Apache Log4j Vulnerability
Lenovo Security Advisory: LEN-76573
Potential Impact: Remote code execution, denial of service
Severity: Critical
Scope of Impact: Industry-wide
CVE Identifier: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832
Summary Description:
Log4j v1.x is vulnerable to a variant of CVE-2021-44228, identified as CVE-2021-4104. This Log4j v1.x variant has different exposure, exploitability, and severity than the initial Log4j v2.x vulnerability. Log4j v1.x is not reported to be vulnerable to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, or CVE-2021-44832.
Log4j v2.x is vulnerable to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Log4j v2.x is not reported to be vulnerable to CVE-2021-4104.
Mitigation Strategy for Customers (what you should do to protect yourself):
See the Product Impact section below for Affected components and their fix versions or mitigation guidance as well as a list of Not Affected components (not exhaustive).
Product Impact:
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
References:
- https://logging.apache.org/log4j/2.x/security.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
- https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
- https://security-tracker.debian.org/tracker/CVE-2021-44228
- Nutanix advisory - https://download.nutanix.com/alerts/Security_Advisory_0023.pdf
- NetApp advisories
  - https://www.netapp.com/newsroom/netapp-apache-log4j-response/
  - https://security.netapp.com/advisory/ntap-20211210-0007/
  - https://security.netapp.com/advisory/ntap-20211215-0001/
  - https://security.netapp.com/advisory/ntap-20211218-0001/
Revision History:
Revision | Date | Description |
26 | 2023-06-14 | Corrected CVE typo "CVE-2021-4510" to "CVE-2021-45105" |
25 | 2022-02-07 | Updated Storage, ThinkAgile |
24 | 2022-02-02 | Updated Not Affected |
23 | 2022-01-26 | Updated System x |
22 | 2022-01-19 | Updated Not Affected, System x, ThinkAgile |
21 | 2022-01-14 | Updated ThinkAgile |
20 | 2022-01-12 | Updated Summary Description, Mitigation Strategy, Not Affected |
19 | 2022-01-11 | Updated Not Affected |
18 | 2022-01-10 | Updated Not Affected, Network Switches, Storage, System x |
17 | 2022-01-07 | Updated Software |
16 | 2022-01-06 | Updated Not Affected, System x |
15 | 2022-01-05 | Updated Software, ThinkStation |
14 | 2022-01-04 | Updated Software, ThinkStation, ThinkSystem |
13 | 2021-12-29 | Updated Summary Description and Product Impact with CVE-2021-44832 |
12 | 2021-12-22 | Updated Not Affected and References |
11 | 2021-12-21 | Updated Summary Description with clarity around log4j 1.x and 2.x. Updated Storage, System x |
10 | 2021-12-20 | Added CVE-2021-4104 and updated Product Impact - Software, Storage, System x, ThinkAgile, Not Affected |
9 | 2021-12-19 | Added CVE-2021-45105 and updated Product Impact to include CVE-2021-45105 |
8 | 2021-12-17 | Updated Product Impact section - Networking Switches, Software, Storage, Not Affected |
7 | 2021-12-16 | Updated Product Impact section to include target availability for fixes |
6 | 2021-12-15 | Updated Product Impact section |
5 | 2021-12-14 | Removed Java version reference for LXCA and LXCI for VMware vCenter |
4 | 2021-12-14 | Updated Product Impact section |
3 | 2021-12-13 | Updated Product Impact section |
2 | 2021-12-13 | Added Mitigation Strategy, References, and Product Impact sections |
1 | 2021-12-13 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Affected
Please note that the Components listed below are affected. Products listed below are not affected if they are not utilizing the vulnerable Component.
