VS Management Application Log4J Security Update

SUMMARY

Several critical and high severity vulnerabilities have been identified in version 1.2 of Log4J that is shipped with the Quantum (Pivot3) VS Management Application for use with the Acuity storage OS in Hyperconverged Infrastructure deployments. This security update addresses the following vulnerabilities by updating Log4J to version 2.18.0. 

• CVE-2019-17571 (Critical)
• Certain version of Bookeeper from Apache included in Log4j 1.2 may be vulnerable to deserialization of untrusted data
• CVE-2021-4104 (High)
• JMSAppender in Log4j 1.2 may be vulnerable to deserialization of untrusted data when attacker has write access to Log4j configuration
• CVE-2022-23302 (High)
• JMSSink in all versions of Log4j 1.x may be vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker is able to access.
• CVE-2022-23305 (Critical)
• Attackers can cause unintended SQL queries to be executed if Log4J is configured to use the JDBCAppender, which is not the default.
• CVE-2022-23307 (High)
• A deserialization issue that was present in Apache Chainsaw is a component of Apache Log4j 1.2.x.

NOTE:  These vulnerabilities above do not contain the Log4Shell exploit and are not related to the previously released Security Bulletin: 

1. Apache Log4j Product Bulletin https://www.quantum.com/en/service-support/security-bulletins/log4j/

VULNERABLE QUANTUM PRODUCTS

These versions of the following Quantum products may be vulnerable if not updated:

• All versions of vSTAC Manager 
• All versions of VS Management Application, standalone Windows application before 10.9.0.c52f8347
• All versions of VS Management Application, VMware vCenter Plugin before 10.9.0.c52f8347

How can I tell what my version is on both the Standalone and Plugin applications?

You can determine the version of the VS Management Application by launching the application and looking at the version on the login page.

IMPACT

Although the VS management application does not make use of the Log4J features that directly expose the vulnerabilities listed above, it is possible these capabilities may be vulnerable to deserialization of untrusted data if an attacker gained access to the system which is running an application with the older Log4j 1.2 library.

Installing/uninstalling the VS Management Application or vSTAC Manager during this upgrade process will not impact the operation of the vPG.  All virtual machines and storage should remain online and operational throughout the upgrade process. 

SOLUTION

Users running the VS Management Application or vSTAC Manager should upgrade to the latest version of the VS Management Application which can be downloaded from the support portal:

https://portal.pivot3.com/s/article/Acuity-10-9-0-Software-Platform

Users can verify the executable downloaded from Quantum is authentic by calculating the SHA265 checksum on the file that we provide next to the download.

After upgrading the version will update on the login screen of the application. Ensure you are running version 10.9.0. c52f8347 or later:

REFERENCES

• https://portal.pivot3.com/s/article/Acuity-10-9-0-Software-Platform
• https://portal.pivot3.com/s/article/Acuity-10-9-0-Setup-and-User-Guide
• https://cve.report/CVE-2019-17571 
• https://cve.report/CVE-2021-4104 
• https://cve.report/CVE-2022-23302 
• https://cve.report/CVE-2022-23305 
• https://cve.report/CVE-2022-23307 

CONTACT INFORMATION

In North America, call 1-800-284-5101. In EMEA, call toll free +800-7826-8888 or direct +49 6131 324 185. In Asia Pacific, call +800-7826-8887. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support

CREDITS

Quantum would like to acknowledge and thank the following contributors who reported the potential security issue which we are addressing in this bulletin:

• Big IT, Inc