Since December 9, 2021, remote code execution vulnerabilities identified as CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832, and a denial-of-service vulnerability identified as CVE-2021-45105, have been discovered in the Apache Log4j Java logging library, affecting all versions of Log4j prior to v2.17.1. Some Dahua DSS products are affected, and we have updated the Log4j library for all affected products to version v2.17.1.
We will follow up on the development of this vulnerability and provide updates when more information is available.
Common Vulnerabilities and Exposures (CVE ID):
The vulnerability classification has been performed by using the CVSS v3.1 scoring system (http://www.first.org/cvss/specification-document).
Temporal Score: 9.0 (E:P/RL:O/RC:C)
Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Temporal Score: 8.1 (E:U/RL:O/RC:C)
Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Temporal Score: 6.7 (E:P/RL:O/RC:C)
Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Temporal Score: 5.9 (E:P/RL:O/RC:C)
Affected Products & Fix Software:
The following product series and models are currently known to be affected:
Note: After downloading the patch package, please refer to the operation guidance to confirm the version information and Build Time.
Products Confirmed Not Vulnerable:
The products below are not affected by this vulnerability:
Access Control & Time Attendance
Fix Software Download:
Please download the corresponding fix software, or a newer version, as listed in the above table from the Dahua website, or contact Dahua local technical support to upgrade.
- Dahua Official Website: Overseas: https://software.dahuasecurity.com/en/download
- Dahua Technical Support Personnel
For any questions or concerns related to our products and solutions, please contact Dahua DHCC at firstname.lastname@example.org.
2021-12-31 UPDATE v1.2 Add CVE-2021-44832, Update the section of Affected Products & Fix Software
2021-12-21 UPDATE v1.1 Update the affected products & fix software
2021-12-15 INITIAL v1.0