Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000194663


DSA-2021-289: Dell EMC Cloud Disaster Recovery Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832)

Summary: Dell EMC Cloud Disaster Recovery remediation is available for the Apache Log4j Remote Code Execution Vulnerability that may be exploited by malicious users to compromise the affectedSee more

Article Content


Impact

Critical

Details

Third-party Component CVEs More information
Apache Log4j CVE-2021-44228 Apache Log4j Remote Code Execution
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
Third-party Component CVEs More information
Apache Log4j CVE-2021-44228 Apache Log4j Remote Code Execution
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Product Affected Versions Updated Versions Link to Update
CVE-2021-44228
CVE-2021-45046
Dell EMC Cloud Disaster Recovery
 
19.6.x
19.7.x
19.8.x
19.9.x
 
19.6.0.3
19.7.0.3
19.8.0.7
19.9.0.4
https://www.dell.com/support/home/en-in/product-support/product/data-domain-cloud-dr-for-avamar/drivers
CVE-2021-45105
CVE-2021-44832
19.6.x
19.7.x
19.8.x
19.9.x
19.8.0.7
19.9.0.4

 

Note: Dell Technologies strongly recommends customers to upgrade to CDR versions 19.9.0.4 and 19.8.0.7 to leverage the latest Log4J fixes.
CVEs Addressed Product Affected Versions Updated Versions Link to Update
CVE-2021-44228
CVE-2021-45046
Dell EMC Cloud Disaster Recovery
 
19.6.x
19.7.x
19.8.x
19.9.x
 
19.6.0.3
19.7.0.3
19.8.0.7
19.9.0.4
https://www.dell.com/support/home/en-in/product-support/product/data-domain-cloud-dr-for-avamar/drivers
CVE-2021-45105
CVE-2021-44832
19.6.x
19.7.x
19.8.x
19.9.x
19.8.0.7
19.9.0.4

 

Note: Dell Technologies strongly recommends customers to upgrade to CDR versions 19.9.0.4 and 19.8.0.7 to leverage the latest Log4J fixes.

Workarounds and Mitigations

Workarounds and Mitigations provided below are applicable only for versions 19.6.0.3 and 19.7.0.3.

For CDRA - On premise virtual machine:

  1. SSH to CDRA VM using cdr user.

  2. Create cdra_log4jfix.sh in /tmp/ directory with the following content:
#! /bin/sh
cdr_backup()
{
  mkdir -p /tmp/cdr_backup
  cp /home/cdr/cdra/lib/cdra_main.jar /tmp/cdr_backup/cdra_main.jar.bak
  cp /home/cdr/cdra/resources/restore/restore_vm.jar /tmp/cdr_backup/restore_vm.jar.bak
}
update_executable()
{
  echo "Updating CDRA executable."
  sed -i 's/=CDRS/=CDRS -Dlog4j2.formatMsgNoLookups=true/g' /home/cdr/cdra/executable
}
update_restore_vm()
{
  echo "Updating restore_vm.jar."
  cd /home/cdr/cdra/resources/restore
  zip -q -d restore_vm.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  zip -q -d restore_vm.jar shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class
}
update_cdra_main()
{
  echo "Updating cdra_main.jar."
  LOG4J_JAR_FILE_LOCATION=BOOT-INF/lib/log4j-core-2.13.2.jar
  echo "Stopping CDR service."
  sudo service cdra stop
  cd /home/cdr/cdra/lib/
  mkdir -p BOOT-INF/lib
  unzip -p cdra_main.jar $LOG4J_JAR_FILE_LOCATION > $LOG4J_JAR_FILE_LOCATION
  zip -q -d $LOG4J_JAR_FILE_LOCATION org/apache/logging/log4j/core/lookup/JndiLookup.class
  zip -u -0 -n *.jar cdra_main.jar $LOG4J_JAR_FILE_LOCATION
  rm -rf BOOT-INF
  echo "Starting CDR service. This may take a few minutes."
  sudo service cdra start
  for i in {1..10}
  do
    sleep 30
    echo "Checking CDR service status..."
    RESP_CODE=$(curl -kfsL -o /dev/null -w '%{http_code}' -X GET https://localhost/rest/cdr-version -H "accept: application/json")
    if [[ "$RESP_CODE" == 200 ]]; then
      echo "CDR service started successfully."
      return 0
    fi
  done
  echo "Failed to run CDR service. Please contact Dell Support."
  exit 1
}
main()
{
   CDR_VER=$(curl -s -X GET https://localhost/rest/cdr-version -H "accept: application/json" -k)
   echo "CDR version is : $CDR_VER"
   if [[ $CDR_VER =~ 19\.[6-9] ]]; then
      cdr_backup
      update_executable
      update_restore_vm
      update_cdra_main
    else
      echo "log4j workaround is required only for CDR versions between 19.6 and 19.9."
      exit 0
    fi
    rm -rf /tmp/cdr_backup
}
main
  1. Run the following commands:
  • dos2unix /tmp/cdra_log4jfix.sh

