Article Number: 000194480
DSA-2021-277: Dell Avamar Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)
Summary: Dell Avamar vCloud Director Data Protection Extension remediation is available for the Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affected system. Dell Technologies recommends implementing this remediation as soon as possible considering the critical severity of the vulnerability. ...
Article Content
Impact
Critical
Details
| Third-party Component | CVEs | More information |
| Apache Log4j | CVE-2021-44228 CVE-2021-45046 |
Apache Log4j Remote Code Execution  |
| Third-party Component | CVEs | More information |
| Apache Log4j | CVE-2021-44228 CVE-2021-45046 |
Apache Log4j Remote Code Execution |
Affected Products and Remediation
| Product | Affected Versions | Updated Versions | Link to Update |
| vCloud Director Data Protection Extension | 18.2 | Upgrade to 19.4 or latest | https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers |
| 19.1 | Upgrade to 19.4 or latest | ||
| 19.2 | Upgrade to 19.4 or latest | ||
| 19.3 | Upgrade to 19.4 or latest | ||
| 19.4 | 19.4.0.214_HF.5 | https://dl.dell.com/downloads/DL107262_vCloud-Director-Data-Protection-Extension-19.4-(Hotfix-333650).zip |
NOTE:
- Earlier versions of vCloud Data Protection Extension are End of Standard Support (EOSS). Dell did not analyze the impact of Log4j on these versions.
- Avamar Server is not vulnerable to CVE-2021-44228 or CVE-2021-45046. These vulnerabilities are specific to the JNDI Lookup class
- There is a separate DSA for vRealize Data Protection Extension that is located here.
| Product | Updated Versions | Link to Update |
| Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition | 19.4.0.116_HF333999 | https://dl.dell.com/downloads/DL107242_Avamar-19.4-MC-Cumulative-Hotfix-for-Avamar-Server-and-Avamar-Virtual-Edition-December-2021-(Hotfix-333999).zip |
| Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition | 19.4.0.124 19.4.0.116 |
Dell article 21684, Avamar: List of the most recent Avamar Management Console Service cumulative hotfixes, and how to download and install the hotfixes. (14 July 2023) |
| Product | Affected Versions | Updated Versions | Link to Update |
| vCloud Director Data Protection Extension | 18.2 | Upgrade to 19.4 or latest | https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers |
| 19.1 | Upgrade to 19.4 or latest | ||
| 19.2 | Upgrade to 19.4 or latest | ||
| 19.3 | Upgrade to 19.4 or latest | ||
| 19.4 | 19.4.0.214_HF.5 | https://dl.dell.com/downloads/DL107262_vCloud-Director-Data-Protection-Extension-19.4-(Hotfix-333650).zip |
NOTE:
- Earlier versions of vCloud Data Protection Extension are End of Standard Support (EOSS). Dell did not analyze the impact of Log4j on these versions.
- Avamar Server is not vulnerable to CVE-2021-44228 or CVE-2021-45046. These vulnerabilities are specific to the JNDI Lookup class
- There is a separate DSA for vRealize Data Protection Extension that is located here.
| Product | Updated Versions | Link to Update |
| Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition | 19.4.0.116_HF333999 | https://dl.dell.com/downloads/DL107242_Avamar-19.4-MC-Cumulative-Hotfix-for-Avamar-Server-and-Avamar-Virtual-Edition-December-2021-(Hotfix-333999).zip |
| Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition | 19.4.0.124 19.4.0.116 |
Dell article 21684, Avamar: List of the most recent Avamar Management Console Service cumulative hotfixes, and how to download and install the hotfixes. (14 July 2023) |
Workarounds and Mitigations
vCloud Director Data Protection Extension
NOTE:
- This workaround or mitigation is applicable to affected versions of the vCloud Director Data Protection Extension before 19.4.
- For 19.4 vCloud Director Data Protection Extension, we recommend applying the 19.4.0.214_HF.5 hotfix as described in the Remediation section.
- If you implement the workaround or mitigation that is described in this section, and then upgrade or update the vCloud Director Data Protection Extension from one version to another or by applying a hotfix to the version which does not contain the listed vCloud DPE hotfix, then you must reimplement the workaround or mitigation.
Steps:
- Download the latest version of the logpresso tool from the following location: https://github.com/logpresso/CVE-2021-44228-Scanner
- Choose the latest logscanner tool for "Any OS."
- Copy the logpresso-log4j2-scan-XXX.jar to the /home/admin directory on the Virtual Provisioning Appliance (VPA) utility Node.
