SA ID: DHCC-SA-202112-001
First Published: 2021-12-15
Summary:
Since December 9, 2021, the remote code execution vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832 and the denial-of-service vulnerability CVE-2021-45105 have been disclosed in the Apache Log4j 2 Java logging library, affecting Log4j 2 versions prior to 2.17.1. Some Dahua DSS products are affected, and the Log4j library in all affected products has been updated to version 2.17.1.
We will follow the development of these vulnerabilities and provide updates when more information is available.
Common Vulnerabilities and Exposures (CVE ID):
Null (no Dahua-specific CVE ID has been assigned; the applicable Log4j CVE IDs are those listed in the Summary and Vulnerability Score sections)
Vulnerability Score:
The vulnerability classification has been performed using the CVSS v3.1 scoring system (http://www.first.org/cvss/specification-document).
CVE-2021-44228 (JNDI lookup remote code execution)
Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Temporal Score: 9.0 (E:P/RL:O/RC:C)
CVE-2021-45046 (incomplete fix for CVE-2021-44228 in Log4j 2.15.0; remote code execution in non-default configurations)
Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Temporal Score: 8.1 (E:P/RL:O/RC:C)
CVE-2021-45105 (uncontrolled recursion in lookup evaluation; denial of service)
Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Temporal Score: 6.7 (E:P/RL:O/RC:C)
CVE-2021-44832 (remote code execution through the JDBC Appender when an attacker controls the logging configuration)
Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Temporal Score: 5.9 (E:P/RL:O/RC:C)
Affected Products & Fix Software:
The following product series and models are currently known to be affected:
Affected Model | Affected Version | Fix Software
DSS Express | V8.000.0000002.0.R.20210506, V8.000.0000003.0.R.20210729, V8.000.0000004.0.R.20211119 | General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip
DSS Pro | V7.002.0000005.0.R.20200414, V7.002.0000005.1.R.20200703, V7.002.0000005.2.R.20201223, V8.000.0000002.0.R.20210506, V8.000.0000003.0.R.20210729, V8.000.0000004.0.R.20211119 | General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip (same package as DSS Express)
DSS4004-S2 | V8.000.0000002.0.R.20210728 | General_DSS-Linux_Patch_Installer_V1.001.0000003.0.R.20211230.zip
DSS7016D-S2 | V8.000.0000002.0.R.20210728 | General_DSS-Linux_Patch_Installer_V1.001.0000003.0.R.20211230.zip (same package as DSS4004-S2)
Note: After downloading the patch package, refer to the operation guidance to confirm the version information and Build Time of the installed software.
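The advisory states that the fix brings the bundled Log4j library to 2.17.1 but leaves the version check to the product's operation guidance. The script below is an added example, not Dahua's tooling and not part of the DSS patch, that performs the library-level check directly: it walks an install directory (a hypothetical path the operator supplies), finds every log4j-core jar, reads the version from the jar manifest (falling back to the file name), and reports whether the jar is at or above the fixed release. It goes slightly beyond the page by also accepting the Apache backport releases 2.12.4 (Java 7) and 2.3.2 (Java 6) as fixed, and by distinguishing a jar whose JndiLookup.class was deleted (a mitigation for CVE-2021-44228/45046 only) from a fully fixed one. The three sample jars it builds are constructed fixtures with minimal manifests, not real Log4j artifacts.

```python
"""Check which Log4j 2 core jars are deployed under a product install tree.
Added example, not Dahua's tooling; the sample jars are constructed fixtures.
"""
import os
import re
import sys
import tempfile
import zipfile

# Fixed releases per Log4j 2 branch for CVE-2021-44228/45046/45105/44832:
# 2.17.1 (mainline, as in the advisory), 2.12.4 (Java 7) and 2.3.2 (Java 6).
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(?P<ver>[0-9][^/\\]*?)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def minimum_fixed(version):
    """Smallest fixed release on the same 2.x branch as `version`."""
    return FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT)


def jar_version(zf, path):
    """Version string from the manifest's Implementation-Version, else the file name."""
    if "META-INF/MANIFEST.MF" in zf.namelist():
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    m = JAR_NAME.match(os.path.basename(path))
    return m.group("ver") if m else None


def inspect_jar(path):
    """Verdict for one log4j-core jar: FIXED, PARTIAL, VULNERABLE or UNKNOWN."""
    with zipfile.ZipFile(path) as zf:
        raw = jar_version(zf, path)
        jndi_present = JNDI_LOOKUP_CLASS in zf.namelist()
    version = parse_version(raw) if raw else None
    if version is None:
        status = "UNKNOWN"
    elif version >= minimum_fixed(version):
        status = "FIXED"
    elif not jndi_present:
        # Deleting JndiLookup.class mitigates CVE-2021-44228/45046 only; the jar
        # stays exposed to CVE-2021-45105 and CVE-2021-44832, so still upgrade.
        status = "PARTIAL"
    else:
        status = "VULNERABLE"
    return {"path": path, "version": raw, "jndi_lookup_present": jndi_present,
            "status": status}


def scan(root):
    """Walk `root` and inspect every log4j-core jar. Jars nested inside
    .war/.ear archives are not opened; extract those first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed fixture: three stub jars carrying realistic manifest entries."""
    samples = [("a-unpatched", "2.14.1", True), ("b-class-removed", "2.14.1", False),
               ("c-patched", "2.17.1", True)]
    for name, version, with_jndi in samples:
        path = os.path.join(root, name, "lib", "log4j-core-%s.jar" % version)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return root


def demo_scan():
    """Scan the constructed fixture in a temp dir; returns the findings list."""
    return scan(build_sample_tree(tempfile.mkdtemp(prefix="log4j-check-")))


if __name__ == "__main__":
    findings = scan(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for f in findings:
        print("%-10s %-8s JndiLookup=%-5s %s" % (f["status"], f["version"],
                                                 f["jndi_lookup_present"], f["path"]))
```

Run it as `python check_log4j.py <DSS install directory>` on the server after applying the patch; with no argument it scans the constructed fixture. Any jar reported other than FIXED means the patch did not replace that copy, which is the case worth checking because a product tree can carry more than one copy of the library.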
Products Confirmed Not Vulnerable:
The products below are not affected by these vulnerabilities:
Product Model | Confirmed Result
IPC | Not Vulnerable
HDCVI | Not Vulnerable
PTZ | Not Vulnerable
ITC | Not Vulnerable
NVR | Not Vulnerable
DVR | Not Vulnerable
Storage | Not Vulnerable
Video Intercoms | Not Vulnerable
Access Control & Time Attendance | Not Vulnerable
Alarms | Not Vulnerable
IVS | Not Vulnerable
Fix Software Download:
Please download the corresponding fix software, or a newer version of it, as listed in the table above from the Dahua website, or contact Dahua local technical support to upgrade.
- Dahua Official Website (Overseas): https://software.dahuasecurity.com/en/download
- Dahua Technical Support Personnel
Support Resources:
For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.
Update Record:
2021-12-31 UPDATE v1.2 Added CVE-2021-44832; updated the Affected Products & Fix Software section
2021-12-21 UPDATE v1.1 Updated the affected products & fix software
2021-12-15 INITIAL v1.0