Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

DSA-2021-277: Dell Avamar Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)

Summary: Dell Avamar vCloud Director Data Protection Extension remediation is available for the Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affected system. Dell Technologies recommends implementing this remediation as soon as possible considering the critical severity of the vulnerability. ...

This article applies to   This article does not apply to 

Impact

Critical

Details

Third-party Component  CVEs  More information 
Apache Log4j  CVE-2021-44228
CVE-2021-45046 
Apache Log4j Remote Code Execution This hyperlink is taking you to a website outside of Dell Technologies.
Third-party Component  CVEs  More information 
Apache Log4j  CVE-2021-44228
CVE-2021-45046 
Apache Log4j Remote Code Execution This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Product  Affected Versions  Updated Versions  Link to Update
vCloud Director Data Protection Extension 18.2 Upgrade to 19.4 or latest https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers
19.1 Upgrade to 19.4 or latest
19.2 Upgrade to 19.4 or latest
19.3 Upgrade to 19.4 or latest
19.4 19.4.0.214_HF.5 https://dl.dell.com/downloads/DL107262_vCloud-Director-Data-Protection-Extension-19.4-(Hotfix-333650).zip
 
NOTE:
  1. Earlier versions of vCloud Data Protection Extension are End of Standard Support (EOSS). Dell did not analyze the impact of Log4j on these versions.
  2. Avamar Server is not vulnerable to CVE-2021-44228 or CVE-2021-45046. These vulnerabilities are specific to the JNDI Lookup class This hyperlink is taking you to a website outside of Dell Technologies. which only exists in the log4j-core jar file. Avamar Server does not install the jog4j-core jar file. A 19.4 hotfix is available if customers would still like to update the version of log4j to 2.17.1. This update may prevent false positive notifications by security scanning tools.
  3. There is a separate DSA for vRealize Data Protection Extension that is located here.
 
Product  Updated Versions Link to Update
Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition 19.4.0.116_HF333999 https://dl.dell.com/downloads/DL107242_Avamar-19.4-MC-Cumulative-Hotfix-for-Avamar-Server-and-Avamar-Virtual-Edition-December-2021-(Hotfix-333999).zip
Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition 19.4.0.124
19.4.0.116
Dell article 21684, Avamar: List of the most recent Avamar Management Console Service cumulative hotfixes, and how to download and install the hotfixes. (14 July 2023)
 
Product  Affected Versions  Updated Versions  Link to Update
vCloud Director Data Protection Extension 18.2 Upgrade to 19.4 or latest https://www.dell.com/support/home/en-us/product-support/product/vcloud-director-data-protection-extension/drivers
19.1 Upgrade to 19.4 or latest
19.2 Upgrade to 19.4 or latest
19.3 Upgrade to 19.4 or latest
19.4 19.4.0.214_HF.5 https://dl.dell.com/downloads/DL107262_vCloud-Director-Data-Protection-Extension-19.4-(Hotfix-333650).zip
 
NOTE:
  1. Earlier versions of vCloud Data Protection Extension are End of Standard Support (EOSS). Dell did not analyze the impact of Log4j on these versions.
  2. Avamar Server is not vulnerable to CVE-2021-44228 or CVE-2021-45046. These vulnerabilities are specific to the JNDI Lookup class This hyperlink is taking you to a website outside of Dell Technologies. which only exists in the log4j-core jar file. Avamar Server does not install the jog4j-core jar file. A 19.4 hotfix is available if customers would still like to update the version of log4j to 2.17.1. This update may prevent false positive notifications by security scanning tools.
  3. There is a separate DSA for vRealize Data Protection Extension that is located here.
 
Product  Updated Versions Link to Update
Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition 19.4.0.116_HF333999 https://dl.dell.com/downloads/DL107242_Avamar-19.4-MC-Cumulative-Hotfix-for-Avamar-Server-and-Avamar-Virtual-Edition-December-2021-(Hotfix-333999).zip
Avamar, Avamar Server, Avamar Data Store, and Avamar Virtual Edition 19.4.0.124
19.4.0.116
Dell article 21684, Avamar: List of the most recent Avamar Management Console Service cumulative hotfixes, and how to download and install the hotfixes. (14 July 2023)
 

Workarounds & Mitigations

vCloud Director Data Protection Extension

NOTE:
  • This workaround or mitigation is applicable to affected versions of the vCloud Director Data Protection Extension before 19.4.
  • For 19.4 vCloud Director Data Protection Extension, we recommend applying the 19.4.0.214_HF.5 hotfix as described in the Remediation section.
  • If you implement the workaround or mitigation that is described in this section, and then upgrade or update the vCloud Director Data Protection Extension from one version to another or by applying a hotfix to the version which does not contain the listed vCloud DPE hotfix, then you must reimplement the workaround or mitigation.

