CSCwa47307 - Vulnerability in Apache Log4j

Article "Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021" https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

refers to Bug tracker "Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021" https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47307 which refers back to qRuKNEbd in a circular reference loop. 


qRuKNEbd says that UCS C-Series and S-Series are not vulnerable to Log4j CVE but CSCwa47307 provides a firmware update 2.3.2.1 which implies a vulnerability. 


1. Which article is correct?

2. What is the download/update procedure for 2.3.2.1 firmware CSCwa47307?

3. Anyone have success or issues with the firmware update? (I have had notoriously bad luck with firmware updates on the S-Series M4 and M5 servers in the past).

4. Instead of the firmware update, is there a work around?


Thank you

4 Replies

Leo Laohoo
Hall of Fame

@GeorgePerkins0204 wrote:

1. Which article is correct?


The Security Bulletin, of course.

Leo, if I knew the answer before I posted, then "of course" would have been meaningful. One link is a bug opened specifically to address the security bulletin. The bug says it is fixed. The security bulletin links to the bug but says it is not fixed yet. The bug links to the bulletin. This circular logic without meaningful context is just not useful. Hence my question.

Information found in Bug IDs is rarely updated and rarely contains accurate/reliable information.

Security Bulletins, however, are different. Because Security Bulletins tend to be more "visible" (not just to the customer but to the media), the information in a Security Bulletin tends to be more accurate and updated more frequently with relevant information.

qRuKNEbd is being updated daily, and as of today, the link to the CIMC status still shows as back-dated to 23 Dec 2021, which means qRuKNEbd is not consistent with CSCwa47307 (showing as updated 11 Jan 2022, although I cannot detect any changes to the content there). CSCwa47307 is indicating that the Log4j vulnerability CVE-2021-44228 is fixed by firmware version 2.3(2.1). So in this case, it appears the bug is more up-to-date than the security bulletin.


My question, given the inconsistencies between the two guidance documents, still stands. Which do I trust, and how painful is this firmware update likely to be (past experience suggests very painful)? Anyone out there installed the 2.3(2.1) firmware on their C-series or S-series UCS servers yet?