Apache Log4j Product Bulletin
Quantum is aware of the recent Common Vulnerabilities and Exposures (CVE) database entry regarding the open-source Apache Log4j utility and is actively monitoring the issue and evaluating its impact on Quantum products. Product-specific information is provided below. If you need additional details or help, please contact the Quantum Support Team for assistance.
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
The full text of the Apache Log4j CVE is available at https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
Unaffected Quantum Products
The following Quantum-supported products are currently expected to be unaffected by the vulnerability as they do not use impacted versions of the Log4j code. This list may be updated as more information is available.
- ActiveScale (X100/P100/X200)
- Cloud Based Analytics
- DXi (4700/4800/6900/6900S/9x00/V5000)
- F-Series (F1000/F2000)
- H-Series (H2000/H4000)
- LTO Drives
- Pivot3 Products (V3-Series/V5-Series/X3-Series)
- QXS (6G/12G)
- Scalar (i3/i6/i2000/i6000/i500/i40/i80/24/50/100/1K/10K)
- Scalar iBlade (LTFS NAS Blade/Windows Application Blade)
- Scalar Key Manager
- Scalar LTFS
- Standalone LTFS
- Storage Care Guardian Client
- StorNext Appliances (M-Series, G300, Artico, Xcellis Workflow Director, Xcellis Workflow Extender, Pro Foundation)
- StorNext Software (File System, StorNext 7 Unified UI, FlexSync, Appliance Controller and NAS, Connect, StorNext 6 GUI)
Product Specific Notes: StorNext
The StorNext GUI uses Log4j 1.2.15, which is not impacted by the critical CVE-2021-44228. Version 1.2.15 has a recently reported moderate vulnerability, CVE-2021-4104, when configured in a non-default manner. The StorNext GUI's use of Log4j is not configured as described in CVE-2021-4104 and is therefore not expected to be vulnerable to CVE-2021-4104.
Vulnerable Quantum Products
Based on information currently available, no Quantum products are currently expected to be vulnerable to the Apache Log4j CVE. This section may be updated as more information is available.
More information is available from the following resources:
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
In North America, call 1-800-284-5101. In EMEA, call toll free +800-7826-8888 or direct +49 6131 324 185. In Asia Pacific, call +800-7826-8887. You will need your system serial number.