Product | Component | CVE-2021-44228, CVE-2021-45046 | CVE-2021-45105 | CVE-2021-44832 |
Lenovo DSS-G | Lenovo DSS-G (only GUI affected) | See https://hpc.lenovo.com/dssg/dssg-log4j.html for risk exposure, resolution and mitigations | See https://hpc.lenovo.com/dssg/dssg-log4j.html for risk exposure, resolution and mitigations | Not Affected |
Lenovo XClarity Administrator | Lenovo XClarity Administrator (LXCA) | 3.4.5 | Not Affected | Not Affected |
Lenovo XClarity Administrator | Lenovo XClarity Administrator Virtual Appliance Full Image (For KVM) | 3.4.5 | Not Affected | Not Affected |
Lenovo XClarity Administrator | Lenovo XClarity Administrator Virtual Appliance Full Image (For VMWare) | 3.4.5 | Not Affected | Not Affected |
Lenovo XClarity Administrator | Lenovo XClarity Administrator Virtual Appliance Full Image (For Windows) | 3.4.5 | Not Affected | Not Affected |
Lenovo XClarity Energy Manager | Lenovo XClarity Energy Manager (LXEM) | 3.3.0 | Not Affected | Not Affected |
Lenovo XClarity Integrator | Lenovo XClarity Integrator (LXCI) for VMware vCenter | 7.5.0 | Not Affected | Not Affected |
Product | Component | CVE-2021-4104 (log4j 1.x) | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 (log4j 2.x) |
Compute Node - nx360 M5 (NeXtScale) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - nx360 M5 (NeXtScale) | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - nx360 M5 water-cooled (NeXtScale) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x240 (Flex) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x240 (Flex) | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x240 M5 (Flex) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x240 M5 (Flex) | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x280 X6 (Flex) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x280 X6 (Flex) | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x440 (Flex) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x440 (Flex) | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x480 X6 (Flex) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x480 X6 (Flex) | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x880 X6 (Flex) | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Compute Node - x880 X6 (Flex) | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3500 M5 | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3500 M5 | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3550 M5 | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3550 M5 | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3650 M5 | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3650 M5 | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3750 M4 | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3750 M4 | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3850 X6 | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3850 X6 | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3950 X6 | MegaRAID Storage Manager for Linux - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
System x3950 X6 | MegaRAID Storage Manager for Microsoft Windows - Lenovo x86 Servers | 17.05.06.00-0 | Not Affected |
Product | Component | CVE-2021-44228, CVE-2021-45046 | CVE-2021-45105 | CVE-2021-44832 |
CP4000 (ThinkAgile) | ThinkAgile CP-Management Web Console | All ThinkAgileCP customers have been updated | All ThinkAgileCP customers have been updated | All ThinkAgileCP customers have been updated |
CP6000 (ThinkAgile) | ThinkAgile CP-Management Web Console | All ThinkAgileCP customers have been updated | All ThinkAgileCP customers have been updated | All ThinkAgileCP customers have been updated |
SAP Solutions | ThinkAgile HX - VMware Components | https://www.vmware.com/security/advisories/VMSA-2021-0028.html | Not Affected | Not Affected |
SAP Solutions | ThinkAgile VX - VMware Components | https://www.vmware.com/security/advisories/VMSA-2021-0028.html | Not Affected | Not Affected |
ThinkAgile HX | VMware Components | https://www.vmware.com/security/advisories/VMSA-2021-0028.html | Not Affected | Not Affected |
ThinkAgile VX | VMware Components | https://www.vmware.com/security/advisories/VMSA-2021-0028.html | Not Affected | Not Affected |
Product | Component | CVE-2021-44228, CVE-2021-45046 | CVE-2021-45105 | CVE-2021-44832 |
P920 Rack Workstation (ThinkStation) | Lenovo XClarity Energy Manager (LXEM) | 3.3.0 | Not Affected | Not Affected |
Product | Component | CVE-2021-44228, CVE-2021-45046 | CVE-2021-45105 | CVE-2021-44832 |
