Dell EMC Streaming Data Platform False Positive Security Vulnerabilities for Apache Log4j (CVE-2021-45105 and CVE-2021-44832)
Podsumowanie: This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC SDP, but which may be identified by security scanners.
Ten artykuł dotyczy
Ten artykuł nie dotyczy
Ten artykuł nie jest powiązany z żadnym konkretnym produktem.
Nie wszystkie wersje produktu zostały zidentyfikowane w tym artykule.
Typ artykułu o zabezpieczeniach
Security KB
Identyfikator CVE
CVE-2021-45105, CVE-2021-44832
Podsumowanie problemu
This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC SDP, but which may be identified by security scanners.
Szczegóły
The below table has the details of the false positives.
Zalecenia
The vulnerabilities that are listed in the table below are in order by the date on which SDP Engineering determined that SDP (all versions) was not vulnerable.
Note: Although these CVEs are not exploitable in SDP, Apache Log4j is upgraded to 2.17.1 in SDP 1.3.1.1; see DSA-2021-297.
Note: Although these CVEs are not exploitable in SDP, Apache Log4j is upgraded to 2.17.1 in SDP 1.3.1.1; see DSA-2021-297.
| Third-party Component | CVE ID | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
| Apache Log4j | CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This may allow an attacker with control over Thread Context Map data to cause a potential denial of service when a crafted string is interpreted. This issue was addressed in Log4j 2.17.0, 2.12.3, and 2.3.1. | SDP does not use the affected non-default Pattern Layout with a Context Lookup class in the Log4j jar. | December 30, 2021 |
| Apache log4j | CVE-2021-44832 | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) may be vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is addressed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. | SDP does not use the affected JDBC Appender in the Log4j jar. | December 30, 2021 |
Zastrzeżenie prawne
Produkty, których dotyczy problem
Streaming Data PlatformProdukty
Streaming Data Platform Family, Product Security InformationWłaściwości artykułu
Numer artykułu: 000195356
Typ artykułu: Security KB
Ostatnia modyfikacja: 08 lut 2022
Wersja: 2
Znajdź odpowiedzi na swoje pytania u innych użytkowników produktów Dell
Usługi pomocy technicznej
Sprawdź, czy Twoje urządzenie jest objęte usługą pomocy technicznej.