VPLEX: VPLEX nor the VPLEX Cluster Witness are not affected by the Apache Log4shell vulnerability

The Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affected system may be run against a system to see if unauthorized access can be made for the purpose to maliciously execute harmful code on systems found to be vulnerable to the log4j issue.

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

The Dell EMC VPLEX GeoSynchrony 6.2.x is running on Apache Log4j version 1.2.17 which is not vulnerable to the issue and no further actions are required for the VPLEX or the VPLEX Cluster Witness. Also all pre-6.2.x versions are running a log4j version not impacted by the current vulnerability.

For more info on other Dell EMC products with regards to the Apache log4j vulnerability refer to DSA KBA 000194414, Dell Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)