Secure Connect Gateway and SupportAssist Enterprise: Apache Log4J Vulnerability False Positives (CVE-2021-45105 and CVE-2021-44832)
요약: This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC Secure Connect Gateway and SupportAssist Enterprise, but which may be identified by security scanners. ...
이 문서는 다음에 적용됩니다.
이 문서는 다음에 적용되지 않습니다.
이 문서는 특정 제품과 관련이 없습니다.
모든 제품 버전이 이 문서에 나와 있는 것은 아닙니다.
보안 문서 유형
Security KB
CVE 식별자
CVE-2021-45105, CVE-2021-44832
문제 요약
See the 'Recommendation' section below for details on the CVEs.
권장 사항
The vulnerabilities listed in the table below are in order by the date on which Secure Connect Gateway (SCG) Application Edition version 5.0.6, Secure Connect Gateway (SCG) Virtual Edition version 5.0.7, and SupportAssist Enterprise (SAE) version 2.0.80 were found not vulnerable by Dell Engineering.
| Third-party Component | CVE ID | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
| Apache Log4J | CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. | This vulnerability happens whenever a customized pattern layouts is used similar to the below: <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n ${${::-${::-$${::-j}}}}"/> <PatternLayout pattern=”%d %p %c{1.} [%t] $${ctx:loginId} %m%n”/> SCG does not use customized pattern layouts with thread context variables as part of the layout. Also, no user input goes into thread context variables. As lookups are disabled in 2.16.0, the vulnerability is not applicable even if the thread context variables are passed as part of the message. OS attack which is identified in Log4j 2.16.0, does not have an impact on SCG. |
1/17/2022 |
| Apache Log4J | CVE-2021-44832 | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. | In SCG and SAE, we do not use JDBCAppender. SCG uses only FileAppender to log in to the filesystem. The vulnerability is not applicable for SCG and SAE. |
1/17/2022 |
법적 고지 사항
해당 제품
Secure Connect Gateway, Secure Connect Gateway, Secure Connect Gateway - Application Edition, Secure Connect Gateway - Virtual Edition제품
SupportAssist Enterprise, SupportAssist for Home PCs, Product Security Information, SupportAssist for Business PCs문서 속성
문서 번호: 000195331
문서 유형: Security KB
마지막 수정 시간: 19 9월 2025
버전: 2
다른 Dell 사용자에게 질문에 대한 답변 찾기
지원 서비스
디바이스에 지원 서비스가 적용되는지 확인하십시오.