12SP5) | CVE-2022-23307 (https://nvd.nist.gov/vuln/detail/CVE-2022-23307) | Requires use of Chainsaw reading serialized log messages, a nonstandard configuration | Chainsaw is not configured by default in PPMA or SLES12SP5. | 02/02/2022
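A triage check for the situation in this thread, added here as an example (not Dell's code, not the KB's): it inventories log4j jars by filename and version, and reports which log4j 1.x CVEs are actually reachable from a log4j.properties or log4j.xml by looking for the prerequisite classes the KB names (JMSSink, JDBCAppender, Chainsaw), plus JMSAppender for CVE-2021-4104 raised later in the thread. The sample jar paths are the ones quoted above; the two configs are constructed for the demo, and the 2.17.1 threshold follows the thread's note on CVE-2021-44832.

```python
import re

# log4j 1.2 classes that must be configured before each CVE is reachable.
# The first three are the prerequisites named in the Dell KB quoted above;
# CVE-2021-4104 (JMSAppender) is the one raised in the follow-up post.
PREREQUISITE_CLASS = {
    "CVE-2022-23302": "org.apache.log4j.net.JMSSink",
    "CVE-2022-23305": "org.apache.log4j.jdbc.JDBCAppender",
    "CVE-2022-23307": "org.apache.log4j.chainsaw",
    "CVE-2021-4104": "org.apache.log4j.net.JMSAppender",
}
# Matches log4j-1.2.13.jar and log4j-core-2.17.0.jar, not slf4j-log4j12-1.7.5.jar.
JAR_RE = re.compile(r"^log4j(?:-[a-z]+)?-(\d+(?:\.\d+)+)\.jar$", re.I)


def version_tuple(version):
    return tuple(int(x) for x in version.split("."))


def jar_findings(paths):
    """Map each log4j jar path to a risk note; other jars are skipped."""
    findings = {}
    for path in paths:
        name = re.split(r"[\\/]", path)[-1]  # works for Windows and POSIX paths
        m = JAR_RE.match(name)
        if not m:
            continue
        ver = m.group(1)
        if version_tuple(ver) < (2,):
            findings[path] = f"log4j {ver}: 1.x is end-of-life, expect scanner hits"
        elif version_tuple(ver) < (2, 17, 1):
            findings[path] = f"log4j {ver}: below 2.17.1 (CVE-2021-44832)"
        else:
            findings[path] = f"log4j {ver}: current"
    return findings


def reachable_cves(config_text):
    """CVEs whose prerequisite appender/sink is actually named in a 1.x config."""
    return sorted(c for c, cls in PREREQUISITE_CLASS.items() if cls in config_text)


# Constructed sample input: jar paths quoted in the thread, configs made up here.
SAMPLE_JARS = [
    r"C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\log4j-1.2.13.jar",
    r"C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\log4j-core-2.17.0.jar",
    r"C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\slf4j-api-1.7.5.jar",
]
DEFAULT_CONFIG = ("log4j.rootLogger=INFO, R\n"
                  "log4j.appender.R=org.apache.log4j.RollingFileAppender\n")
JMS_CONFIG = DEFAULT_CONFIG + "log4j.appender.J=org.apache.log4j.net.JMSAppender\n"
```

A config with only a RollingFileAppender yields no reachable CVE, which is the KB's "not configured by default" argument made checkable; the 1.x jar is still reported so the end-of-life finding is not lost.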


1 Message

May 24th, 2022 10:00

Hi! 20.1.2 still ships with log4j-1.2.x, which is flagged by the scan for CVE-2021-4104. Is this also a false positive? Is it safe to remove it?

Moderator • 9.6K Posts • 42.6K Points

May 24th, 2022 11:00

Hi,

Yes, it is a false positive based on the KB article that Charles linked previously: https://dell.to/3MOaiQa

Let us know if you have any additional questions.

1 Message

May 30th, 2022 11:00

https://www.dell.com/support/home/en-ca/drivers/driversdetails?driverid=2wnmw

Hello, popping in to drop this. I hope it helps. Provided to me by Dell Support.

Here is the update for Storage Manager VA

Dell Storage Manager - 2020 R1.2 Release (Full Release) | Driver Details | Dell US

Here is the update for Windows

1 Message

March 16th, 2023 09:00

Hello,

In our last vulnerability scan (this month) Dell Storage Manager (newest version 20.1.2.14 already installed) was again listed with a new vulnerability: CVE-2023-26464

There is no info at all for this CVE in Dell support. Please update your security advisory page and tell us whether the current DSM version is really affected or if it is a false positive.

Please also update https://www.dell.com/support/kbdoc/en-us/000196773 then.

Thanks

1 Rookie • 2 Posts • 2 Points

July 10th, 2025 18:01

Hello, can you provide the link to the download that patches this vulnerability for DSM?