Steps:
  1. Download the latest version of the logpresso tool from the following location: https://github.com/logpresso/CVE-2021-44228-Scanner This hyperlink is taking you to a website outside of Dell Technologies.
    1. Choose the latest logscanner tool for "Any OS."
    2. Copy the logpresso-log4j2-scan-XXX.jar to the /home/admin directory on the Virtual Provisioning Appliance (VPA) utility Node.
  2. Find the list of deployed components for vCloud Director Data Protection Extension (The components are vCloud Protector cell, vCloud Protector Backend Gateway, vCloud Protector Reporting, vCloud Protector File level Restore, vCloud Protector UI, PostgreSQL, and RabbitMQ). As user root, log in to Virtual Provisioning Appliance (VPA) utility Node and check the hostname lists from Deploy_Plan.conf file using the following command:
grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u

The output should be similar to the following:

vcloud-77-68:/home/admin # grep fqdn /root/deploy_plan/deploy_plan.conf | sort -u
fqdn=vcloud-77-104.drm.lab.emc.com
fqdn=vcloud-77-58.drm.lab.emc.com
fqdn=vcloud-77-61.drm.lab.emc.com
fqdn=vcloud-77-69.drm.lab.emc.com
fqdn=vcloud-77-71.drm.lab.emc.com
fqdn=vcloud-77-87.drm.lab.emc.com
fqdn=vcloud-77-92.drm.lab.emc.com
  1. The steps relating to logpresso must be performed on the VPA utility node and each of the deployed component virtual machines that are listed in the previous step.
  1. Run logpresso against the affected locations.
NOTE: The following commands related to logpresso were applicable to version 1.6.2. Later versions may differ.
  1. As user root, run the tool against the vcp or directory by running the following command. Type "y" to the prompts accordingly: 
cd /home/admin
java -jar logpresso-log4j2-scan-XXX.jar --trace /
  1. Copy or take backup of /opt/vcp/* before fixing Vulnerable files.
cd /opt
cp -pr vcp vcp_bkp
  1. Stop affected VPA component services (Select the appropriate command that is based on the component you are in).  
  • VCP Cell
systemctl stop vcpsrv  
  • VCP bg
systemctl stop vcpbg
  •  VCP rpt
systemctl stop vcprpt
  • VCP flr
systemctl stop flrui
  •  VCP ui
systemctl stop vcpui
  •  RabbitMQ
service rabbitmq-server stop
  •  PostgreSQL
service postgresql stop
  1. Run logpresso with the fix flag against the affected locations:  
  2. As user root, run the tool against the vcp or directory by running the following command. Type "y" to the prompts accordingly: 
cd /home/admin
java -jar logpresso-log4j2-scan-XXX.jar --fix /
  1. Restart the component or service that was stopped in step 5.
  • VCP Cell
systemctl restart vcpsrv
  • VCP bg
systemctl restart vcpbg
  • VCP rpt
systemctl restart vcprpt
  •  VCP flr
systemctl restart flrui
  •  VCP ui
systemctl restart vcpui
  •  RabbitMQ
service rabbitmq-server restart
  •  PostgreSQL
service postgresql restart

Remediation:
The following Dell vCloud Director Data Protection Extension release contains a resolution to this vulnerability:
  • vCloud Director Data Protection Extension 19.4 HOTFIX 333650

For other affected versions, Dell Technologies recommends scheduling an upgrade of the vCloud Director Data Protection Extension to 19.4 and applying the appropriate hotfix.

See the README document for instructions on how to install this hotfix.

NOTE: The above workarounds are not applicable to vRealize Data Protection Extension which is addressed in separate hotfixes.

Revision History

 Revision Date Description 
1.02021-12-13Initial Release
1.12021-12-14Update to include more status steps.
1.22021-12-15Add a checkpoint before restarting services.
1.32021-12-16Added environment variable checks in between switching users before restarting services.
1.42021-12-16Added steps to remove the JNDILookup class
2.02021-12-1719.4 hotfix included
2.12021-12-18vCloud Director Data Protection Extension hotfix included and added note on vRealize Data Protection Extension DSA.
2.22021-12-20Changes to clarify the applicability of the different sections to the three Avamar subproducts (Avamar Server, Avamar Virtual Edition, and vCloud Director Data Protection Extension).
2.32021-12-22Added the workaround and mitigations for earlier version of vCloud Director Data Protection Extension (before 19.4).
2.42022-01-06Updated the CVE list to include CVE-2021-45046 and clarified the remediation status.
2.52022-01-07Updated the DSA with the findings that Avamar server is not vulnerable to the listed CVEs.
2.62022-06-01Added Avamar, Avamar Server, Avamar data Store, and Avamar Virtual Edition 19.4.0.124 build to include log4j 2.17.1.
2.72022-08-02vCloud Director Data Protection Extension versions 18.2 -19.3 require upgrade to 19.4 or latest version.

Related Information

Affected Products

Avamar, Avamar, Avamar Server, Product Security Information
Article Properties
Article Number: 000194480
Article Type: Dell Security Advisory
Last Modified: 27 Jul 2023
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.