Open-E Knowledgebase

[JDSS][DSS V7] Open-E Log4j (Log4Shell Exploit) Statement

Article ID: 3261
Last updated: 01 Mar, 2022

Additional information:

  • product name: JovianDSS / DSS V7
  • product version: all
  • build: all

Open-E Log4j (Log4Shell Exploit) Statement (17 Dec, 2021)

To ensure the highest level of security for our users, both Open-E JovianDSS and Open-E DSS V7 have been checked for possible vulnerabilities related to the Log4Shell exploit, specifically CVE-2021-44228. Although our products' core systems don't contain the affected Log4j Java library, we conducted multiple tests to check whether the third-party management tools (which run when the related hardware is installed on the server) are affected.

Our tests revealed the following:

  • The MaxView Storage Manager tool utilizes the Apache Log4j library and is affected by the exploit.

  • The MegaRAID Storage Manager (MSM) utilizes the Apache Log4j library, but none of our tests showed any indication of the library being affected by the exploit.

Important! The MegaRAID Storage Manager (MSM) vendor confirmed MSM's vulnerability to CVE-2021-4104. For this reason, Open-E also recommends updating the tool and provides small updates for all users.
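The two CVEs named above concern different classes: CVE-2021-44228 involves `JndiLookup` in Log4j 2 (log4j-core), while CVE-2021-4104 involves `JMSAppender` in Log4j 1.2. The inventory script below is an added example, not Open-E's or the tool vendors' code; it assumes the management tool's files are readable under a directory you pass in, and it reports where those classes are bundled and the library version when the archive records one.

```python
import io
import os
import re
import sys
import zipfile

# Class files tied to the two CVEs named in this statement.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-44228 (Log4j 2 JndiLookup)",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104 (Log4j 1.2 JMSAppender)",
}
ARCHIVE_EXT = (".jar", ".war", ".ear")
# Maven metadata that records the bundled library version, when present.
POM_RE = re.compile(r"META-INF/maven/(org\.apache\.logging\.log4j/log4j-core|log4j/log4j)/pom\.properties$")


def scan_archive(data, label, findings, depth=0):
    """Inspect one archive (path or file object) and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable archive; skip it
    with zf:
        names = zf.namelist()
        version = "unknown"
        for name in names:
            if POM_RE.search(name):
                m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
                version = m.group(1) if m else version
        for name in names:
            if name in MARKERS:
                findings.append((label, MARKERS[name], version))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < 3:  # bounded recursion
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings, depth + 1)


def scan_tree(root):
    """Return sorted (archive, marker, version) tuples for Log4j copies under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                scan_archive(path, path, findings)
    return sorted(findings)


if __name__ == "__main__":
    for archive, marker, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{archive}: {marker}, version {version}")
```

A hit is an inventory entry, not proof of exploitability: patched Log4j 2 releases still ship `JndiLookup.class`, so compare the reported version against the vendor's fixed release.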


To resolve the above-mentioned issues, we have delivered small updates for both of our products. For the CVE-2021-44228 vulnerability in MaxView Storage Manager:

  • 90360-JDSS update for Open-E JovianDSS
  • 70728-DSS-V7 update for Open-E DSS V7

For the CVE-2021-4104 vulnerability in MSM, a similar set of small updates is available:

  • 90362-JDSS for Open-E JovianDSS
  • 70729-DSS-V7 for Open-E DSS V7

Regarding Open-E JovianDSS, we will soon release the up29r2 software update, which will include both security patches from the aforementioned small updates.

More information about the update will be sent in separate emails.

Small updates:

DSS V7:
https://software:UuPpDdAaTtEe@ftp.open-e.com/In_Engineering_Phase/70728-DSS-V7_log4j_maxview_cve-2021-44228/upd_70728-DSS-V7.upd
https://software:UuPpDdAaTtEe@ftp.open-e.com/In_Engineering_Phase/70729-DSS-V7_log4j_fix_cve-2021_4104_msm/upd_70729-DSS-V7.upd

JovianDSS:
https://software:UuPpDdAaTtEe@ftp.open-e.com/In_Engineering_Phase/90360-JDSS_maxview_log4j_fix/upd_90360-JDSS.upd
https://software:UuPpDdAaTtEe@ftp.open-e.com/In_Engineering_Phase/90362-JDSS_log4j_fix_cve_2021_4104_msm/upd_90362-JDSS.upd

Revision: 6
Posted: 17 Dec, 2021 by Tymrakiewicz S.
Updated: 01 Mar, 2022 by Stolarczyk M.
Tags
log4 exploit log4j

The Knowledge base is managed by Open-E data storage software company.