Log 4j vulnerabilities in UCS?

DeltaDentalUCS
Level 1

I am going through the Cisco Security Advisory that was updated last week: Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021 and I see that UCS Central and UCS Manager are listed with Bug IDs CSCwa33066 and CSCwa33718, respectively.  When I follow those links, I get a message that I don't have access to these bugs with my login.  Do we have any information on how this vulnerability affects these products?  Which versions should we be running to mitigate the vulnerabilities?  I can't be the only one asking this question.  Thanks!

Accepted Solutions

Kirk J
Cisco Employee

The UCSM, CIMC, HX products are not impacted because the log4j version used in those is not impacted by this CVE.

The specific info for the aforementioned products should become visible in the next day or so, including CSCwa47302 (specific to UCSM).

 

For the vCenter appliance (something in your environment that probably is impacted), see https://kb.vmware.com/s/article/87081.

 

Kirk...


11 Replies

Kirk, thanks so much for your prompt response!  We will keep an eye out for when that bug report comes out. 

Is that assuming that we are on the latest version of everything for those devices? I.e., if we had CIMCs, UCS, HX that are on the same platform/firmware version they shipped with, could they be vulnerable?

No. The version does not matter regarding Log4j.

UCS devices (UCSM, CIMC) are NOT vulnerable to the Log4j vulnerability because they do NOT use Log4j.

HX does use Log4j, but uses Log4j1 which is NOT vulnerable instead of the vulnerable Log4j2.

Some UCS software does use the vulnerable Log4j versions so check the Log4j page.

 

Why are you asking about Log4j using the HTTPD link?

Did the Log4j email go out with the HTTPD link?

Not sure what you are referring to with the HTTPD link. I found this through a Google search for CIMC log4j.

The original poster titled the post:

Log 4j vulnerabilities in UCS?

And links to the Apache HTTPD notice:

Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ

But the Apache Log4j notice is at this link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

 

These are two distinct issues with software from Apache.

Just trying to make sure the correct information is provided for the correct issue.

Thanks for the clarification, Steven.  Much appreciated.

Is UCS Central affected by this?  

Tapper
Level 1
Here is the link for the log 4j vulnerability:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
You should be able to get to this one. I did try the Bug IDs you gave and I cannot access them either.
Tom

rablake
Level 1

I see that Cisco Intersight Virtual Appliance is listed as vulnerable.  Is that the standalone version for environments airgapped from the Internet, the Intersight assistant, or both?  It's not clear.
