Article Number: 000194549
Critical
| Third-party Component | CVEs | More information |
| Apache Log4j | CVE-2021-44228 | https://logging.apache.org/log4j/2.x/security.html |
| CVE-2021-45046 | ||
| CVE-2021-45105 | ||
| CVE-2021-44832 |
| Third-party Component | CVEs | More information |
| Apache Log4j | CVE-2021-44228 | https://logging.apache.org/log4j/2.x/security.html |
| CVE-2021-45046 | ||
| CVE-2021-45105 | ||
| CVE-2021-44832 |
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.
| Product | Affected Versions | Updated Versions | Link to Update |
| Dell EMC Power Protect Data Manager | All versions 19.9 and earlier | Dell Technologies recommends impacted customers to upgrade to 19.9 or 19.8 or if upgrade is not possible, apply the temporary workaround detailed in this DSA. *PPDM version 19.9 downloaded from Dell support site before January 19, 2022 shall be upgraded to latest available version as well. |
https://www.dell.com/support/home/en-ca/product-support/product/enterprise-copy-data-management/drivers |
| Product | Affected Versions | Updated Versions | Link to Update |
| Dell EMC Power Protect Data Manager | All versions 19.9 and earlier | Dell Technologies recommends impacted customers to upgrade to 19.9 or 19.8 or if upgrade is not possible, apply the temporary workaround detailed in this DSA. *PPDM version 19.9 downloaded from Dell support site before January 19, 2022 shall be upgraded to latest available version as well. |
https://www.dell.com/support/home/en-ca/product-support/product/enterprise-copy-data-management/drivers |
Short-Term Mitigation for Power Protect Data Manager:
For all supported Power Protect Data Manager (PPDM) versions, follow the steps below:
Disable all policies, and wait for any running jobs to complete.
ssh <host> -l admin
echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options
Run the following command:
echo "
#! /bin/sh
/usr/local/brs/puppet/scripts/ecdm_services.sh stop
if [ -d /usr/local/brs/lib/mvnrepo/repository/org/apache/logging/log4j/log4j-core ]; then
zip -q -d /usr/local/brs/lib/mvnrepo/repository/org/apache/logging/log4j/log4j-core/2.*/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
if [ -d /usr/share/elasticsearch/lib ]; then
zip -q -d /usr/share/elasticsearch/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
/usr/local/brs/puppet/scripts/ecdm_services.sh start
" > /tmp/fixlog4j.sh ; chmod u+x /tmp/fixlog4j.sh
Run the following command:
sudo /tmp/fixlog4j.sh
Note: It make take several minutes (up to 5 or longer) for all services to restart.
Short-Term Mitigation for Power Protect Data Manager Search:
Skip this step if you have not deployed Search Node.
SSH to PPDM Core OVA using admin account and change to the root user.
Run the following command to get the search node credentials:
source /opt/emc/vmdirect/unit/vmdirect.env && /opt/emc/vmdirect/bin/infranodemgmt get -secret
SSH to the first Search node with "admin" account using the following command:
ssh admin@<search FQDN or IP>
Run the following command to update the jvm options:
echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options
Run the following command to create a script to remove the java class that has the exploit:
echo "
if [ -d /usr/share/elasticsearch/lib ]; then
zip -q -d /usr/share/elasticsearch/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
sudo systemctl restart elasticsearch
" > /tmp/fixlog4j.sh ; chmod u+x /tmp/fixlog4j.sh
Run the following command to run the script that is created through step 5 above:
sudo /tmp/fixlog4j.sh
Repeat steps from #3 to #6 for all the additional Search nodes found in step #2.
Note: It is recommended not to add additional Search Nodes until the next release with the fix is added. If any nodes are added before the fix, these mitigation steps must be added on the new Search Nodes as well.
Short-Term Mitigation for Power Protect Data Manager Cloud DR:
Skip this step if you have not enabled and configured Cloud DR.
For Cloud DR Server Deployed on cloud (AWS, AZURE, AWS GOV, or AZURE GOV)
Log in to the CDRS over SSH. For assistance in accessing CDRS over SSH, contact Dell Support.
