Dell EMC PowerMax Embedded NAS (eNAS) False Positive Security Vulnerabilities for Apache Log4j (CVE-2021-4104, CVE-2019-17571, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307)

Summary: This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC PowerMax Embedded NAS (eNAS) version 8.1.15.*, but which may be identified by security scanners. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Security Article Type

Security KB

CVE Identifier

The CVE IDs are listed in the table below.

Issue Summary

See the 'Recommendation' section below for details on each CVE.

Recommendations

The vulnerabilities that are listed in the table below are in order by the date on which PowerMax Embedded NAS (eNAS) Engineering determined that the PowerMax Embedded NAS (eNAS) version 8.1.15* was not vulnerable.
 
Third-party  Component CVE ID Summary of Vulnerability Reason why Product is not Vulnerable Date Determined False Positive
JMSAppender CVE-2021-4104 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.  Describe the steps to address the issue.
  1. Log4j.xml is the configuration file which has appender details. This file has write permission for C4 user only, and other users have read permission. C4 user is not used for login through SSH. For accessing and editing this file attacker must have the password for C4 user which is difficult to get.
  2. This Vulnerability is related to JMS Appender, JMS Appender are used to send the formatted log event to a JMS Destination.
  3. eNAS does not have JMS configured and consumed in code.
Hence, we concluded that we are not vulnerable for this CVE.		 1/4/2022
SocketServer CVE-2019-17571 In Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely run arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
  1. SocketServer class requires configuration to be done for setting up socket between the servers. This setup and configurations do not come configured by default for Log4j bundle.
  2. For eNAS product, we do not configure, setup and consume SocketServer class. 
Hence, we concluded that we are not vulnerable for this CVE.		 1/4/2022
SMTP Appender CVE-2020-9488 Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages that are sent through that appender.
  1. Code does not consume the SMTPAppender class.
  2. We removed this class from the Log4j jar files and checked the UI.
  3. We also see that SMTP requires configuration which by default is not enable.
  4. This CVE has low score and impact.
  5. For attacker to extract the details, they have to be Man-In-Middle (which requires the access to root), to acquire access to root is not easy for eNAS product.
 2/17/2022
JMSSink CVE-2022-23302 JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.
  1. JMSSink is a simple application that consumes logging events that are sent by a JMSAppender.
  2. In eNAS, we do not consume JMSAppender for logging.
  3. This flaw only affects applications which are specifically configured to use JMSSink, which is not the default in eNAS.
  4. For eNAS the Log4j conf file has write permission only for root user. As in both the products, the Log4j config file is not having world write permission. It is difficult for attacker to modify this file.
  5. We have also evaluated the code and found that JMSSink appender is not consumed in the code.
  6. However, to further be sure, we removed this class from our jar file and validated the UI and logging functionality. We could not observe any visible effect post class removal.
 2/17/2022
JDBCAppender CVE-2022-23305 By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be run.
  1. The JDBCAppender is used for sending log events to a database.
  2. By default the log4j.xml file does not have JDBC configured. For using the JDBCAppender, separate configurations are required to be done. 
  3. JDBCAppender class is not consumed in code for eNAS.
  4. As JDBCAppender class is not consumed, the vulnerability that is related with its usage does not affect the product.
 2/17/2022
Apache Chainsaw CVE-2022-23307 A deserialization issue is present in Apache Chainsaw.
  1. Chainsaw is a supporting application for Log4j. It is a GUI-based log viewer that can read log files in Log4j’s XMLLayout format.
  2. By default, it listens for LoggingEvent objects sent using the SocketAppender and displays them in a table. The events can be filtered based on Level, Thread name, Logger, Message, and NDC.
  3. Log4j is not configured to use Chainsaw by default. No separate configurations have been made to configure ChainSaw to be used in eNAS.
  4. For eNAS, the code does not consume Chainsaw APIs.
  5. Apache Chainsaw listens to the logging objects sent on SocketAppender, but eNAS does not have SocketAppender configured.
  6. By default SocketAppender is not enabled for Log4j and requires explicit configuration for its usage.
 2/17/2022

Legal Disclaimer

Affected Products

PowerMax, eNAS
Article Properties
Article Number: 000195522
Article Type: Security KB
Last Modified: 01 Mar 2022
Version:  2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.