
Article Number: 000194480


DSA-2021-277: Dell EMC Avamar Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)

Summary: Dell EMC Avamar vCloud Director Data Protection Extension remediation is available for the Apache Log4j Remote Code Execution Vulnerability that could be exploited by malicious users

Article Content


Impact

Critical

Details

Third-party Component | CVEs | More information
Apache Log4j | CVE-2021-44228, CVE-2021-45046 | Apache Log4j Remote Code Execution

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

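Product | Affected Versions | Updated Versions | Link to Update
vCloud Director Data Protection Extension | 18.2 | 18.2 Hotfix | TBD
vCloud Director Data Protection Extension | 19.1 | 19.1 Hotfix | TBD
vCloud Director Data Protection Extension | 19.2 | 19.2 Hotfix | TBD
vCloud Director Data Protection Extension | 19.3 | 19.3 Hotfix | TBD
vCloud Director Data Protection Extension | 19.4 | 19.4.0.214_HF.5 | https://dl.dell.com/downloads/DL107262_vCloud-Director-Data-Protection-Extension-19.4-(Hotfix-333650).zip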

NOTES:
  1. Earlier versions of vCloud Data Protection Extension are End of Standard Support (EOSS). Dell did not analyze the impact of Log4j on these versions.
  2. Avamar Server is not vulnerable to CVE-2021-44228 or CVE-2021-45046. These vulnerabilities are specific to the JNDI Lookup class, which only exists in the log4j-core jar file. Avamar Server does not install the log4j-core jar file. A 19.4 hotfix is available if customers would still like to update the version of log4j to 2.16. This update may prevent false positive notifications by security scanning tools.

     Product | Updated Versions | Link to Update
     Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition | 19.4.0.116_HF333999 | https://dl.dell.com/downloads/DL107242_Avamar-19.4-MC-Cumulative-Hotfix-for-Avamar-Server-and-Avamar-Virtual-Edition-December-2021-(Hotfix-333999).zip

  3. There is a separate DSA for vRealize Data Protection Extension located here.

Workarounds and Mitigations

vCloud Director Data Protection Extension
Notes:

  • This workaround/mitigation is applicable to affected versions of the vCloud Director Data Protection Extension prior to 19.4.
  • For 19.4 vCloud Director Data Protection Extension, we recommend applying the 19.4.0.214_HF.5 hotfix as described in the Remediation section.
  • If you implement the workaround/mitigation described in this section and then upgrade or update the vCloud Director Data Protection Extension, either from one version to another or by applying a hotfix, to a version that does not contain the listed vCloud DPE hotfix, you must re-implement the workaround/mitigation.
Steps:

  1. Download the latest version of the logpresso tool from the following location: https://github.com/logpresso/CVE-2021-44228-Scanner
     a. Choose the latest logscanner tool for “Any OS”.
     b. Copy the logpresso-log4j2-scan-XXX.jar to the /home/admin directory on the VPA (Virtual Provisioning Appliance) utility node.

  2. Find the list of deployed components for vCloud Director Data Protection Extension. (The components are vCloud Protector cell, vCloud Protector Backend Gateway, vCloud Protector Reporting, vCloud Protector File level Restore, vCloud Protector UI, PostgreSQL, and RabbitMQ.) As user root, log on to the VPA utility node and check the list of hostnames in the deploy_plan.conf file using the following command:

         grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u

     The output should be similar to the following:

         vcloud-77-68:/home/admin # grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u
         fqdn=vcloud-77-104.drm.lab.emc.com
         fqdn=vcloud-77-58.drm.lab.emc.com
         fqdn=vcloud-77-61.drm.lab.emc.com
         fqdn=vcloud-77-69.drm.lab.emc.com
         fqdn=vcloud-77-71.drm.lab.emc.com
         fqdn=vcloud-77-87.drm.lab.emc.com
         fqdn=vcloud-77-92.drm.lab.emc.com

  3. The steps relating to logpresso must be performed on the VPA utility node and on each of the deployed component virtual machines listed in the previous step.

  4. Run logpresso against the affected locations.

     NOTE: The following commands related to logpresso were applicable to version 1.6.2. Later versions may differ.

     a. As user root, run the tool against the root directory (/), which covers /opt/vcp, by running the following command. Type “y” to the prompts accordingly:

         cd /home/admin
         java -jar logpresso-log4j2-scan-XXX.jar --trace /

     b. Back up /opt/vcp/* before fixing the vulnerable files:

         cd /opt
         cp -pr vcp vcp_bkp

  5. Stop the affected VPA component services (select the appropriate command based on the component you are on).
     a. VCP Cell

         systemctl stop vcpsrv

     b. VCP bg

         systemctl stop vcpbg

     c. VCP rpt

         systemctl stop vcprpt

     d. VCP flr

         systemctl stop flrui

     e. VCP ui

         systemctl stop vcpui

     f. Rabbitmq

         service rabbitmq-server stop

     g. PostgreSQL

         service postgresql stop

  6. Run logpresso with the fix flag against the affected locations:
     a. As user root, run the tool against the root directory (/), which covers /opt/vcp, by running the following command. Type “y” to the prompts accordingly:

         cd /home/admin
         java -jar logpresso-log4j2-scan-XXX.jar --fix /

  7. Restart the component or service that was stopped in step 5.
     a. VCP Cell

         systemctl restart vcpsrv

     b. VCP bg

         systemctl restart vcpbg

     c. VCP rpt

         systemctl restart vcprpt

     d. VCP flr

         systemctl restart flrui

     e. VCP ui

         systemctl restart vcpui

     f. Rabbitmq

         service rabbitmq-server restart

     g. PostgreSQL

         service postgresql restart
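
The advisory ties both CVEs to the JNDI Lookup class in the log4j-core jar, so a quick independent check after step 6 is to confirm that no jar under /opt/vcp still carries that class. The script below is an added example, not part of Dell's advisory or the logpresso tool; the function names are hypothetical and the class path is the standard log4j-core 2.x location.

```shell
#!/bin/sh
# Added example (not Dell's or logpresso's code). Function names are
# hypothetical. Lists jars that still carry the JndiLookup class entry.
# ZIP archives store entry names uncompressed, so a byte search of the jar
# finds the entry without unzip. Limitation: jars nested inside other
# archives (war, ear, fat jars) are compressed and are not seen here.

# Standard location of the class inside log4j-core 2.x.
JNDI_ENTRY='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# Print one path per line for every *.jar under $1 that contains the entry.
jars_with_jndilookup() {
    find "$1" -type f -name '*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        if LC_ALL=C grep -q -F -- "$JNDI_ENTRY" "$jar"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Return 0 when no jar under $1 carries the class, 1 otherwise.
verify_jndilookup_removed() {
    hits=$(jars_with_jndilookup "$1")
    if [ -n "$hits" ]; then
        printf 'JndiLookup.class still present in:\n%s\n' "$hits" >&2
        return 1
    fi
    printf 'No jar under %s contains JndiLookup.class\n' "$1"
    return 0
}

# Run the check when a directory is given, e.g.: sh check_jndi.sh /opt/vcp
if [ "$#" -gt 0 ]; then
    verify_jndilookup_removed "$1"
fi
```

Run it on each component virtual machine against /opt/vcp; a non-zero exit status means at least one jar still needs attention.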

Remediation:
The following Dell EMC vCloud Director Data Protection Extension release contains a resolution to this vulnerability:
 
  • vCloud Director Data Protection Extension 19.4 HOTFIX 333650


For other affected versions, Dell EMC recommends scheduling an upgrade of the vCloud Director Data Protection Extension to 19.4 and applying the appropriate hotfix.

Refer to the README document for instructions on how to install this hotfix.


NOTE: The above workarounds are not applicable to vRealize Data Protection Extension which will be handled in separate hotfixes.

Revision History

Revision | Date | Description
1.0 | 2021-12-13 | Initial Release
1.1 | 2021-12-14 | Update to include more status steps
1.2 | 2021-12-15 | Add a checkpoint prior to restarting services
1.3 | 2021-12-16 | Added environment variable checks in between switching users prior to restarting services
1.4 | 2021-12-16 | Added steps to remove the JNDILookup class
2.0 | 2021-12-17 | 19.4 hotfix included
2.1 | 2021-12-18 | vCloud Director Data Protection Extension hotfix included and added note on vRealize Data Protection Extension DSA
2.2 | 2021-12-20 | Changes to clarify the applicability of the different sections to the 3 Avamar sub-products (Avamar Server, Avamar Virtual Edition, and vCloud Director Data Protection Extension).
2.3 | 2021-12-22 | Added the workaround and mitigations for earlier versions of vCloud Director Data Protection Extension (prior to 19.4)
2.4 | 2022-01-06 | Updated the CVE list to include CVE-2021-45046 and clarified the remediation status.
2.5 | 2022-01-07 | Updated the DSA with the findings that Avamar server is not vulnerable to the listed CVEs.

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


The information in this Dell Technologies Security Advisory should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.

Article Properties


Affected Product

Avamar, Avamar, Avamar Server, Product Security Information

Last Published Date

07 Jan 2022

Version

12

Article Type

Dell Security Advisory