Article Number: 000194614


DSA-2021-290: Dell EMC vRealize Data Protection Extension for vRealize Automation 8.x Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105)

Summary: Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 8.x short-term mitigation is available for the Apache Log4j Remote Code Execution Vulnerability that may be

Article Content


Impact

Critical

Details

Third-party Component: Apache Log4j
CVE: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
More information: Apache Log4j Remote Code Execution

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Product: vRealize Data Protection Extension for vRealize Automation (vRA) 8.x
Affected Versions: 19.6
Updated Versions: 19.6.1
Link to Update: https://dl.dell.com/downloads/DL107367_vRealize-Data-Protection-Extension-19.6.1-for-vRA8.x.vmoapp
The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").
See the plugin installation guide for instructions on how to install or upgrade to this build:
https://dl.dell.com/content/docu100728_vrealize-8-x-dpe-for-data-protection-systems-installation-and-administration-guide.pdf?language=en-us

Product: vRealize Data Protection Extension for vRealize Automation (vRA) 8.x
Affected Versions: 19.7
Updated Versions: 19.7.1
Link to Update: https://dl.dell.com/downloads/DL107369_vRealize-Data-Protection-Extension-19.7.1-for-vRA8.x.vmoapp
The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").
See the plugin installation guide for instructions on how to install or upgrade to this build:
https://dl.dell.com/content/docu100728_vrealize-8-x-dpe-for-data-protection-systems-installation-and-administration-guide.pdf?language=en-us

Product: vRealize Data Protection Extension for vRealize Automation (vRA) 8.x
Affected Versions: 19.8
Updated Versions: 19.8.1
Link to Update: https://dl.dell.com/downloads/DL107368_vRealize-Data-Protection-Extension-19.8.1-for-vRA8.x.vmoapp
The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").
See the plugin installation guide for instructions on how to install or upgrade to this build:
https://dl.dell.com/content/docu100728_vrealize-8-x-dpe-for-data-protection-systems-installation-and-administration-guide.pdf?language=en-us

Product: vRealize Data Protection Extension for vRealize Automation (vRA) 8.x
Affected Versions: 19.9
Updated Versions: 19.9.1.1
Link to Update: https://dl.dell.com/downloads/DL107263_vRealize-Data-Protection-Extension-19.9.1.1-for-vRA8.x.vmoapp
The updated vRealize Data Protection Extension version contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").
See the plugin installation guide for instructions on how to install or upgrade to this build:
https://dl.dell.com/content/docu100728_vrealize-8-x-dpe-for-data-protection-systems-installation-and-administration-guide.pdf?language=en-us

Product: VMware vRealize Automation 8.x
Affected Versions: 8.2, 8.3, 8.4, 8.5, and 8.6
Updated Versions: Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120
Link to Update: Apply the mitigation recommended by VMware in KB article https://kb.vmware.com/s/article/87120. The same mitigation must be applied because the DPE plugin is a package that is installed and runs inside customers' vRA or vRO 8.x virtual appliances.

Product: VMware vRealize Orchestrator 8.x
Affected Versions: 8.2, 8.3, 8.4, 8.5, and 8.6
Updated Versions: Remediation provided by VMware as per VMware KB https://kb.vmware.com/s/article/87120
Link to Update: Apply the mitigation recommended by VMware in KB article https://kb.vmware.com/s/article/87120. The same mitigation must be applied because the DPE plugin is a package that is installed and runs inside customers' vRA or vRO 8.x virtual appliances.

 

 

Workarounds and Mitigations

For all affected vRealize Data Protection Extension for vRealize Automation (vRA) 8.x versions, up to and including 19.9, follow the mitigation steps below:

1. Install or upgrade to the newly released updated version listed in the table above, which contains the remediation for the Apache Log4j CVE-2021-44228 vulnerability (aka "Log4Shell" or "Logjam").

   See the DPE plugin installation guide for instructions on how to install or upgrade to this build:
   https://dl.dell.com/content/docu100728_vrealize-8-x-dpe-for-data-protection-systems-installation-and-administration-guide.pdf?language=en-us

2. After installing or upgrading to the updated Dell EMC DPE, you must also apply the workarounds or remediations recommended by VMware in this article, as required: https://kb.vmware.com/s/article/87120

If help is required with a customer-supplied vRealize Automation or vRealize Orchestrator or VMware products outside Dell EMC vRealize Data Protection Extension, reach out to VMware for assistance. For Dell EMC vRealize Data Protection Extension, reach out to Dell Support for assistance.

Note:
Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 7.x is not impacted by CVE-2021-44228, since no Log4j package is bundled with the DPE for vRA 7.x plugins. None of the Dell EMC DPE for vRA 7.x plugin versions are impacted by this Log4j vulnerability, as Dell EMC does not ship Log4j with the DPE for vRA 7.x plugins.

Apply the appropriate remediation version as mentioned in the above table only if using Dell EMC vRealize Data Protection Extension for vRealize Automation (vRA) 8.x.

After installing or upgrading to an updated version of Dell EMC DPE, you must apply the VMware-recommended remediation available in VMware KB article https://kb.vmware.com/s/article/87120.

Revision History

Revision  Date        Description
1.0       2021-12-15  Short-term mitigation.
1.1       2021-12-16  Explicitly called out in summary that Dell EMC vRealize Data Protection Extension for vRA 7.x is not impacted by CVE-2021-44228
1.2       2021-12-17  Included the VMware products as well in the impacted section
1.3       2021-12-18  Included the link for the partial remediation from Dell EMC support site
1.4       2022-01-03  Updated link for all the remediated versions of Dell EMC DPE plugin and updated with information about the remediation available from VMware KB perspective

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


The information in this Dell Technologies Security Advisory should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.

Article Properties


Affected Product

vRealize Data Protection Extension for Avamar

Product

Product Security Information, vRealize Data Protection Extension for NetWorker

Last Published Date

10 Jan 2022

Version

5

Article Type

Dell Security Advisory