#! /bin/sh
cdr_backup()
{
mkdir -p /tmp/cdr_backup
cp /home/cdr/executable /tmp/cdr_backup/executable.bak
cp /home/cdr/resources/restore_service.tar.gz /tmp/cdr_backup/restore_service.tar.gz.bak
cp /home/cdr/lib/cdrs_main.jar /tmp/cdr_backup/cdrs_main.jar.bak
}
update_executable()
{
echo "Updating CDRS executable."
sed -i 's/=CDRS/=CDRS -Dlog4j2.formatMsgNoLookups=true/g' /home/cdr/executable
}
update_restore_service()
{
L_CDR_VER=$1
echo "Updating restore_service.jar."
BASE_PATH=/home/cdr/resources
cd $BASE_PATH
gunzip restore_service.tar.gz
tar -xvf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
if [[ ${L_CDR_VER} =~ 19\.[6-9] ]]; then
zip -q -d lib_${L_CDR_VER}/restore_service.jar shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
zip -q -d lib_${L_CDR_VER}/restore_service.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
tar --delete -f restore_service.tar lib_${L_CDR_VER}/restore_service.jar
tar -uf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
rm -rf lib_${L_CDR_VER}
gzip restore_service.tar
}
update_cdrs_main()
{
echo "Updating cdrs_main.jar."
LOG4J_JAR_FILE_LOCATION=BOOT-INF/lib/log4j-core-2.13.2.jar
echo "Stopping CDR service."
sudo service cdrd stop
cd /home/cdr/lib/
mkdir -p BOOT-INF/lib
unzip -p cdrs_main.jar $LOG4J_JAR_FILE_LOCATION > $LOG4J_JAR_FILE_LOCATION
zip -q -d $LOG4J_JAR_FILE_LOCATION org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -u -0 -n *.jar cdrs_main.jar $LOG4J_JAR_FILE_LOCATION
rm -rf BOOT-INF
echo "Starting CDR service. This may take a few minutes."
sudo service cdrd start
for i in {1..10}
do
sleep 30
echo "Checking CDR service status..."
RESP_CODE=$(curl -kfsL -o /dev/null -w '%{http_code}' -X GET https://localhost/rest/cdr-version -H "accept: application/json")
if [[ "$RESP_CODE" == 200 ]]; then
echo "CDR service started successfully."
return 0
fi
done
echo "Failed to run CDR service. Please contact Dell Support."
exit 1
}
main()
{
cdr_backup
CDR_VER=$(curl -s -X GET https://localhost/rest/cdr-version -H "accept: application/json" -k)
echo "CDR version is : $CDR_VER"
if [[ $CDR_VER =~ 19\.[6-9] ]]; then
update_executable
update_restore_service $CDR_VER
update_cdrs_main
elif ([[ $CDR_VER =~ 19\.[2-5] ]] || [[ $CDR_VER =~ 19\.1\.[0-9] ]]); then
update_restore_service $CDR_VER
else
echo "This script is applicable only for CDR versions between 19.1 and 19.9."
exit 1
fi
rm -rf /tmp/cdr_backup
}
main
Execute the commands below:
dos2unix /tmp/cdrs_log4jfix.sh
chmod +x /tmp/cdrs_log4jfix.sh
sudo /tmp/cdrs_log4jfix.sh
| Revision | Date | Description |
| 1.0 | 2021-12-13 | Workaround |
| 1.1 | 2021-12-14 | Workaround , added JndiLookup.class removal from the log4j-core jar files. |
| 1.2 | 2021-12-22 | Added CVE-2021-45046 |
| 2.0 | 2022-01-19 | Remediation made available for versions 19.8 and 19.9 and added CVEs being remediated |
| 2.1 | 2022-02-23 | Minor change to language in the note in Update Versions column. |
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
The information in this Dell Technologies Security Advisory should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.
PowerProtect Data Manager, Product Security Information
23 Feb 2022
8
Dell Security Advisory