
Apache Log4j CVE-2021-44228 vulnerability

Published: Jan 06, 2021

Thank you for using NEC Express5800 products.

We have been informed of a new vulnerability in Apache Log4j (CVE-2021-44228) supporting speculative and out-of-order executions. The following vulnerabilities may affect our products:

  • CVE ID numbers
    CVE-2021-44228

Any of our products with this vulnerability, if attacked by a malicious program, are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

Effect of the Apache Log4j vulnerability and solution.

Please refer to the following for the effect of the Apache Log4j vulnerability (CVE-2021-44228).

  • FT Servers

    Although the Linux and VMware models of FT servers use Apache Log4j, they are not affected by the vulnerability
    since they use the Version 1.x series. Windows models do NOT use Apache Log4j.


  • ESMPRO

    Please see relevant information released by the operating system vendors.
    Note that this application may degrade the performance depending on the usage or load of your product.

    The products below do NOT use Apache Log4j, so they are not affected by the vulnerability.
          • ESMPRO/ServerAgent(Windows/Linux)
          • ESMPRO/ServerAgentService(Windows/Linux)
    The products below use Apache Log4j.
          • ESMPRO/ServerManager Ver.6 or Ver.7
    However, the versions that use Apache Log4j and are possibly affected by the vulnerability are the following:
          • ESMPRO/ServerManager Ver.6.37 ~ 6.56
          • ESMPRO/ServerManager Ver.7.00
    A patch for ESMPRO/ServerManager has been released below as a Log4j countermeasure:
            <NEC ESMPRO Manager Update>

  • NEC Storage

      Log4j usage in iSM server and iSM Express is as follows:

      The iSM server, iSM client, network setting tool, and iSCSI simple setting tool are installed in environments where NEC iStorage Manager and/or NEC iStorage Manager Express is used.
      iStorageManager Server does not use Java; therefore, the log4j vulnerability will not have any negative impact.

      The iSM client, network setting tool and iSCSI simple setting tool do use Java; however, the current vulnerability will not have an impact on the environment for the following reasons:
      For iSM client and network setting tool: They use log4j, but not a version affected by the vulnerability.
      For iSCSI simple setting tool: It does not use log4j.
      This is common to all versions and does not depend on the version of each storage-related software product.

      When using VMware connection software, the situation is as follows.
      WebSAM Storage VMware vSphere Web Client Plug-in (vCenter plugin) does use log4j, but not a version affected by the vulnerability.
      WebSAM Storage Analyzer for VMware vRealize Operations (vROps Adapter) is known to use log4j; however, it was confirmed that the vulnerability does not become apparent and there is no impact.
      In addition, VMware has already released an information patch for vROps; please refer to the URL below for more information.

      <https://kb.vmware.com/s/article/87076>


      WebSAM Storage VASA Provider (VASA Provider) also uses log4j; however, it was confirmed that the vulnerability does not become apparent and there is no impact.

  • NEC Hydra

      The CVE-2021-44228 vulnerability only affects Apache Log4j versions between 2.0 and 2.14.1. The GUI is unaffected because the log4j used in the GUI is 1.2.17.
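
A defender's check for the version statements above, as an added example that is not NEC's or Apache's code: it reads the Log4j version from each jar, including jars nested inside a WAR, and compares it with the 2.0 to 2.14.1 range this page gives. The Maven `pom.properties` paths, the file-name pattern, the helper names and the sample archive are assumptions constructed for illustration.

```python
import io, re, zipfile
# Page's range for CVE-2021-44228 (2.0 to 2.14.1); the Maven metadata paths below are assumed.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
POM_RE = re.compile(r"META-INF/maven/(?:org\.apache\.logging\.log4j/log4j-core|log4j/log4j)/pom\.properties$")
NAME_RE = re.compile(r"log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?)(?:-[a-z]+\d*)?\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release tag ignored)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def jar_version(name, data):
    """Prefer pom.properties inside the archive; fall back to the file name."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            for entry in filter(POM_RE.search, jar.namelist()):
                for line in jar.read(entry).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line[8:])
    m = NAME_RE.search(name)
    return parse_version(m.group(1)) if m else None

def classify(version):
    if version[0] == 1:
        return "1.x, outside the CVE-2021-44228 range"
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside range"

def scan(name, data, depth=0):
    """List (path, version, verdict) for this archive and nested jar/war/ear files."""
    version = jar_version(name, data)
    found = [(name, version, classify(version))] if version else []
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for entry in archive.namelist():
                if entry.lower().endswith((".jar", ".war", ".ear")):
                    found += scan(f"{name}!/{entry}", archive.read(entry), depth + 1)
    return found

def make_archive(entries):  # builds a constructed in-memory sample archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry, payload in entries.items():
            z.writestr(entry, payload)
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample: a WAR bundling two libraries
    core = make_archive({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n"})
    war = make_archive({"WEB-INF/lib/renamed.jar": core, "WEB-INF/lib/log4j-1.2.17.jar": make_archive({})})
    print(*scan("app.war", war), sep="\n")
```

Reading the embedded metadata first means a renamed jar is still identified; the file name is only a fallback.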

