To ensure the highest level of security for our users, both Open-E JovianDSS and Open-E DSS V7 have been checked for possible vulnerabilities related to the Log4Shell exploit. Although our products’ core systems don’t contain the affected Log4j Java library, we conducted multiple tests to check whether the third-party management tools (which run when the related hardware is installed on the server) have been affected.
Our tests revealed the following:
- The MaxView Storage Manager tool utilizes the Apache Log4j library and is affected by the exploit.
- The MegaRAID Storage Manager (MSM) utilizes the Apache Log4j library, but none of our tests showed any indication of the library being affected by the exploit.
In order to minimize the risk, please ensure that your data storage setup is not connected to the Internet or is behind a firewall.
Open-E safety measures:
- Open-E will release updates to Open-E JovianDSS and Open-E DSS V7 to disable the MaxView Storage Manager tool to help our customers protect their infrastructure as soon as possible.
- After that, Open-E will release an update for MaxView Storage Manager containing a security patch (more testing is needed to ensure there are no further issues or compatibility problems).
More information about the updates will be sent in separate emails.