Dell Connectrix DS 6630B SANnav Management Portal 2.1.1.7 CSI Patch Release Co - Page 2

Overview, Log4j 1.x and Log4j 2.x Vulnerability Background and SANnav Mitigation



Dell Connectrix SANnav Portal Patch Release Content Notes
Overview
This document describes the content of, and the installation instructions for, the SANnav Management Global v2.1.1.7 CSI patch.
The main driver of the SANnav Management Global v2.1.1.7 CSI release is to mitigate any potential Log4j 1.x and Log4j 2.x vulnerabilities in the SANnav code.
Log4j 1.x and Log4j 2.x Vulnerability Background and SANnav Mitigation
There are multiple reported CVEs related to the Java Log4j logging library, which include:
• CVE-2021-44228 (JNDI lookup in Log4j2 2.0-beta9 through 2.15.0)
• CVE-2021-4104 (JMSAppender in Log4j 1.2)
• CVE-2021-42550 (logback 1.2.7 and earlier; logback is a separate logging library, not Log4j)
In addition, there are further CVEs related to Log4j 1.x that may also be of concern to customers:
• CVE-2022-23302 (JMSSink)
• CVE-2022-23305 (JDBCAppender)
• CVE-2022-23307 (Chainsaw)
For more information about these CVEs, refer to the NIST National Vulnerability Database website (https://nvd.nist.gov).
SANnav v2.2.0.x code makes use of OSS (Open Source Software) that in turn uses either Log4j 1.x or Log4j 2.x libraries. Specifically, these OSS components are Apache Software Foundation libraries. SANnav proprietary code also contains Log4j 1.x libraries; however, these libraries are not directly used by Dell SANnav-specific code internally. In other words, SANnav does not make or invoke direct Java calls to these libraries.
SANnav makes use of the following Log4j 1.x and Log4j 2.x libraries:
• log4j-1.2.x.jar (contained but not used by SANnav code; contained and used by third-party code)
• log4j-core-2.11.0 (used by Apache Ignite only)
• Ignite-yarn-2.5.11.jar (used by Apache Ignite only)
There are different mitigation options for Log4j 1.x and Log4j 2.x library vulnerabilities recommended by the Apache Software Foundation (see https://logging.apache.org/log4j/2.x/security.html) for the Apache OSS in SANnav, as follows:
• Log4j 1.x mitigation
It is recommended to remove all potentially vulnerable class objects from the code. While it is believed that SANnav is not vulnerable to any of the 1.x vulnerabilities identified, all of the following class objects have been removed to eliminate any potential for exploit against the identified CVEs.
- JndiLookup
- JMSAppender
- JDBCAppender
- JMSSink
- Chainsaw
- SMTPAppender
Note that JndiLookup (org.apache.logging.log4j.core.lookup.JndiLookup) is a Log4j 2.x class shipped in log4j-core, not a Log4j 1.x class; removing it from the log4j-core jar is the Apache-recommended mitigation for CVE-2021-44228 when that jar cannot be upgraded. The other five entries are classes (Chainsaw is a whole package) in log4j-1.2.x.
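A practitioner applying or verifying this patch will want to confirm that the listed classes are really gone from every jar on the SANnav host, including shaded or fat jars whose file names do not mention Log4j. The script below is an added example, not Dell, Broadcom or Apache code: it audits jars by entry path for the classes named above and rewrites a jar without them (the same effect as the `zip -q -d` command in the Apache advisory). The package paths are the well-known locations in log4j-1.2.x and log4j-core-2.x; the jar file names, the stub contents and the temporary directory in `demo()` are constructed for the example.

```python
"""Audit jars for the Log4j classes named in the release note and strip them.

Added example, not Dell or Broadcom SANnav code. The class-to-package
paths below are the well-known locations in log4j-1.2.x and
log4j-core-2.x; the sample jars are constructed stand-ins with stub
bytes instead of real bytecode, so the script runs offline.
"""
import os
import tempfile
import zipfile

# (jar entry or package prefix, why it matters). A trailing "/" means the
# whole package is removed (Chainsaw is several classes). JndiLookup is a
# Log4j 2.x class; everything else lives in log4j-1.2.x.
RISKY_ENTRIES = [
    ("org/apache/logging/log4j/core/lookup/JndiLookup.class", "CVE-2021-44228"),
    ("org/apache/log4j/net/JMSAppender.class", "CVE-2021-4104"),
    ("org/apache/log4j/net/JMSSink.class", "CVE-2022-23302"),
    ("org/apache/log4j/jdbc/JDBCAppender.class", "CVE-2022-23305"),
    ("org/apache/log4j/chainsaw/", "CVE-2022-23307"),
    ("org/apache/log4j/net/SMTPAppender.class", "removed defensively"),
]


def is_risky(entry):
    """Return the reason string when a jar entry matches RISKY_ENTRIES, else None."""
    for pattern, reason in RISKY_ENTRIES:
        if pattern.endswith("/"):
            if entry.startswith(pattern) and entry.endswith(".class"):
                return reason
        elif entry == pattern:
            return reason
    return None


def audit_jar(path):
    """List (entry, reason) for every risky entry still present in one jar."""
    with zipfile.ZipFile(path) as zf:
        return [(n, is_risky(n)) for n in zf.namelist() if is_risky(n)]


def audit_tree(root):
    """Audit every *.jar under root; returns {jar_path: hits} for jars with hits.
    Matching on entry paths rather than jar names also catches shaded/fat jars."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                hits = audit_jar(path)
                if hits:
                    findings[path] = hits
    return findings


def strip_jar(src, dst):
    """Rewrite src as dst without the risky entries; return the removed names.
    A full rewrite leaves no deleted-entry residue in the central directory."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if is_risky(info.filename):
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def build_sample_jar(path, entries):
    """Constructed sample: a jar whose entries are stub bytes, not real classes."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe-stub")


def demo():
    """Build 1.x and 2.x stand-in jars, audit, strip, re-audit; return hit counts."""
    with tempfile.TemporaryDirectory() as tmp:
        one = os.path.join(tmp, "log4j-1.2.17.jar")  # constructed file name
        build_sample_jar(one, [
            "org/apache/log4j/Logger.class",
            "org/apache/log4j/net/JMSAppender.class",
            "org/apache/log4j/net/JMSSink.class",
            "org/apache/log4j/net/SMTPAppender.class",
            "org/apache/log4j/jdbc/JDBCAppender.class",
            "org/apache/log4j/chainsaw/Main.class",
            "org/apache/log4j/chainsaw/LoggingReceiver.class",
        ])
        two = os.path.join(tmp, "log4j-core-2.11.0.jar")  # constructed file name
        build_sample_jar(two, [
            "org/apache/logging/log4j/core/Logger.class",
            "org/apache/logging/log4j/core/lookup/JndiLookup.class",
        ])
        before = {os.path.basename(p): len(h) for p, h in audit_tree(tmp).items()}
        after = {}
        for path in (one, two):
            fixed = path + ".stripped"
            strip_jar(path, fixed)
            after[os.path.basename(path)] = len(audit_jar(fixed))
        return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host, run `audit_tree()` over the SANnav installation root before and after applying the patch; any jar still reporting a hit, including a bundle whose name does not mention Log4j, has not been mitigated. The script deliberately does not recurse into jars nested inside other jars or WAR files; extend `audit_jar` if the deployment uses those.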