Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000194416


Additional Information for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) (CVE-2021-45046)

Summary: This document provides frequently asked questions in support of DSN-2021-007.

Article Content


Security Article Type

Security KB

Issue Summary

Dell Technologies released the security notice “DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability” in response to the critical vulnerabilities CVE-2021-44228 and CVE-2021-45046 in the open source Apache Log4j library. The initial vulnerability (CVE-2021-44228) affects Log4j 2.x versions 2.14.0 and earlier. The second vulnerability (CVE-2021-45046) affects Log4j 2.x versions 2.15.0 and earlier, excluding 2.12.2. Note that Log4j 1.x is not affected by either of these vulnerabilities.

These are critical vulnerabilities that need your immediate attention, as the Apache Log4j component is widely used across many vendors and software packages.

We are working hard to keep you continuously updated as the situation develops.

For a full list of Dell products, their impact and remediations, see the Apache Log4j Knowledge Base Article.

We will communicate mitigations and security updates as they become available via Dell Security Advisories posted on the Security Advisories and Notices page. We will keep a running list of relevant Dell Security Advisories in the full list of impacted Dell products: Apache Log4j Knowledge Base Article. You can subscribe to our Security Alerts to be notified when new Security Advisories are posted by following the guidance here, or by following the directions in the Security Alerts section on the Security Advisories and Notices page.

Continue to monitor the Dell Security Notice (DSN-2021-007) and Apache Log4j Knowledge Base Article for Log4j updates.

We will continue to update this page periodically with the latest information.

Details

See the following Dell Security Notice DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability

Recommendations

Frequently Asked Questions:   


What vulnerabilities currently impact Apache Log4j? 

Dell is tracking multiple vulnerabilities in the Apache Log4j libraries:
  

CVE ID  CVSS Score  Affected Apache Log4j Versions   Impact  Remediated Apache Log4j version  Summary 
CVE-2021-44228  Critical (10.0)  All versions from 2.0 to 2.14.1  Remote Code Execution (RCE)  Upgrade to 2.15 or later An easily exploitable remote code execution issue across all configurations. Known to be actively exploited. 
CVE-2021-45046  Critical (9.0)  All versions from 2.0 to 2.15, excluding 2.12.2+  Remote (and Local) Code Execution (RCE), Information Leakage  Upgrade to 2.16 or later Challenging to exploit, remote code execution issue only present on non-default configurations. At this time, we are not aware of any evidence of exploitation. 
CVE-2021-45105  High (7.5)  All versions from 2.0 to 2.16  Denial of Service (DOS)  Upgrade to 2.17 or later Challenging to exploit. Can crash the java process on non-default configurations. At this time, we are not aware of any evidence of exploitation. 
CVE-2021-44832 Medium (6.6) All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 Remote Code Execution (RCE) Upgrade to 2.17.1 or later Challenging to exploit. Requires use of JDBC Appender and attacker control of Log4j configuration.
At this time, we are not aware of any evidence of exploitation.

 

What is Dell’s focus right now regarding Log4j? 

At this time, we’re focused on issuing workarounds and security updates that best protect our customers against the active exploitation of CVE-2021-44228. The majority of our affected products are moving or have moved to Log4j 2.16 which protects against both CVE-2021-44228 and CVE-2021-45046. There is a smaller subset that moved to Log4j 2.15, which we are quickly working to move to Log4j 2.16. 

  

Why has Dell accelerated the remedy timeline for CVE-2021-45046? 

CVE-2021-45046 started as a low-severity issue but was escalated to critical severity on Dec. 16 with the discovery of bypasses to protections in Log4j 2.15. Dell security experts believe that researchers and attackers could continue to push the boundaries of this issue and uncover new attack vectors. For that reason, we believe it is in our customers’ best interest to move to Log4j 2.16 as it disables the vulnerable functionality by default. 

 

Why is Dell not accelerating timelines for CVE-2021-45105 or CVE-2021-44832? 

At this time, we are not aware of attackers exploiting CVE-2021-45105 or CVE-2021-44832. Log4j 2.16 has also added a number of defense-in-depth protections against potential remote code execution issues that could impact customers. Given these two key facts, there is not yet sufficient evidence compelling us to move to a tighter timeline for distributing Log4j 2.17 or Log4j 2.17.1. Our primary and continued focus is to protect against CVE-2021-44228 and subsequently CVE-2021-45046. 

We will continue to monitor the impact of CVE-2021-45105, CVE-2021-44832 and any other issues discovered and may accelerate remedy timelines if circumstances change. 
 
Full details of these vulnerabilities are available at: Apache Log4j Vulnerabilities.



Are these vulnerabilities being exploited?

Attackers are actively probing for Apache Log4j vulnerabilities no matter the vendor or manufacturer. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.

 

How do I know what Dell products are impacted?

The status of products which are impacted, not impacted, or under review is listed in KB article 194414. We will continuously update this document with the latest information. Our Product and Security teams are working around the clock to investigate and find solutions for impacted products as quickly as possible.

 

My Dell product is impacted. What can I do to protect myself?

If you determine that you use an impacted Dell Technologies product after visiting KB article 194414, install the applicable security patch or follow the recommended workaround, as the document outlines, or check back later if the workarounds or patches are still pending.

We encourage you to follow security best practices, including those recommended by Apache. You may have other security controls in your environment that can help protect you until you are able to patch. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.

 

Should I use the workaround or the patch if my Dell product is impacted?

Given the criticality of these issues, we highly recommend you apply the first available option to best protect against these vulnerabilities. If you apply a workaround, remember to apply the official patch once available. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.

 

Can I just firewall the affected products instead of patching or using the workaround?

All organizations have different environments and needs. Whether a workaround or patch is appropriate for this situation is best assessed by you and your information security staff.

 

How do I know if my product is supported?

Per the Dell Vulnerability Response Policy, Dell strives to remediate actively supported products, versions, or platforms. To see if your product is currently supported, access the following article: All Dell EMC End-of-Life Documents

 

What Should I do if I have questions?

Contact Dell Customer Support if you have questions after reviewing the impacted products document: Apache Log4j Knowledge Base Article.


The information should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories, Security Notices and Informational articles to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.

Article Properties


Affected Product

Product Security Information

Last Published Date

30 Dec 2021

Version

16

Article Type

Security KB

Rate This Article


Accurate
Useful
Easy to Understand
Was this article helpful?

0/3000 characters