Log4J Security Update

SUMMARY
Several critical and high severity vulnerabilities have been identified in version 1.2 of Log4J, which is shipped with the Quantum
(Pivot3) VS Management Application for use with the Acuity storage OS in Hyperconverged Infrastructure deployments. This
security update addresses the following vulnerabilities by updating Log4J to version 2.18.0.

CVE-2019-17571 (Critical)
          o Certain versions of Apache BookKeeper included in Log4j 1.2 are vulnerable to deserialization of untrusted data.
CVE-2021-4104 (High)
          o JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the
Log4j configuration.
CVE-2022-23302 (High)
          o JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write
access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.

CVE-2022-23305 (Critical)
          o Attackers can cause unintended SQL queries to be executed if Log4J is configured to use the JDBCAppender, which is
not the default.
CVE-2022-23307 (High)
          o A deserialization issue is present in Apache Chainsaw, which is a component of Apache Log4j 1.2.x.

NOTE: The vulnerabilities listed above do not include the Log4Shell exploit and are not related to the previously released Security
Bulletin:

• Apache Log4j Product Bulletin https://www.quantum.com/en/service-support/security-bulletins/log4j/

VULNERABLE QUANTUM PRODUCTS
Versions of the following Quantum products are known to be vulnerable.

• All versions of vSTAC Manager
• All versions of VS Management Application, standalone Windows application before 10.9.0.c52f8347
• All versions of VS Management Application, VMware vCenter Plugin before 10.9.0.c52f8347

How can I tell what my version is on both the Standalone and Plugin applications?
• You can determine the version of the VS Management Application by launching the application and looking at the
version on the login page.

IMPACT
Although the VS Management Application does not make use of the Log4J features that directly expose the vulnerabilities listed
above, it is possible these capabilities may be vulnerable to deserialization of untrusted data if an attacker gained access to the
system which is running an application with the older Log4j 1.2 library.
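As an added example (not part of the Quantum bulletin), the following Python script inventories Log4j 1.x jars under a directory and reports which of the components named above (JMSAppender, JMSSink, JDBCAppender, Chainsaw) each jar carries, mapped to the bulletin's CVE ids. The class-file paths are Log4j's standard package layout; the sample jar is constructed in memory so the script runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Class-file paths behind the bulletin's CVEs; Log4j 1.x lives under org/apache/log4j/.
RISKY_PREFIXES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",
}

def parse_version(manifest_text):
    """Implementation-Version from MANIFEST.MF as an int tuple, or None."""
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def inspect_jar(jar_bytes):
    """Return (version, [CVE ids]) for a Log4j 1.x jar, else None. The 2.x
    bridge log4j-1.2-api also ships org/apache/log4j/, so the version decides."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if not any(n.startswith("org/apache/log4j/") for n in names):
            return None
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        version = parse_version(manifest)
        if version is not None and version[0] != 1:
            return None  # a 2.x artifact carrying the 1.x package name
        cves = sorted({cve for prefix, cve in RISKY_PREFIXES.items()
                       if any(n.startswith(prefix) for n in names)})
        return version, cves

def scan_directory(root):
    """Walk root for *.jar files; one (path, version, CVEs) tuple per Log4j 1.x jar."""
    return [(str(p), *r) for p in Path(root).rglob("*.jar")
            if (r := inspect_jar(p.read_bytes())) is not None]

def build_sample_jar():
    """Constructed stand-in for a Log4j 1.2 jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        for entry in ("org/apache/log4j/Logger.class",
                      "org/apache/log4j/net/JMSAppender.class",
                      "org/apache/log4j/jdbc/JDBCAppender.class"):
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Point scan_directory() at the application's install directory; a hit is a 1.x library on the host whether or not the application configures the listed appenders, which is the condition the IMPACT section describes.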

Installing/uninstalling the VS Management Application or vSTAC Manager during this upgrade process will not impact the
operation of the vPG. All virtual machines and storage should remain online and operational throughout the upgrade process.

SOLUTION
Users running the VS Management Application or vSTAC Manager should upgrade to the latest version of the VS Management
Application which can be downloaded from the support portal:

https://portal.pivot3.com/s/article/Acuity-10-9-0-Software-Platform

Users can verify that the executable downloaded from Quantum is authentic by calculating the SHA256 checksum of the file and
comparing it with the checksum we provide next to the download.
After upgrading, the version shown on the login screen of the application will update. Ensure you are running version
10.9.0.c52f8347 or later.

REFERENCES

https://portal.pivot3.com/s/article/Acuity-10-9-0-Software-Platform
https://portal.pivot3.com/s/article/Acuity-10-9-0-Setup-and-User-Guide
https://cve.report/CVE-2019-17571
https://cve.report/CVE-2021-4104
https://cve.report/CVE-2022-23302
https://cve.report/CVE-2022-23305
https://cve.report/CVE-2022-23307

CONTACT INFORMATION
In North America, call 1-800-284-5101. In EMEA, call toll free +800-7826-8888 or direct +49 6131 324 185. In Asia Pacific, call
+800-7826-8887. You will need your system serial number. For additional contact information, go to
http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support