Security Advisory – Vulnerabilities Found in Apache Log4j Library Affecting Some Dahua Products


SA ID: DHCC-SA-202112-001

First Published: 2021-12-15

Summary:

Since December 9, 2021, remote code execution vulnerabilities identified as CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832, and a denial of service vulnerability identified as CVE-2021-45105, have been discovered in the Apache Log4j Java logging library, affecting all versions of Log4j prior to v2.17.1. Some Dahua DSS products are affected, and we have updated the Log4j library in all affected products to version v2.17.1.

We will follow up on the development of this vulnerability and provide updates when more information is available.

Common Vulnerabilities and Exposures (CVE) ID: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832

Vulnerability Score

The vulnerability classification has been performed by using the CVSS v3.1 scoring system (http://www.first.org/cvss/specification-document).

CVE-2021-44228

Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 9.0 (E:P/RL:O/RC:C)

CVE-2021-45046

Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 8.1 (E:U/RL:O/RC:C)

CVE-2021-45105

Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Temporal Score: 6.7 (E:P/RL:O/RC:C)

CVE-2021-44832

Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 5.9 (E:P/RL:O/RC:C)

Affected Products & Fix Software

The following product series and models are currently known to be affected:

Affected Model: DSS Express
Affected Version: V8.000.0000002.0.R.20210506, V8.000.0000003.0.R.20210729, V8.000.0000004.0.R.20211119
Fix Software: General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip

Affected Model: DSS Pro
Affected Version: V7.002.0000005.0.R.20200414, V7.002.0000005.1.R.20200703, V7.002.0000005.2.R.20201223, V8.000.0000002.0.R.20210506, V8.000.0000003.0.R.20210729, V8.000.0000004.0.R.20211119
Fix Software: General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip

Affected Model: DSS4004-S2, DSS7016D-S2
Affected Version: V8.000.0000002.0.R.20210728
Fix Software: General_DSS-Linux_Patch_Installer_V1.001.0000003.0.R.20211230.zip

Note: Please refer to the operation guidance to confirm the version information and Build Time after downloading the patch package.


Products Confirmed Not Vulnerable

The products below are not affected by this vulnerability:

Product Model: IPC, HDCVI, PTZ, ITC, NVR, DVR, Storage, Video Intercoms, Access Control & Time Attendance, Alarms, IVS
Confirmed Result: Not Vulnerable


Fix Software Download

Please download the corresponding fix software, or a newer version of it, as listed in the table above from the Dahua website, or contact Dahua local technical support to upgrade.

- Dahua Official Website (Overseas): https://software.dahuasecurity.com/en/download

- Dahua Technical Support Personnel

Support Resources

For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.


Update Record

2021-12-31  UPDATE   v1.2  Added CVE-2021-44832; updated the Affected Products & Fix Software section

2021-12-21  UPDATE   v1.1  Updated the affected products & fix software

2021-12-15  INITIAL  v1.0