  • chmod +x /tmp/cdra_log4jfix.sh

  • sudo /tmp/cdra_log4jfix.sh


For CDRS Deployed on cloud (AWS, AZURE, AWS GOV, or AZURE GOV)

  1. Log in to the CDRS VM over SSH. For assistance in accessing CDRS over SSH, contact Dell Support.

  2. Create cdrs_log4jfix.sh in /tmp/ directory with the following content:

#! /bin/sh
cdr_backup()
{
  mkdir -p /tmp/cdr_backup
  cp /home/cdr/executable /tmp/cdr_backup/executable.bak
  cp /home/cdr/resources/restore_service.tar.gz /tmp/cdr_backup/restore_service.tar.gz.bak
  cp /home/cdr/lib/cdrs_main.jar /tmp/cdr_backup/cdrs_main.jar.bak
}
update_executable()
{
  echo "Updating CDRS executable."
  sed -i 's/=CDRS/=CDRS -Dlog4j2.formatMsgNoLookups=true/g' /home/cdr/executable
}
update_restore_service()
{
  L_CDR_VER=$1
  echo "Updating restore_service.jar."
  BASE_PATH=/home/cdr/resources
  cd $BASE_PATH
  gunzip restore_service.tar.gz
  tar -xvf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  if [[ ${L_CDR_VER} =~ 19\.[6-9] ]]; then
     zip -q -d lib_${L_CDR_VER}/restore_service.jar shadow/org/apache/logging/log4j/core/lookup/JndiLookup.class
  fi
  zip -q -d lib_${L_CDR_VER}/restore_service.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  tar --delete -f restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  tar -uf restore_service.tar lib_${L_CDR_VER}/restore_service.jar
  rm -rf lib_${L_CDR_VER}
  gzip restore_service.tar
}
update_cdrs_main()
{
  echo "Updating cdrs_main.jar."
  LOG4J_JAR_FILE_LOCATION=BOOT-INF/lib/log4j-core-2.13.2.jar
  echo "Stopping CDR service."
  sudo service cdrd stop
  cd /home/cdr/lib/
  mkdir -p BOOT-INF/lib
  unzip -p cdrs_main.jar $LOG4J_JAR_FILE_LOCATION > $LOG4J_JAR_FILE_LOCATION
  zip -q -d $LOG4J_JAR_FILE_LOCATION org/apache/logging/log4j/core/lookup/JndiLookup.class
  zip -u -0 -n *.jar cdrs_main.jar $LOG4J_JAR_FILE_LOCATION
  rm -rf BOOT-INF
  echo "Starting CDR service. This may take a few minutes."
  sudo service cdrd start
  for i in {1..10}
  do
    sleep 30
    echo "Checking CDR service status..."
    RESP_CODE=$(curl -kfsL -o /dev/null -w '%{http_code}' -X GET https://localhost/rest/cdr-version -H "accept: application/json")
    if [[ "$RESP_CODE" == 200 ]]; then
      echo "CDR service started successfully."
      return 0
    fi
  done
  echo "Failed to run CDR service. Please contact Dell Support."
  exit 1
}
main()
{
   cdr_backup
   CDR_VER=$(curl -s -X GET https://localhost/rest/cdr-version -H "accept: application/json" -k)
   echo "CDR version is : $CDR_VER"
   if [[ $CDR_VER =~ 19\.[6-9] ]]; then
      update_executable
      update_restore_service $CDR_VER
      update_cdrs_main
    elif ([[ $CDR_VER =~ 19\.[2-5] ]] || [[ $CDR_VER =~ 19\.1\.[0-9] ]]); then
      update_restore_service $CDR_VER
    else
      echo "This script is applicable only for CDR versions between 19.1 and 19.9."
      exit 1
    fi
    rm -rf /tmp/cdr_backup
}
main

  1. Run the following commands:

  • dos2unix /tmp/cdrs_log4jfix.sh
  • chmod +x /tmp/cdrs_log4jfix.sh
  • sudo /tmp/cdrs_log4jfix.sh

Revision History

RevisionDateDescription
1.02021-12-20Initial Release.
2.02021-12-22Updated workaround
3.02021-01-10Added CVE-2021-45105
4.02022-02-08Added CVE-2021-44832

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


The information in this Dell Technologies Security Advisory should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.

Article Properties


Affected Product

Cloud Disaster Recovery

Last Published Date

09 Feb 2022

Version

6

Article Type

Dell Security Advisory