Log4j Vulnerability

Apache Log4j Product Bulletin 

Summary 

Quantum is aware of the recent Common Vulnerabilities and Exposures (CVE) database entry  regarding the open-source Apache Log4j utility and is actively monitoring the issue and evaluating its impact on Quantum products. Product-specific information is provided below. If you need additional details or help, please contact the Quantum Support Team for assistance.  

CVE-2021-44228 

The Apache Software Foundation has released a security advisory to address a remote code  execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open source, Java-based logging utility widely used by enterprise applications and cloud services. 

The full text of the Apache Log4j CVE is available at https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

Unaffected Quantum Products 

The following Quantum-supported products are currently expected to be unaffected by the  vulnerability as they do not use impacted versions of the Log4j code. This list may be updated as more information is available. 

• ActiveScale (X100/P100/X200) 
• CatDV 
• Cloud Based Analytics 
• DXi (4700/4800/6900/6900S/9x00/V5000) 
• EnCloudEn 
• F-Series (F1000/F2000) 
• H-Series (H2000/H4000) 
• LTO Drives 
• Pivot3 Products (V3-Series/V5-Series/X3-Series) 
• Q-EKM 
• QXS (6G/12G) 
• Scalar (i3/i6/i2000/i6000/i500/i40/i80/24/50/100/1K/10K) 
• Scalar iBlade (LTFS NAS Blade/Windows Application Blade) 
• Scalar Key Manager 
• Scalar LTFS 
• Standalone LTFS 
• Storage Care Guardian Client 
• StorNext Appliances (M-Series, G300, Artico, Xcellis Workflow Director, Xcellis Workflow  Extender, Pro Foundation) 
• StorNext Software (File System, StorNext 7 Unified UI, FlexSync, Appliance Controller and  NAS, Connect, StorNext 6 GUI)
• SuperLoader3
• Vision

Product Specific Notes: StorNext 

The StorNext GUI uses Log4j 1.2.15 which is not impacted by the Critical CVE-2021-44228. Version  1.2.15 has a recently reported moderate vulnerability CVE-2021-4104 when configured in a non default matter. The StorNext GUI use of Log4j is not configured as described in CVE-2021-4104 and  is therefore not expected to be vulnerable to CVE-2021-4104. 

Vulnerable Quantum Products 

Based on information currently available, no Quantum products are currently expected to be  vulnerable to the Apache Log4j CVE. This section may be updated as more information is available. 

References 

More information is available from the following resources: 

• https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version 2150-address-critical-rce
• https://logging.apache.org/log4j/2.x/security.html
• https://www.cve.org/CVERecord?id=CVE-2021-4104

Contact Information 

In North America, call 1-800-284-5101. In EMEA, call toll free +800-7826-8888 or direct +49 6131  324 185. In Asia Pacific, call +800-7826-8887. You will need your system serial number. For additional contact information, click here.