SR530 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR530 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR530 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR550 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR550 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR550 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR570 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR570 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR570 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR590 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR590 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR590 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR630 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR630 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR630 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR630 V2 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR630 V2 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR630 V2 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR645 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR645 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR645 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR650 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR650 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR650 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR650 V2 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR650 V2 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR650 V2 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR665 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR665 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR665 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR850 V2 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR850 V2 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR850 V2 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
SR860 V2 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
SR860 V2 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
SR860 V2 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
ST550 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
ST550 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
ST550 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
ST558 (ThinkSystem) | storman command line tool (For Linux) | 24713 | Not Affected | Not Affected |
ST558 (ThinkSystem) | storman command line tool (For VMWare) | 24713 | Not Affected | Not Affected |
ST558 (ThinkSystem) | storman command line tool (For Windows) | 24713 | Not Affected | Not Affected |
Not Affected
Any 5594 UPS unit
Any 5595 UPS unit
BIOS/UEFI
Confluent
Core OEM (for Zoom/Teams/Partner solutions)
Eaton UPS Network Management Card (NMC)
Embedded System Management Java-based KVM clients
Fan Power Controller (FPC)
Fan Power Controller2 (FPC2)
Google Series One Kits (Small, Medium, Large)
IBM Advanced Management Module (AMM)
IBM LCM8 Local Console Managers, 1754-A1X
IBM LCM16 Local Console Managers, 1754-A2X
IBM GCM16 Global Console Managers, 1754-D1X
IBM GCM32 Global Console Managers, 1754-D2X
Integrated Management Module II (IMM2)
Lenovo and IBM V-series Storage (including V1, Storwize, and V2)
Lenovo Cloud Deploy
Lenovo Device Intelligence (LDI)
Lenovo Dock Manager
Lenovo Dynamic System Analysis (DSA)
Lenovo LCM8 Local Console Managers, 1754-A1X
Lenovo LCM16 Local Console Managers, 1754-A2X
Lenovo GCM16 Global Console Managers, 1754-D1X
Lenovo GCM32 Global Console Managers, 1754-D2X
Lenovo Migration Assistant
Lenovo Patch for MEM
Lenovo SAP Solutions - Components other than ThinkAgile VX
Lenovo Scaling Utility
Lenovo System Update
Lenovo Thin Installer
Lenovo Thinclient Manager (LTM)
Lenovo ThinkSystem Digital 2x1x16 KVM Switch, 1754-D1T
Lenovo Update Retriever
Lenovo UPS Network Management Card, p/n 46M4110
Lenovo UPS Power Manager for Virtual Appliances, any release
Lenovo UPS Power Manager for Microsoft Windows, any release
Lenovo UPS Power Protector for Linux, any release
Lenovo UPS Power Protector for Microsoft Windows
Lenovo Vantage
Lenovo XClarity Orchestrator (LXCO)
Lenovo XClarity Mobile (LXCM) (Android and iOS)
Lenovo XClarity Integrator (LXCI) for Windows Admin Center
Lenovo XClarity Integrator (LXCI) for Microsoft System Center
Lenovo XClarity Integrator (LXCI) for ServiceNow
Lenovo XClarity Integrator (LXCI) for Nagios
Lenovo XClarity Integrator (LXCI) for Microsoft Azure Analytics
Lenovo XClarity Controller (XCC)
Lenovo XClarity Essentials (LXCE)
Lenovo XClarity Provisioning Manager (LXPM)
LeTOS
LSI Storage Authority
MegaCLI
Network Switches running
- Lenovo CNOS
- Lenovo ENOS
- IBM ENOS
- Brocade FOS
StorCLI
Switched and Monitored PDUs
- 1U 9 C19/3 C13 Switched and Monitored DPI PDU, 46M4002
- 1U 9 C19/3 C13 Switched and Monitored 60A 3-phase PDU, 46M4003
- 1U 12 C13 Switched and Monitored DPI PDU, 46M4004
- 1U 12 C13 Switched and Monitored 60A 3-phase PDU, 46M4005
System Management Module (SMM)
System Management Module 2 (SMM2)
ThinkAgile HX
- Nutanix Components Not Affected - See Nutanix advisory listed under References section
- Hardware Not Affected
ThinkAgile VX
- Hardware Not Affected
ThinkShield Edge Mobile Management (Android and iOS)
ThinkSmart Hub500
ThinkSmart Hub60/HubG2
ThinkSmart Core (Core + Controller and Core Full Room Kit)
ThinkSmart View
ThinkSmart Cam
ThinkSmart Bar and BarXL
ThinkSmart Manager (and associated iOS and Android mobile apps)
ThinkSystem 2x1x16 Digital KVM Switch - Type 1754D1T
ThinkSystem DE Series Storage - See NetApp advisories listed under References section
ThinkSystem DM Series Storage - See NetApp advisories listed under References section
ThinkSystem DS Series Storage
ThinkSystem Manager (TSM)
TET M920Q (for Zoom/Teams/Partner solutions)
Vertiv rPDUs for Lenovo