Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products

DSA-2021-290: Dell EMC vRealize Data Protection Extension for vRealize Automation 8.x Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105)

Summary: Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 8.x short-term mitigation is available for the Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affected system. Dell recommends implementing this short-term mitigation as soon as possible in light of the critical severity of the vulnerability. ...

This article applies to   This article does not apply to 

Impact

Critical

Details

 
Third-party Component CVE More information
Apache Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Apache Log4j Remote Code Execution This hyperlink is taking you to a website outside of Dell Technologies.
 
Third-party Component CVE More information
Apache Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Apache Log4j Remote Code Execution This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Product Affected Versions Updated Versions Link to Update
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.6 19.6.1 https://dl.dell.com/downloads/DL107367_vRealize-Data-Protection-Extension-19.6.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam")

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.7 19.7.1 https://dl.dell.com/downloads/DL107369_vRealize-Data-Protection-Extension-19.7.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam")

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.8 19.8.1 https://dl.dell.com/downloads/DL107368_vRealize-Data-Protection-Extension-19.8.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam”)

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.9 19.9.1.1 https://dl.dell.com/downloads/DL107263_vRealize-Data-Protection-Extension-19.9.1.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam")

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
VMware vRealize Automation 8.x 8.2, 8.3, 8.4, 8.5, and 8.6 Remediation provided by VMware as per VMware KB
https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers.
VMware vRealize Orchestrator 8.x 8.2, 8.3, 8.4, 8.5, and 8.6 Remediation provided by VMware as per VMware KB
https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers.

 
Product Affected Versions Updated Versions Link to Update
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.6 19.6.1 https://dl.dell.com/downloads/DL107367_vRealize-Data-Protection-Extension-19.6.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam")

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.7 19.7.1 https://dl.dell.com/downloads/DL107369_vRealize-Data-Protection-Extension-19.7.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam")

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.8 19.8.1 https://dl.dell.com/downloads/DL107368_vRealize-Data-Protection-Extension-19.8.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam”)

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
vRealize Data Protection Extension for vRealize Automation (vRA) 8.x 19.9 19.9.1.1 https://dl.dell.com/downloads/DL107263_vRealize-Data-Protection-Extension-19.9.1.1-for-vRA8.x.vmoapp

vRealize Data Protection Extension updated version contains the remediation for Apache log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam")

See the install guide of plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions
 
VMware vRealize Automation 8.x 8.2, 8.3, 8.4, 8.5, and 8.6 Remediation provided by VMware as per VMware KB
https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers.
VMware vRealize Orchestrator 8.x 8.2, 8.3, 8.4, 8.5, and 8.6 Remediation provided by VMware as per VMware KB
https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
Mitigation to be applied is as per VMware recommendations as mentioned in VMware KB article https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies.
We have to apply the same since the DPE plugin is a package that gets installed and runs inside the VRA or VRO 8.x virtual appliances of customers.

 

Workarounds & Mitigations

For all vRealize Data Protection Extension for vRealize Automation (vRA) 8.x versions before and including 19.9, follow the steps below for Mitigation for vRealize Data Protection Extension for vRealize Automation(vRA) 8.x.

For all affected vRealize Data Protection Extension for vRealize Automation (vRA) 8.x, follow the steps below: 

Install or upgrade to the newly released updated versions as listed in the above table containing the remediation for Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").

See the install guide of DPE plugin for instructions on how to perform install or upgrade to this build
https://www.dell.com/support/home/product-support/product/vrealize-data-protection-extensions

Post installation or upgrade to updated Dell EMC DPE, also mandatorily apply the VMware recommended workarounds or remediations recommended by VMware in this article, as required https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies..

If help is required with a customer-supplied vRealize Automation or vRealize Orchestrator or VMware products outside Dell EMC vRealize Data Protection Extension, reach out to VMware for assistance. For Dell EMC vRealize Data Protection Extension, reach out to Dell Support for assistance.

Note:
Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 7.x is not impacted by the CVE-2021-44228, since there is no Log4j package bundled with the DPE for VRA7.x plugins. None of the Dell EMC VRA DPE for VRA7.x plugin versions are impacted by this Log4j vulnerability as Dell EMC does not ship any Log4j with the DPE for VRA7.x plugins.

Apply the appropriate remediation version as mentioned in the above table only if using Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 8.x.

Post installation or upgrade to updated versions of Dell EMC DPE, mandatorily apply the VMware recommended remediation available in the VMware KB article required https://kb.vmware.com/s/article/87120 This hyperlink is taking you to a website outside of Dell Technologies..

Revision History

RevisionDateDescription
1.02021-12-15Short-term mitigation.
1.12021-12-16Explicitly called out in summary that Dell EMC vRealize Data Protection Extension for vRA 7.x is not impacted by CVE-2021-44228
1.22021-12-17Included the VMware products as well in the impacted section
1.32021-12-18Included the link for the partial remediation from Dell EMC support site
1.42022-01-03Updated link for all the remediated versions of Dell EMC DPE plugin and updated with information about the remediation available from VMware KB perspective

Related Information

Affected Products

vRealize Data Protection Extension for Avamar

Products

Product Security Information, vRealize Data Protection Extension for NetWorker
Article Properties
Article Number: 000194614
Article Type: Dell Security Advisory
Last Modified: 26 Oct 2023
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.