CVE-2021-44228 (Apache Log4j) workaround for DataDomain and DataDomain Management Center. This affects customers running DD OS 7.3 up to 7.7.0.6. The workaround is meant for customers who need an immediate remedy and can accept either disabling the GUI interface entirely or restricting GUI access to a small set of selected client machines. It reduces exposure of the vulnerable component; it does not patch it, so upgrading to a fixed DD OS release remains the permanent fix.
See the linked Knowledge Base article for more details. Demonstration: disabling the GUI interface. To disable the GUI interface, log in to the DataDomain, navigate to Administration, click Access, select HTTPS and click Configure. Unselect Allow HTTP and HTTPS access, then click OK.
This terminates the session you are currently working in and prevents any GUI access for as long as the HTTP and HTTPS services stay disabled. To verify from the command line, run adminaccess show, which lists the HTTP and HTTPS services as disabled. Demonstration: restricting GUI access.
GUI access can instead be restricted to a small set of trusted clients that are not prone to compromise, so that an attacker cannot reach the GUI to exploit this vulnerability. Keep in mind that the restriction is only as strong as the trusted hosts themselves: anyone who can run code on, or spoof the address of, a trusted client still reaches the GUI. Log in to the DataDomain GUI. Navigate to the Administration tab, click Access, select HTTP and click Configure. Add the trusted hosts by IP address and click OK.
Select and remove the asterisk entry, which grants access from all hosts, and click OK. Once you confirm, the connection is lost unless you are logged in from one of the trusted machines. The following is a demonstration of how to re-enable the GUI interface after applying the support-driven workaround, or after upgrading DD OS to a version that contains the fix.
Log in to the DD via the command line and run adminaccess enable https, and adminaccess enable http only if plain-HTTP access is actually required (HTTPS alone is enough for the web GUI). To access the web GUI again, open your browser, clear your browser history and start a new session.
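The steps above verify the workaround from the appliance itself (adminaccess show). A practitioner also wants to confirm it from the client side: from a machine that is not on the trusted-host list, the GUI ports should no longer answer, and after re-enabling the services they should answer again. The following probe is an added example and is not Dell code or code from the original page; it assumes the GUI listens on the default HTTP (80) and HTTPS (443) ports and uses a constructed placeholder address, 192.0.2.10, as the default target.

```python
"""Probe DataDomain GUI ports from the current client.

Added example, not Dell code. Assumes the web GUI listens on the
default HTTP (80) and HTTPS (443) ports; adjust PORTS if the appliance
was configured differently. The default target 192.0.2.10 is a
constructed placeholder, not a real appliance.
"""
import socket
from typing import Dict

PORTS = {"http": 80, "https": 443}  # assumption: default GUI ports


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify host:port as 'open', 'closed' or 'filtered'.

    'closed'   connection refused: nothing is listening, which is what
               disabling HTTP/HTTPS on the appliance produces.
    'filtered' no answer before the timeout: a firewall in the path or a
               host that silently drops packets; inconclusive on its own.
    'open'     the TCP handshake completed, so the listener is up and
               reachable from this client.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        # Name resolution failed; do not disguise that as a closed port.
        raise
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def gui_exposure(host: str, ports: Dict[str, int] = PORTS,
                 timeout: float = 3.0) -> Dict[str, str]:
    """Probe every GUI port and return {service_name: state}."""
    return {name: probe_port(host, port, timeout) for name, port in ports.items()}


def workaround_holds(results: Dict[str, str]) -> bool:
    """True when no GUI port completed a TCP handshake from this client.

    A 'filtered' result counts as not exposed from here, but only a
    'closed' result proves the service itself is disabled.
    """
    return all(state != "open" for state in results.values())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # constructed placeholder
    res = gui_exposure(target)
    for name, state in res.items():
        print(f"{name:5s} {PORTS[name]:>5}: {state}")
    if workaround_holds(res):
        print("GUI unreachable from this host")
    else:
        print("GUI still reachable from this host")
```

Run it from a client that should not have access (expect closed or filtered on both ports) and again from a trusted client after the services are re-enabled (expect open). If the appliance enforces the trusted-host list at the application layer rather than by refusing the TCP connection, the port may still show as open from an untrusted client; in that case confirm the restriction with a browser session from that client, as the demonstration above does.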
Thank you.