12-13-2021 07:50 AM
I am going through the Cisco Security Advisory that was updated last week: Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021 and I see that UCS Central and UCS Manager are listed with Bug IDs CSCwa33066 and CSCwa33718, respectively. When I follow those links, I get a message that I don't have access to these bugs with my login. Do we have any information on how this vulnerability affects these products? Which versions should we be running to mitigate the vulnerabilities? I can't be the only one asking this question. Thanks!
12-13-2021 07:57 AM - edited 12-13-2021 09:13 AM
The UCSM, CIMC, HX products are not impacted because the log4j version used in those is not impacted by this CVE.
The specific info for the aforementioned products should become visible in the next day or so, including CSCwa47302 (specific to UCSM).
For vcenter appliance (something in your environment that probably is impacted), see https://kb.vmware.com/s/article/87081.
Kirk...
12-13-2021 07:59 AM - edited 12-13-2021 08:08 AM
Kirk, thanks so much for your prompt response! We will keep an eye out for when that bug report comes out.
12-14-2021 04:50 AM
Is that assuming that we are on the latest version of everything for those devices? I.e., if we had CIMCs, UCS, or HX that are on the same platform/firmware version they shipped with, could they be vulnerable?
12-14-2021 05:25 AM
No. The version does not matter regarding Log4j.
UCS devices (UCSM, CIMC) are NOT vulnerable to the Log4j vulnerability because they do NOT use Log4j.
HX does use Log4j, but uses Log4j1 which is NOT vulnerable instead of the vulnerable Log4j2.
Some UCS software does use the vulnerable Log4j versions so check the Log4j page.
Why are you asking about Log4j using the HTTPD link?
Did the Log4j email go out with the HTTPD link?
12-14-2021 06:39 AM
Not sure what you are referring to with the HTTPD link. I found this through a google search for CIMC log4j.
12-14-2021 07:58 AM - edited 12-14-2021 08:01 AM
The original poster titled the post:
Log 4j vulnerabilities in UCS?
Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
These are two distinct issues with software from Apache.
Just trying to make sure the correct information is provided for the correct issue.
12-15-2021 05:36 AM
Thanks for the clarification, Steven. Much appreciated.
12-14-2021 06:49 AM
Is UCS Central affected by this?
12-14-2021 07:52 AM
Under NOT vulnerable on page:
Cisco UCS Central Software
12-14-2021 09:14 AM
I see that Cisco Intersight Virtual Appliance is listed as vulnerable. Is that the standalone version for environments airgapped from the Internet, the Intersight assistant, or both? It's not clear.