Article Number: 000194416
Dell Technologies released the security notice “DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability” in response to the critical vulnerabilities CVE-2021-44228 and CVE-2021-45046 in the open source Apache Log4j library. The initial vulnerability (CVE-2021-44228) affects Log4j 2.x versions 2.14.0 and earlier. The second vulnerability (CVE-2021-45046) affects Log4j 2.x versions 2.15.0 and earlier, excluding 2.12.2. Note that Log4j 1.x is not affected by either of these vulnerabilities.
These are critical vulnerabilities that need your immediate attention, as the Apache Log4j component is widely used across many vendors and software packages.
We are working hard to keep you continuously updated as the situation develops.
For a full list of Dell products, their impact and remediations, see the Apache Log4j Knowledge Base Article.
We will communicate mitigations and security updates as they become available via Dell Security Advisories posted on the Security Advisories and Notices page. A running list of the relevant Dell Security Advisories is kept in the Apache Log4j Knowledge Base Article, alongside the full list of impacted Dell products. You can subscribe to Security Alerts to be notified when new Security Advisories are posted, either by following the guidance here or by following the directions in the Security Alerts section of the Security Advisories and Notices page.
Continue to monitor the Dell Security Notice (DSN-2021-007) and Apache Log4j Knowledge Base Article for Log4j updates.
We will continue to update this page periodically with the latest information.
See Dell Security Notice DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability.
Dell is tracking multiple vulnerabilities in the Apache Log4j libraries:
| CVE ID | CVSS Score | Affected Apache Log4j Versions | Impact | Remediated Apache Log4j Version | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-44228 | Critical (10.0) | All versions from 2.0 to 2.14.1 | Remote Code Execution (RCE) | Upgrade to 2.15 or later | An easily exploitable remote code execution issue across all configurations. Known to be actively exploited. |
| CVE-2021-45046 | Critical (9.0) | All versions from 2.0 to 2.15, excluding 2.12.2+ | Remote (and Local) Code Execution (RCE), Information Leakage | Upgrade to 2.16 or later | Challenging to exploit; the remote code execution issue is only present on non-default configurations. At this time, we are not aware of any evidence of exploitation. |
| CVE-2021-45105 | High (7.5) | All versions from 2.0 to 2.16 | Denial of Service (DoS) | Upgrade to 2.17 or later | Challenging to exploit. Can crash the Java process on non-default configurations. At this time, we are not aware of any evidence of exploitation. |
| CVE-2021-44832 | Medium (6.6) | All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 | Remote Code Execution (RCE) | Upgrade to 2.17.1 or later | Challenging to exploit. Requires use of the JDBC Appender and attacker control of the Log4j configuration. At this time, we are not aware of any evidence of exploitation. |
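As an added example (not part of Dell's notice or any Dell tooling), the following Python helper encodes the version ranges from the table above and reports which of the four CVEs still apply to a given Log4j 2.x version or to a `log4j-core` jar path found in an inventory; the reading of "2.12.2+" as 2.12.2 and every later 2.12.x release is an assumption, and the sample jar paths are constructed.

```python
import re
# Affected ranges transcribed from the Dell table above:
# (CVE, lowest affected, highest affected, exclusions, remediated version).
LOG4J2_CVES = [
    ("CVE-2021-44228", "2.0", "2.14.1", (), "2.15"),
    ("CVE-2021-45046", "2.0", "2.15", ("2.12.2+",), "2.16"),
    ("CVE-2021-45105", "2.0", "2.16", (), "2.17"),
    ("CVE-2021-44832", "2.0-alpha7", "2.17.0", ("2.3.2", "2.12.4"), "2.17.1"),
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?")
JAR_RE = re.compile(r"log4j-core-([0-9][^/]*?)\.jar$")

def parse_version(text):
    """'2.0-alpha7', '2.12.2' or '2.15' -> comparable tuple; pre-release sorts below release."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    release = (int(m[1]), int(m[2]), int(m[3] or 0))
    return release + ((0, m[4], int(m[5])) if m[4] else (1,))

def _excluded(v, rule):
    """'2.12.4' excludes that exact version; '2.12.2+' is read here (an
    assumption) as 2.12.2 and every later 2.12.x patch release."""
    if rule.endswith("+"):
        base = parse_version(rule[:-1])
        return v[:2] == base[:2] and v >= base
    return v == parse_version(rule)

def applicable_cves(version):
    """(CVE, remediated version) pairs from the table still applying to this Log4j version."""
    v = parse_version(version)
    if v[0] != 2:  # Log4j 1.x is not affected by these CVEs
        return []
    return [(cve, fixed) for cve, low, high, excl, fixed in LOG4J2_CVES
            if parse_version(low) <= v <= parse_version(high)
            and not any(_excluded(v, r) for r in excl)]

def triage_jars(paths):
    """Map each log4j-core jar path to its open CVEs; log4j-api and other jars are skipped."""
    report = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            report[path] = applicable_cves(m[1])
    return report

if __name__ == "__main__":  # constructed sample paths, not from a real host
    sample = ["/opt/app/lib/log4j-core-2.14.1.jar", "/srv/app/log4j-core-2.17.1.jar"]
    for path, cves in triage_jars(sample).items():
        print(path, "->", ", ".join(c for c, _ in cves) or "no open CVEs")
```

A jar's version string says nothing about product-specific workarounds already applied, so treat a hit as a prompt to check the affected product's entry in KB article 194414 rather than as a final verdict.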
At this time, we’re focused on issuing workarounds and security updates that best protect our customers against the active exploitation of CVE-2021-44228. The majority of our affected products are moving or have moved to Log4j 2.16 which protects against both CVE-2021-44228 and CVE-2021-45046. There is a smaller subset that moved to Log4j 2.15, which we are quickly working to move to Log4j 2.16.
CVE-2021-45046 started as a low-severity issue but was escalated to critical severity on Dec. 16 with the discovery of bypasses to protections in Log4j 2.15. Dell security experts believe that researchers and attackers could continue to push the boundaries of this issue and uncover new attack vectors. For that reason, we believe it is in our customers’ best interest to move to Log4j 2.16 as it disables the vulnerable functionality by default.
At this time, we are not aware of attackers exploiting CVE-2021-45105 or CVE-2021-44832. Log4j 2.16 has also added a number of defense-in-depth protections against potential remote code execution issues that could impact customers. Given these two key facts, there is not yet sufficient evidence compelling us to move to a tighter timeline for distributing Log4j 2.17 or Log4j 2.17.1. Our primary and continued focus is to protect against CVE-2021-44228 and subsequently CVE-2021-45046.
We will continue to monitor the impact of CVE-2021-45105, CVE-2021-44832 and any other issues discovered and may accelerate remedy timelines if circumstances change.
Full details of these vulnerabilities are available at: Apache Log4j Vulnerabilities.
Attackers are actively probing for Apache Log4j vulnerabilities no matter the vendor or manufacturer. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.
The status of products which are impacted, not impacted, or under review is listed in KB article 194414. We will continuously update this document with the latest information. Our Product and Security teams are working around the clock to investigate and find solutions for impacted products as quickly as possible.
If you determine that you use an impacted Dell Technologies product after visiting KB article 194414, install the applicable security patch or follow the recommended workaround, as the document outlines, or check back later if the workarounds or patches are still pending.
We encourage you to follow security best practices, including those recommended by Apache. You may have other security controls in your environment that can help protect you until you are able to patch. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.
Given the criticality of these issues, we highly recommend you apply the first available option to best protect against these vulnerabilities. If you apply a workaround, remember to apply the official patch once available. If you are an enterprise customer, we encourage you to work with your information security staff to assess the best course of action as soon as possible.
All organizations have different environments and needs. Whether a workaround or patch is appropriate for this situation is best assessed by you and your information security staff.
Per the Dell Vulnerability Response Policy, Dell strives to remediate actively supported products, versions, or platforms. To see if your product is currently supported, access the following article: All Dell EMC End-of-Life Documents
The information should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories, Security Notices and Informational articles to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.
Product Security Information
30 Dec 2021