ProActive Solutions Addresses Apache log4j Security Situation

By ProActive Solutions

Dec 14, 2021 1:54:55 PM

About 8 minutes

On December 15th a subsequent vulnerability, CVE-2021-45046 has been discovered in the patch that Apache released for Log4j that may allow attackers to launch a DOS attack by adding malicious input data through a JNDI lookup pattern. We expect that subsequent CVEs may be discovered over the coming days and will continue to provide updates to support detection and remediation of post-compromise threat activity.ProActive Solutions is actively monitoring several vendors and their response to the current Apache log4j security situation. In service to our clients, we have consolidated current vendor responses with links where updates are being made available. This is a fluid situation, and we will continue to add new vendor information as it becomes available.

Please note, we are only highlighting key areas of impact and not the full list in the table below. We strongly encourage you to review the vendor announcements for a comprehensive list of product impact/non-impact.

Vendor Reference Info Confirmed Non-Impact Confirmed Impact
Dell LINK VNX Arrays Dell EMC VxRail - TBD on impact and resolution
Dell EMC Unity - TBD on impact and resolution
Dell EMC Recoverpoint - TBD on impact and resolution.
Brocade LINK Brocade FOS SANnav 2.1.1
IBM LINK Storwize storage products (SVC and similar products such as the FS9200, FS9100, V7000, V5000, etc) do not use Apache Log4j so this CVE vulnerability does not apply to them.

IBM Spectrum Scale & ESS

IBM Power- P8 OpenPOWER release OP825 (OP825.50)

IBM Power- Hardware Management Console System Firmware (v3.11_v3.23_hmc)

Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin and X-Force Database
NetApp LINK   Limited impact. See link for details.
Red Hat LINK Red Hat Enterprise Linux 5, 6, 7, 8
Red Hat Cost Management
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Ansible Automation Platform (Engine and Tower)
Red Hat Certificate System
Red Hat Directory Server
Red Hat CloudForms
Red Hat Update Infrastructure
Red Hat Satellite
Red Hat CodeReady Studio 12
Red Hat OpenStack Platform 13
Red Hat Integration Camel K
Red Hat Integration Camel Quarkus
Red Hat OpenShift Application Runtimes Vert.X 4
Red Hat Fuse 7
Red Hat OpenShift 4
Red Hat OpenShift 3.11
Red Hat OpenShift Logging
Red Hat Data Grid 8
Red Hat AMQ Streaming
Palo Alto CVE-2021-44228 Informational: Impact of Log4j Vulnerability CVE-2021-44228 ( PAN-OS software running on firewalls, Prisma Access, WildFire Cloud, WildFire Appliance (WF-500), Bridgecrew, CloudGenix, Cortex XSOAR, Cortex Xpanse, the GlobalProtect app, Cortex XDR agents, Prisma Cloud, Prisma Cloud Compute, IoT Security, SaaS Security, or Okyo Garde. Elasticsearch – under active investigation
HPE LINK Aurba Central, ArubaOS SD-WAN Controllers and Gateways, HPE OneView, HPE VCEM, HPE VSE, Nimble Storage HPE Simplivity 2600 all versions, 325 all versions, 380 all versions, 3PAR Service Processor all versions, 3PAR StoreServ management and Core Software media all versions, iMC all versions
Extra Hop LINK   Reveal(x) Enterprise has firmware updates available for v8.4, v8.5, and v8.6
Commvault LINK TBD Cloud App package, Oracle Agent, Microsoft SQL Server agent – patch updates are now available

FlashArray: Fixes will be made available in all active Purity lines (5.3.x, 6.0.x, 6.1.x, 6.2.x) ETA - Successive releases will be made available between 22 Dec, 2021 and 5 Jan, 2022.

Cloud Block Store: Fixes will be made available in all active Purity lines (CBS5.3.x, CBS6.1.x, CBS6.2.x). ETA - Successive releases will be made available between 27 Dec, 2021 and 10 Jan, 2022.

FlashBlade: Fixes to be made available in all active Purity lines (3.1.x, 3.2.x, 3.3.x). ETA Successive releases will be made available between 22 Dec, 2021 and 31 Dec, 2021.

PURE VM Collector: Fixes estimated to be available by 15 Dec, 2021

Want to learn more or reach out to ProActive Solutions regarding any Apache Log4j security situations, reach out to us here!

Tags: Apache log4j, IBM Security X-Force