Dell BSAFE: Usage of Apache Log4j by Dell BSAFE toolkits
Summary: This article provides a list of security vulnerabilities that cannot be exploited with Dell BSAFE Crypto-J, SSL-J, or Cert-J, but which may be identified by security scanners.
This article is not tied to any specific product.
Not all product versions are identified in this article.
Security Article Type
Security KB
CVE Identifier
CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105
Issue Summary
Dell BSAFE Crypto-J, Dell BSAFE SSL-J, and Dell BSAFE Cert-J do not use Apache Log4j for logging, nor do they have any dependencies on Log4j at runtime.
Recommendations
Dell BSAFE Java toolkits, including Crypto-J, SSL-J, and Cert-J, do not use Apache Log4j for logging. If you are receiving the pre-compiled jar files from Dell, no action is necessary.
Some BSAFE customers may have a source code license agreement in place with Dell, allowing customers to receive a source code package and produce Crypto-J, SSL-J, or Cert-J jar files. Older versions of such source code packages had a dependency on a third-party package which, itself, had a dependency on Apache Log4j 1.2.x. Most recent versions of supported source code packages do not include any dependencies on Log4j 1.2.x or 2.x.
| Product | Last version impacted | Remediation |
|---|---|---|
| BSAFE SSL-J source code package | 6.2.7 | SSL-J 6.3 and later are not impacted |
| BSAFE Crypto-J source code package | 6.2.4 | Crypto-J 6.2.5 and later are not impacted |
| BSAFE Cert-J source code package | 6.2.4 | Not Applicable |
As BSAFE Cert-J reaches End Of Support Life in January 2022 with a migration path to use Crypto-J JCE, no new source code package will be created.
Customers still building the impacted BSAFE source code packages are advised to do one of the following:
- Disable the build target called "confidence.coverage" to fully mitigate the issue; or
- Upgrade the third-party component (Cobertura) having a dependency on Log4j; or
- Upgrade their build environments to use the most recent source packages of SSL-J and/or Crypto-J.
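
One way to confirm that a build environment is clear after applying one of the options above. This is an added example, not Dell's code: it scans archives under a directory, including nested ones, for Log4j 1.x, Log4j 2.x core, and Cobertura classes. The package prefixes are the standard ones for those projects; the directory to scan is an assumption and depends on your build layout.

```python
import io
import zipfile
from pathlib import Path

# Package paths that identify each component inside an archive.
MARKERS = {
    "log4j-1.x": "org/apache/log4j/",
    "log4j-2.x-core": "org/apache/logging/log4j/core/",
    "cobertura": "net/sourceforge/cobertura/",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label):
    """Return sorted (location, component) pairs, recursing into nested archives."""
    hits = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            for component, package in MARKERS.items():
                # "in" rather than startswith: also catches WEB-INF/classes/ and shaded paths
                if package in name and name.endswith(".class"):
                    hits.add((label, component))
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.update(scan_archive(zf.read(name), f"{label}!{name}"))
    return sorted(hits)


def scan_tree(root):
    """Scan every archive under root (build output and build-time library directories)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


if __name__ == "__main__":
    import sys
    for location, component in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{component}\t{location}")
```

A hit on Cobertura or Log4j in a build-time library directory matches the dependency path this article describes. The Log4j 2 `log4j-1.2-api` bridge also ships classes under `org/apache/log4j/`, so check the jar name before treating a `log4j-1.x` hit as Log4j 1.2.x itself.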
Affected Products
BSAFE Cert-J, BSAFE Crypto-J, BSAFE SSL-J
Article Properties
Article Number: 000195054
Article Type: Security KB
Last Modified: 24 Jan 2022
Version: 1