- Find the list of deployed components for vCloud Director Data Protection Extension (The components are vCloud Protector cell, vCloud Protector Backend Gateway, vCloud Protector Reporting, vCloud Protector File level Restore, vCloud Protector UI, PostgreSQL, and RabbitMQ). As user root, log in to Virtual Provisioning Appliance (VPA) utility Node and check the hostname lists from Deploy_Plan.conf file using the following command:
grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u The output should be similar to the following: vcloud-77-68:/home/admin # grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u fqdn=vcloud-77-104.drm.lab.emc.com fqdn=vcloud-77-58.drm.lab.emc.com fqdn=vcloud-77-61.drm.lab.emc.com fqdn=vcloud-77-69.drm.lab.emc.com fqdn=vcloud-77-71.drm.lab.emc.com fqdn=vcloud-77-87.drm.lab.emc.com fqdn=vcloud-77-92.drm.lab.emc.com
- The steps relating to logpresso must be performed on the VPA utility node and each of the deployed component virtual machines that are listed in the previous step.
- Run logpresso against the affected locations.
NOTE: The following commands related to logpresso were applicable to version 1.6.2. Later versions may differ.
- As user root, run the tool against the vcp or directory by running the following command. Type "y" to the prompts accordingly:
cd /home/admin java -jar logpresso-log4j2-scan-XXX.jar --trace /
- Copy or take backup of /opt/vcp/* before fixing Vulnerable files.
cd /opt cp -pr vcp vcp_bkp
- Stop affected VPA component services (Select the appropriate command that is based on the component you are in).
- VCP Cell
systemctl stop vcpsrv
- VCP bg
systemctl stop vcpbg
- VCP rpt
systemctl stop vcprpt
- VCP flr
systemctl stop flrui
- VCP ui
systemctl stop vcpui
- RabbitMQ
service rabbitmq-server stop
- PostgreSQL
service postgresql stop
- Run logpresso with the fix flag against the affected locations:
- As user root, run the tool against the vcp or directory by running the following command. Type "y" to the prompts accordingly:
cd /home/admin java -jar logpresso-log4j2-scan-XXX.jar --fix /
- Restart the component or service that was stopped in step 5.
- VCP Cell
systemctl restart vcpsrv
- VCP bg
systemctl restart vcpbg
- VCP rpt
systemctl restart vcprpt
- VCP flr
systemctl restart flrui
- VCP ui
systemctl restart vcpui
- RabbitMQ
service rabbitmq-server restart
- PostgreSQL
service postgresql restart
Remediation:
The following Dell vCloud Director Data Protection Extension release contains a resolution to this vulnerability:
- vCloud Director Data Protection Extension 19.4 HOTFIX 333650
For other affected versions, Dell Technologies recommends scheduling an upgrade of the vCloud Director Data Protection Extension to 19.4 and applying the appropriate hotfix.
See the README document for instructions on how to install this hotfix.
NOTE: The above workarounds are not applicable to vRealize Data Protection Extension which is addressed in separate hotfixes.
Revision History
| Revision | Date | Description |
| 1.0 | 2021-12-13 | Initial Release |
| 1.1 | 2021-12-14 | Update to include more status steps. |
| 1.2 | 2021-12-15 | Add a checkpoint before restarting services. |
| 1.3 | 2021-12-16 | Added environment variable checks in between switching users before restarting services. |
| 1.4 | 2021-12-16 | Added steps to remove the JNDILookup class |
| 2.0 | 2021-12-17 | 19.4 hotfix included |
| 2.1 | 2021-12-18 | vCloud Director Data Protection Extension hotfix included and added note on vRealize Data Protection Extension DSA. |
| 2.2 | 2021-12-20 | Changes to clarify the applicability of the different sections to the three Avamar subproducts (Avamar Server, Avamar Virtual Edition, and vCloud Director Data Protection Extension). |
| 2.3 | 2021-12-22 | Added the workaround and mitigations for earlier version of vCloud Director Data Protection Extension (before 19.4). |
| 2.4 | 2022-01-06 | Updated the CVE list to include CVE-2021-45046 and clarified the remediation status. |
| 2.5 | 2022-01-07 | Updated the DSA with the findings that Avamar server is not vulnerable to the listed CVEs. |
| 2.6 | 2022-06-01 | Added Avamar, Avamar Server, Avamar data Store, and Avamar Virtual Edition 19.4.0.124 build to include log4j 2.17.1. |
| 2.7 | 2022-08-02 | vCloud Director Data Protection Extension versions 18.2 -19.3 require upgrade to 19.4 or latest version. |
Related Information
Legal Information
Article Properties
Affected Product
Avamar, Avamar, Avamar Server, Product Security Information
Last Published Date
27 Jul 2023
Version
15
Article Type
Dell Security Advisory