To ensure the highest level of security for our users, both Open-E JovianDSS and Open-E DSS V7 have been checked for vulnerabilities related to the Log4Shell exploit, specifically CVE-2021-44228. Although our products’ core systems don’t contain the affected Log4j Java library, we’ve conducted multiple tests to check whether the third-party management tools (which are run when the related hardware is installed on the server) are affected.
Our tests revealed the following:
The MaxView Storage Manager tool utilizes the Apache Log4j library and is affected by the exploit.
The MegaRAID Storage Manager (MSM) utilizes the Apache Log4j library, but none of our tests showed any indication of the library being affected by the exploit.
Important! The MegaRAID Storage Manager (MSM) vendor has confirmed that MSM is vulnerable to CVE-2021-4104. For this reason, Open-E also recommends updating the tool and provides small updates for all users.
To resolve the above-mentioned issues, we have delivered small updates for both of our products. For the CVE-2021-44228 vulnerability in MaxView Storage Manager:
90360-JDSS update for Open-E JovianDSS
70728-DSS-V7 update for Open-E DSS V7
For the CVE-2021-4104 vulnerability in MSM, a similar set of small updates is available:
90362-JDSS for Open-E JovianDSS
70729-DSS-V7 for Open-E DSS V7
For Open-E JovianDSS, we will soon release the up29r2 software update, which will include both security patches from the aforementioned small updates.
More information about the update will be sent in separate emails.