Dell Connectrix DS 6630B SANnav Management Portal 2.1.1.7 CSI Patch Release Co - Page 2
Overview, Log4j 1.x and Log4j 2.x Vulnerability Background and SANnav Mitigation
Page 2 highlights
Overview

This document describes the details of the content and installation instructions of the SANnav Management Global v2.1.1.7 CSI patch. The main driver of the SANnav Management Global v2.1.1.7 CSI release is to mitigate any potential Log4j 1.x and Log4j 2.x vulnerabilities in the SANnav code.

Log4j 1.x and Log4j 2.x Vulnerability Background and SANnav Mitigation

There are multiple reported CVEs related to the Java Log4j logging library, which include:

- CVE-2021-44228 (JNDI in Log4j2 2.0-beta9 through 2.15.0)
- CVE-2021-4104 (JMSAppender in Log4j 1.2)
- CVE-2021-42550 (logback version 1.2.7)

In addition, there have been additional CVEs related to Log4j 1.x that may also be of concern to customers:

- CVE-2022-23302 (JMSSink)
- CVE-2022-23305 (JDBCAppender)
- CVE-2022-23307 (CHAINSAW)

For more information about these CVEs, please refer to the NIST National Vulnerability Database website (https://nvd.nist.gov).

SANnav v2.2.0.x code makes use of OSS (Open Source Software) that in turn uses either Log4j 1.x or Log4j 2.x libraries. Specifically, these OSS components are the Apache Software Foundation libraries. SANnav proprietary code also contains Log4j 1.x libraries; however, these libraries are not directly used by Dell SANnav-specific code internally. In other words, SANnav does not make or invoke direct Java calls to these libraries.

SANnav makes use of the following Log4j 1.x libraries and Log4j 2.x libraries:

- log4j-1.2.x.jar (contained but not used by SANnav code; contained and used by third party code)
- log4j-core-2.11.0 (used by Apache Ignite only)
- Ignite-yarn-2.5.11.jar (used by Apache Ignite only)

There are different mitigation options for Log4j 1.x and Log4j 2.x library vulnerabilities recommended by Apache Software Foundation (see https://logging.apache.org/log4j/2.x/security.html) for the Apache OSS in SANnav as follows:

- Log4j 1.x mitigation

  It is recommended to remove all potentially vulnerable class objects from the code. While it is believed that SANnav is not vulnerable to any of the 1.x vulnerabilities identified, all of the following class objects have been removed to eliminate any potential for exploit against the identified CVEs.

  - JndiLookup
  - JMSAppender
  - JDBCAppender
  - JMSSink
  - Chainsaw
  - SMTPAppender

2 Dell Connectrix SANnav Portal Patch Release Content Notes
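One way to check that the class objects listed above are absent from the JARs of an installation, as an added example that is not part of the Dell document or the SANnav code. It matches on simple class names and on the chainsaw package directory (both assumptions of this example), recurses into bundled archives, and runs against sample archives constructed in memory.

```python
import io
import zipfile

# Class names from the removal list above, matched on the simple name (an
# assumption of this example). Chainsaw is a Log4j 1.2 package: match its directory.
REMOVED_CLASSES = {"JndiLookup", "JMSAppender", "JDBCAppender",
                   "JMSSink", "SMTPAppender"}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label="archive", depth=0, max_depth=4):
    """Return sorted 'outer!/inner' paths of listed classes still present."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    hits = []
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            simple = name.rsplit("/", 1)[-1]
            if simple.endswith(".class"):
                base = simple[:-len(".class")].split("$", 1)[0]  # fold inner classes
                if base in REMOVED_CLASSES or "/chainsaw/" in lower:
                    hits.append(f"{label}!/{name}")
            elif lower.endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                # Fat JARs and WARs bundle other JARs, so recurse into them.
                hits += scan_archive(zf.read(name), f"{label}!/{name}",
                                     depth + 1, max_depth)
    return sorted(hits)

def build_jar(entries):
    """Build an in-memory JAR from {path: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples: unpatched and patched Log4j 1.2-style JARs inside one archive.
UNPATCHED = build_jar({
    "org/apache/log4j/Logger.class": b"",
    "org/apache/log4j/net/JMSAppender.class": b"",
    "org/apache/log4j/chainsaw/Main.class": b"",
})
PATCHED = build_jar({"org/apache/log4j/Logger.class": b""})
APP = build_jar({"lib/log4j-1.2.x.jar": UNPATCHED, "lib/ok.jar": PATCHED})

if __name__ == "__main__":
    print("\n".join(scan_archive(APP, "app.war")) or "no listed classes found")
```

To scan a real file, pass its bytes and name, for example `scan_archive(open(path, "rb").read(), path)`; an empty result means none of the listed classes were found.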