Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

DSA-2021-286: Dell EMC Power Protect Data Manager Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832)

Summary: Dell EMC Power Protect Data Manager remediation is available for the Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affected system. Dell recommends implementing this remediation as soon as possible in light of the critical severity of the vulnerability. ...

This article applies to   This article does not apply to 

Impact

Critical

Details

Third-party Component CVEs More information
Apache Log4j CVE-2021-44228 https://logging.apache.org/log4j/2.x/security.html
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
Third-party Component CVEs More information
Apache Log4j CVE-2021-44228 https://logging.apache.org/log4j/2.x/security.html
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Product Affected Versions Updated Versions Link to Update
Dell EMC Power Protect Data Manager All versions 19.9 and earlier Dell Technologies recommends impacted customers to upgrade to 19.9 or 19.8 or if upgrade is not possible, apply the temporary workaround detailed in this DSA.

*PPDM version 19.9 downloaded from Dell support site before January 19, 2022 shall be upgraded to latest available version as well.
https://www.dell.com/support/home/en-ca/product-support/product/enterprise-copy-data-management/drivers

Note: PowerProtect Protection Engine or PowerProtect VM Direct Protection Engine is not vulnerable to this issue.
Product Affected Versions Updated Versions Link to Update
Dell EMC Power Protect Data Manager All versions 19.9 and earlier Dell Technologies recommends impacted customers to upgrade to 19.9 or 19.8 or if upgrade is not possible, apply the temporary workaround detailed in this DSA.

*PPDM version 19.9 downloaded from Dell support site before January 19, 2022 shall be upgraded to latest available version as well.
https://www.dell.com/support/home/en-ca/product-support/product/enterprise-copy-data-management/drivers

Note: PowerProtect Protection Engine or PowerProtect VM Direct Protection Engine is not vulnerable to this issue.

Workarounds & Mitigations

Short-Term Mitigation for Power Protect Data Manager:

For all supported Power Protect Data Manager (PPDM) versions, follow the steps below: 

  1. Disable all policies, and wait for any running jobs to complete.

  2. SSH to host using admin account: 

ssh <host> -l admin

  1. Run the following command: 

echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options

  1. Run the following command:

echo "
#! /bin/sh
/usr/local/brs/puppet/scripts/ecdm_services.sh stop
if [ -d /usr/local/brs/lib/mvnrepo/repository/org/apache/logging/log4j/log4j-core ]; then
zip -q -d /usr/local/brs/lib/mvnrepo/repository/org/apache/logging/log4j/log4j-core/2.*/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
if [ -d /usr/share/elasticsearch/lib ]; then
zip -q -d /usr/share/elasticsearch/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
/usr/local/brs/puppet/scripts/ecdm_services.sh start
" > /tmp/fixlog4j.sh ;  chmod u+x /tmp/fixlog4j.sh

  1. Run the following command:

sudo /tmp/fixlog4j.sh

  1. Enable all policies back.

Note: It make take several minutes (up to 5 or longer) for all services to restart.


Short-Term Mitigation for Power Protect Data Manager Search:

Skip this step if you have not deployed Search Node.

  1. SSH to PPDM Core OVA using admin account and change to the root user.

  2. Run the following command to get the search node credentials:

source /opt/emc/vmdirect/unit/vmdirect.env && /opt/emc/vmdirect/bin/infranodemgmt get -secret

  1. SSH to the first Search node with "admin" account using the following command:

 ssh admin@<search FQDN or IP>

  1. Run the following command to update the jvm options:

echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options

  1. Run the following command to create a script to remove the java class that has the exploit:

echo "
if [ -d /usr/share/elasticsearch/lib ]; then
zip -q -d /usr/share/elasticsearch/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
fi
sudo systemctl restart elasticsearch
" > /tmp/fixlog4j.sh ;  chmod u+x /tmp/fixlog4j.sh

  1. Run the following command to run the script that is created through step 5 above:

sudo /tmp/fixlog4j.sh

  1. Repeat steps from #3 to #6 for all the additional Search nodes found in step #2.

Note: It is recommended not to add additional Search Nodes until the next release with the fix is added. If any nodes are added before the fix, these mitigation steps must be added on the new Search Nodes as well.


Short-Term Mitigation for Power Protect Data Manager Cloud DR:

Skip this step if you have not enabled and configured Cloud DR.

