Dell Connectrix DS 6630B SANnav Management Portal 2.1.1.7 CSI Patch Release Co - Page 3
Important Notes Regarding Software Security Scans and Log4j, SANnav v2.1.1.7 Patch Release Content
View all Dell Connectrix DS 6630B manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 3 highlights
Important Notes Regarding Software Security Scans and Log4j - SocketServer Note: All of these objects are removed from the SANnav code with this CSI patch. ? Log4j 2.x mitigation In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java. Note: This is the mitigation that is provided in this SANnav patch. Upgrade to Log4j 2.17.1 (for Java 8 and later). Note: Due to the significant complexity in upgrading components using OSS components with Log4j 2.x, this mitigation is NOT provided in this SANnav patch. Upgrade to Log4j 2.17.1 (for Java 8 and later). Important Notes Regarding Software Security Scans and Log4j 1. Security scanners that scan down inside code to validate that potentially vulnerable class objects exist or have been removed will report "Mitigated" after applying this CSI patch. Logpresso and other such scanners will indicate the related SANnav files as "MITIGATED". 2. Other scanners that do not scan down inside code may still indicate potential vulnerabilities after applying this CSI patch. This is because Log4j version 1.x code is still present within SANnav, even though the vulnerable objects have been removed. Nessus is one such scanner, and may report the following: 156860 - Apache Log4j 1.x Multiple Vulnerabilities - According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. - Log4j 1.x is affected by multiple vulnerabilities 156032 - Apache Log4j Unsupported Version Detection - A logging library running on the remote host is no longer supported. Note that while SANnav is not believed to be vulnerable to any of the identified Log4j 1.x CVEs, this CSI patch addresses any potential exploit by removing the impacted Log4j 1.x classes. SANnav v2.1.1.7 Patch Release Content This patch includes the following fixes/updates: 1. This SANnav v2.1.1.7 CSI patch includes the following updates to mitigate the Log4j 2.x vulnerabilities previously explained: A script that removes the following Java classes from the Log4j 1.x jars in SANnav code to eliminate any possible exploits. By removing these classes, SANnav code is fully remediated against all currently known Log4j 1.x vulnerabilities. - JndiLookup Dell Connectrix SANnav Portal Patch Release Content Notes 3