Critical Remote Code Vulnerability with Apache Log4j

Published On: January 7, 2022 | Categories: Security

As many of you may be aware by this point, a critical remote code execution vulnerability in the Apache Log4j library was published on December 10, 2021. NIST tracks this vulnerability as CVE-2021-44228.

MANY of the products we offer are affected by this vulnerability. Here are some resources that should be helpful:

  • Here is the Dell response to Log4j. In this article, they list every product and its current status in terms of vulnerability. I’ve also attached this article as a PDF here because it is behind a login that I’ve heard some are having difficulty accessing. Some items of note:
    • Dell SC is confirmed as NOT vulnerable. You can use this article to set Compellent customer minds at ease.
    • PowerStore and Unity have some level of vulnerability, and patches are being released this month.
    • Other products, such as VxRail and DataDomain, are highlighted with some suggested workarounds.
  • Here is the VMware response to Log4j. In this article, they list all the products and their current status for the vulnerability. Some items of note:
    • VMware vCenter, Horizon, and others are vulnerable. VMware has a patch on the way, and the above document lists a KB article for each major product with a vulnerability.
    • Some VMware exposures are worse than others. For example, most people (hopefully) don’t have their vCenter environment accessible from the internet. Some VMware products, however, such as a UAG in a VDI environment, may be exposed to the internet. Those systems should take priority when mitigating the risk.
  • Here is an article from AWN with some general information on the vulnerability.
  • Here is the response from Nutanix regarding the impact of this vulnerability on their products and systems.
    • AOS LTS (long-term support) is not impacted. AOS STS (short-term support) is impacted, with a patch coming soon. AOS is a core component that is in every Nutanix system.
    • In addition to AOS, some of the other products in the Nutanix portfolio are impacted, including Prism Central, Karbon, and Mine.


WTG professional services have already been working to assist customers in securing their environments. Please feel free to reach out to Matt or me with any questions.


About the Author: Rick Gouin

Chief Technology Officer, Winslow Technology Group