Apache Log4j CVE-2021-44228 vulnerability
Thank you for using NEC Express5800 products.
We have been informed of a new vulnerability in Apache Log4j (CVE-2021-44228) supporting
speculative and out-of-order executions.
The following vulnerabilities may affect our products:
- CVE ID numbers
CVE-2021-44228
Any of our products with this vulnerability, if attacked by a malicious program, are vulnerable to a
remote code execution (RCE) attack where an attacker with permission to modify the
logging configuration file can construct a malicious configuration using a JDBC Appender with a data
source referencing a JNDI URI which can execute remote code.
The effect of the Apache Log4j vulnerability and solution.
Please refer to the following for the effect of the Apache Log4j vulnerability (CVE-2021-44228).
- FT Servers
Although the Linux and VMware models of FT servers use Apache Log4j, they are not affected by
the vulnerability since they use the Version 1.x series. Windows models do NOT use Apache Log4j.
- ESMPRO
Please see relevant information released by the operating system vendors.
Note that this application may degrade the performance depending on the usage or load of
your product.
The products below do NOT use Apache Log4j; therefore they are not affected by the
vulnerability.
- ESMPRO/ServerAgent(Windows/Linux)
- ESMPRO/ServerAgentService(Windows/Linux)
The products below use Apache Log4j.
- ESMPRO/ServerManager Ver.6 or Ver.7
However, the versions that use Apache Log4j and are possibly affected by the
vulnerability are the following:
- ESMPRO/ServerManager Ver.6.37 ~ 6.56
- ESMPRO/ServerManager Ver.7.00
- A patch for ESMPRO/ServerManager has been released below as a Log4j
countermeasure:
<NEC ESMPRO Manager Update>
- NEC Storage
Log4j usage on iSM server and iSM Express is detailed as follows:
The iSM server, iSM client, network setting tool and iSCSI simple setting tool are
installed in environments where NEC iStorage Manager and/or NEC iStorage Manager
Express is being used.
iStorageManager Server does not use Java; therefore, the log4j vulnerability will
not have any negative impact.
The iSM client, network setting tool and iSCSI simple setting tool do use
Java; however, the current vulnerability will not have an impact on the environment for
the following reasons:
For iSM client and network setting tool: They currently use log4j, but do
not use a version affected by the vulnerability.
For iSCSI simple setting tool: Does not use log4j.
This is common to all versions and does not depend on the version of each
storage-related software.
When using VMware connection software, it is as follows.
WebSAM Storage VMware vSphere Web Client Plug-in (vCenter plugin) does use log4j;
however, it does not use a version affected by the vulnerability.
WebSAM Storage Analyzer for VMware vRealize Operations (vROps Adapter) is known
to use log4j; however, it was confirmed that the vulnerability does not become
apparent and there is no impact.
In addition, VMware has already released patch information for vROps; please refer to
the URL below for more information.
<https://kb.vmware.com/s/article/87076>
WebSAM Storage VASA Provider (VASA Provider) also uses log4j; however,
it was confirmed that the vulnerability does not become apparent and there is no impact.
- NEC Hydra
CVE-2021-44228 only affects Apache Log4j versions between 2.0 and
2.14.1. The GUI is unaffected because the log4j used in the GUI is 1.2.17.
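
The version rule stated on this page (Log4j 1.x not affected, 2.0 through 2.14.1 affected) can be checked against an installation directory. The following is an added example, not NEC code: the function names and the sample jars are constructed for illustration, and reading the version from the jar's Maven pom.properties entry assumes the jar was packaged with that metadata.

```python
import re, tempfile, zipfile
from pathlib import Path

# Range this page states for CVE-2021-44228: Log4j 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Assumed location of the Maven metadata inside a log4j-core 2.x jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j(?:-core)?-(\d+(?:\.\d+)*)[^/]*\.jar$", re.I)

def classify(version):
    """Apply the page's rule: 1.x not affected, 2.0 to 2.14.1 affected."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    v = tuple(nums + [0] * (3 - len(nums)))
    if v[0] == 1:
        return "not affected (1.x)"
    return "AFFECTED" if AFFECTED_MIN <= v <= AFFECTED_MAX else "outside stated range"

def jar_version(jar):
    """Prefer metadata inside the jar (survives a rename); else use the file name."""
    m = None
    if zipfile.is_zipfile(jar):
        with zipfile.ZipFile(jar) as z:
            if POM in z.namelist():
                m = re.search(r"^version=(\S+)", z.read(POM).decode(), re.M)
    m = m or NAME_RE.search(jar.name)
    return m.group(1) if m else None

def scan(root):
    """Map each Log4j jar found under root to (version, verdict)."""
    report = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        ver = jar_version(jar)
        if ver:
            report[jar.relative_to(root).as_posix()] = (ver, classify(ver))
    return report

def demo():
    """Scan a constructed tree: a 1.x jar, a 2.x jar, and a renamed 2.x jar."""
    with tempfile.TemporaryDirectory() as d:
        for name, pom in [("gui/log4j-1.2.17.jar", None),
                          ("app/log4j-core-2.14.1.jar", "version=2.14.1\n"),
                          ("app/lib/logging.jar", "version=2.10.0\n")]:
            path = Path(d, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            with zipfile.ZipFile(path, "w") as z:
                z.writestr(POM if pom else "README", pom or "constructed")
        return scan(d)

if __name__ == "__main__":
    print(demo())
```

Call scan() with a product's installation directory to inventory the jars it ships; the renamed logging.jar in the demo is identified from its embedded metadata rather than its file name.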