February 2022
Storage Management Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
Question: Is maxView impacted by the Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)?
Background:
On 9th December 2021, a new zero-day vulnerability in Apache Log4j was reported. It is tracked as CVE-2021-44228.
The vulnerability resides in Log4j’s lookup capability in combination with JNDI (Java Naming and Directory Interface). Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The vulnerability has a base CVSS score of 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Is maxView impacted?
CVE-2021-44228 has been determined to impact the maxView GUI via the Apache Log4j open-source component it ships. maxView uses the log4j 2.14.0 framework for logging Tomcat web server logs, so it falls under the impacted product list. Although maxView does not use or expose JNDI features, the lookup capability is not disabled by default in the log4j that ships with the maxView package.
Mitigation Plan:
Engineering is currently providing a tested manual patch for 8
Series Controllers and a tested patched maxView Version for SmartRaid
Controllers. Please select to be notified when this article is updated
(please make sure you are signed into your Microchip account).
For all SmartRaid x100 and x200 Controllers, please download the patch maxView Version v24713 (with 2.16.0) on the download page for your controller, HERE.
A new patch maxView Version with 2.17.1 is scheduled to be released in February 2022.
For Series 8 Controllers, please use one of the manual options below.
Option 1:
Follow the steps below for Windows OS:
- Download the latest Apache Log4J Binary zip, here
- Extract log4j-core-2.17.x.jar and log4j-api-2.17.x.jar from apache-log4j-2.17.x-bin.zip
- Copy log4j-core-2.17.x.jar and log4j-api-2.17.x.jar under “C:\Program Files\Adaptec\maxView Storage Manager\apache-tomcat\webapps\maxview\WEB-INF\lib”
- Stop the maxViewWebServer service
- Delete the older log4j-core-2.14.0.jar and log4j-api-2.14.0.jar under “C:\Program Files\Adaptec\maxView Storage Manager\apache-tomcat\webapps\maxview\WEB-INF\lib”
- Start the maxViewWebServer service
Follow the steps below for Linux OS:
- Download the latest Apache Log4J Binary zip, here
- Extract log4j-core-2.17.X.jar and log4j-api-2.17.X.jar from apache-log4j-2.17.X-bin.zip
- Copy log4j-core-2.17.X.jar and log4j-api-2.17.X.jar under “/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib”
- Execute “service stor_tomcat stop” to stop the maxViewWebServer service
- Delete the older log4j-core-2.14.0.jar and log4j-api-2.14.0.jar under “/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib”
- Execute “service stor_tomcat start” to start the maxViewWebServer service
Option 2 (requires the zip command-line tool):
- Stop the maxViewWebServer service
- Open the command prompt
- Change the directory to C:\Program Files\Adaptec\maxView Storage Manager\apache-tomcat\webapps\maxview\WEB-INF\lib
- Execute “zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class”
- Start the maxViewWebServer service
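A check that either option above took effect, as an added example (not part of the original article or the vendor's tooling): it classifies every log4j-core jar in the maxView WEB-INF/lib directory by file-name version and by whether JndiLookup.class is still inside, so a leftover 2.14.0 jar is caught. The function and status names are illustrative, and the 2.17.0 threshold assumes the 2.17.x jars named in Option 1.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class that Option 2 deletes from the log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIXED = (2, 17, 0)  # assumption: Option 1 installs a log4j 2.17.x jar


def audit_lib_dir(lib_dir):
    """Return {jar name: status} for every log4j-core jar in lib_dir."""
    results = {}
    for jar in sorted(Path(lib_dir).glob("log4j-core-*.jar")):
        match = CORE_JAR.match(jar.name)
        version = tuple(map(int, match.groups())) if match else None
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except (zipfile.BadZipFile, OSError):
            results[jar.name] = "unreadable"     # cannot vouch for this jar
            continue
        if version and version >= FIXED:
            results[jar.name] = "upgraded"       # Option 1 applied
        elif not has_jndi:
            results[jar.name] = "class-removed"  # Option 2 applied
        else:
            results[jar.name] = "vulnerable"     # old jar, lookup class present
    return results


def is_remediated(lib_dir):
    """True only if a core jar exists and every core jar found is mitigated."""
    results = audit_lib_dir(lib_dir)
    return bool(results) and all(
        status in ("upgraded", "class-removed") for status in results.values())


if __name__ == "__main__":
    # Default is the Linux path from the article; pass another path as argv[1].
    lib = sys.argv[1] if len(sys.argv) > 1 else \
        "/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib"
    for name, status in audit_lib_dir(lib).items():
        print(f"{status:14} {name}")
    sys.exit(0 if is_remediated(lib) else 1)
```

The script exits non-zero if any jar is still vulnerable or unreadable, or if no log4j-core jar is found, so it can be run after the service restart as a pass/fail check.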
Please see the source article link for the most up to date information.
Source: https://ask.adaptec.com/app/answers/detail/a_id/17523/~/storage-management-response-to-apache-log4j-remote-code-execution-vulnerability
February 2022
Compucon Physical Security Project Team
The PC is not dead and has evolved. A smartphone is a PC in the palm. An EV is a computer server on 4 wheels. A data centre in the cloud consists of thousands of PCs under one roof. A safety and security system for an organization is a PC. Who says the PC is dead? Many people said so because they no longer used a PC. In reality, they use PCs that do not look like a PC, without knowing it!
Many homes and small companies have installed surveillance cameras with a recorder. The truth is that the recorder is a PC, and each camera is a PC. These people may have installed remote door lock access control. These locks are either standalone or they are connected to the Cloud. The truth is that modern door locks involve a PC, and the Cloud is definitely formed from PCs.
A newish and upmarket apartment building in Auckland was equipped with surveillance cameras and access control door locks when the building was constructed. It did have a PC in its manager's office for viewing security information. Owners and residents found after two years of living there that the installed equipment had gaps. They called for extensions of capacity. A PC is extensible, although there is a limit, which is normally far beyond the needs of a small or medium company. To the surprise of the building owners, offers of extension from their existing suppliers and installers were not economical at all. At last, the building owners called Compucon to provide a separate PC-based system for 17 more cameras, 2 access control door locks, and 1 carpark gate controller to work in parallel with (and unrelated to) the existing equipment. Just over 12 months have elapsed. Time so far has proven that this PC system is of higher quality than the previously installed equipment, easier to manage, and cheaper to operate and maintain. As an example, a vehicle RFID (radio frequency identity) tag from Compucon, to be affixed to the windscreen, is about 1/7 of the cost of a thumb controller from an experienced installer. The building committee members have been extremely pleased with the entire process and outcomes of involving this new chap on the block.
February 2022
Frequently Asked Questions
- Can I use my PC as the Security PC? Not recommended. Read the explanations below.
- Can I use a spare PC as the Security PC? Unlikely a good idea. Read the explanations below.
- Can I buy a new PC to serve as the Security PC? Maybe. Read the explanations below.
- Can I use the Security PC for my work? Not recommended. Read the explanations below.
- Why is Compucon PC a better choice than other brands of PC for Security System?
- Compucon Security Systems use a Compucon PC as the server for many reasons. First, a Security System must be reliable, responsive, extensible over time, secured, and compatible with hardware and software that comply with open industry standards. Not all PCs that are sold in shops or online comply with these requirements. Second, Compucon will have been a PC maker for 30 years by 2022-05-01. Compucon PCs have been made under the ISO-9001 quality management standard since 1995, and they are well regarded in the business market as being amongst the most reliable computers. Third, every security system is different, and every site has different requirements (although the concept for security is the same). One shoe does not fit all feet. It is alright to buy a large shoe to fit all feet to cover the growth of the feet. Human feet have one form only, but security feet have many different forms such as video surveillance, access control, and intrusion alarming. Compucon is licensed to design security systems and is certified to the ISO-9001 quality management standard for PC production. Not many other people are.
- A security system is a serious asset for an organization. All activities related to the security system have to be recorded, and its interface with the outside world has to be tightly controlled. If the security system is used for purposes it was not designed for, it is highly likely that the security of the system will be compromised and some security protection activities sacrificed.