For Cloud DR Server Deployed on cloud (AWS, AZURE, AWS GOV, or AZURE GOV)

  1. Log in to the CDRS over SSH. For assistance in accessing CDRS over SSH, contact Dell Support.

  2. Create cdrs_log4jfix.sh in /tmp/ directory with following content:

#! /bin/sh
cdr_backup()
{
  mkdir -p /tmp/cdr_backup
  cp /home/cdr/executable /tmp/cdr_backup/executable.bak
  cp /home/cdr/resources/restore_service.tar.gz /tmp/cdr_backup/restore_service.tar.gz.bak
  cp /home/cdr/lib/cdrs_main.jar /tmp/cdr_backup/cdrs_main.jar.bak
}
update_executable()
{
  echo "Updating CDRS executable."
  sed -i 's/=CDRS/=CDRS -Dlog4j2.formatMsgNoLookups=true/g' /home/cdr/executable
}
update_restore_service()
{
  L_CDR_VER=$1
  echo "Updating restore_service.jar."
  BASE_PATH=/home/cdr/resources
  cd $BASE_PATH
  gunzip restore_service.tar.gz
  tar -xvf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  if [[ ${L_CDR_VER} =~ 19\.[6-9] ]]; then
     zip -q -d lib_${L_CDR_VER}/restore_service.jar shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class
  fi
  zip -q -d lib_${L_CDR_VER}/restore_service.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  tar --delete -f restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  tar -uf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  rm -rf lib_${L_CDR_VER}
  gzip restore_service.tar
}
update_cdrs_main()
{
  echo "Updating cdrs_main.jar."
  LOG4J_JAR_FILE_LOCATION=BOOT-INF/lib/log4j-core-2.13.2.jar
  echo "Stopping CDR service."
  sudo service cdrd stop
  cd /home/cdr/lib/
  mkdir -p BOOT-INF/lib
  unzip -p cdrs_main.jar $LOG4J_JAR_FILE_LOCATION > $LOG4J_JAR_FILE_LOCATION
  zip -q -d $LOG4J_JAR_FILE_LOCATION org/apache/logging/log4j/core/lookup/JndiLookup.class
  zip -u -0 -n *.jar cdrs_main.jar $LOG4J_JAR_FILE_LOCATION
  rm -rf BOOT-INF
  echo "Starting CDR service. This may take a few minutes."
  sudo service cdrd start
  for i in {1..10}
  do
    sleep 30
    echo "Checking CDR service status..."
    RESP_CODE=$(curl -kfsL -o /dev/null -w '%{http_code}' -X GET https://localhost/rest/cdr-version -H "accept: application/json")
    if [[ "$RESP_CODE" == 200 ]]; then
      echo "CDR service started successfully."
      return 0
    fi
  done
  echo "Failed to run CDR service. Please contact Dell Support."
  exit 1
}
main()
{
   cdr_backup
   CDR_VER=$(curl -s -X GET https://localhost/rest/cdr-version -H "accept: application/json" -k)
   echo "CDR version is : $CDR_VER"
   if [[ $CDR_VER =~ 19\.[6-9] ]]; then
      update_executable
      update_restore_service $CDR_VER
      update_cdrs_main
    elif ([[ $CDR_VER =~ 19\.[2-5] ]] || [[ $CDR_VER =~ 19\.1\.[0-9] ]]); then
      update_restore_service $CDR_VER
    else
      echo "This script is applicable only for CDR versions between 19.1 and 19.9."
      exit 1
    fi
    rm -rf /tmp/cdr_backup
}
main

  1. Execute the commands below:

  • dos2unix /tmp/cdrs_log4jfix.sh

  • chmod +x /tmp/cdrs_log4jfix.sh

  • sudo /tmp/cdrs_log4jfix.sh

Revision History

RevisionDateDescription
1.02021-12-13Workaround
1.12021-12-14Workaround , added JndiLookup.class removal from the log4j-core jar files.
1.22021-12-22Added CVE-2021-45046
2.02022-01-19Remediation made available for versions 19.8 and 19.9 and added CVEs being remediated
2.12022-02-23Minor change to language in the note in Update Versions column.

Related Information

Affected Products

PowerProtect Data Manager, Product Security Information
Article Properties
Article Number: 000194549
Article Type: Dell Security Advisory
Last Modified: 23 Feb 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.