
Security Advisory – Vulnerabilities Found in Apache Log4j Library Affecting Some Dahua Products


SA ID: DHCC-SA-202112-001

First Published: 2021-12-15

Summary:

Since December 9, 2021, remote code execution vulnerabilities identified as CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832, and a denial of service vulnerability identified as CVE-2021-45105, have been discovered in the Apache Log4j Java logging library, affecting all versions of Log4j prior to v2.17.1. Some Dahua DSS products are affected, and we have updated the Log4j library for all affected products to version v2.17.1.


We will follow up on the development of this vulnerability and provide updates when more information is available.

Common Vulnerabilities and Exposures (CVE) ID:

Null

Vulnerability Score

The vulnerability classification has been performed by using the CVSS v3.1 scoring system (http://www.first.org/cvss/specification-document).

CVE-2021-44228

Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 9.0 (E:P/RL:O/RC:C)


CVE-2021-45046

Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 8.1 (E:U/RL:O/RC:C)


CVE-2021-45105

Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Temporal Score: 6.7 (E:P/RL:O/RC:C)


CVE-2021-44832

Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 5.9 (E:P/RL:O/RC:C)

Affected Products & Fix Software

The following product series and models are currently known to be affected:

| Affected Model | Affected Version | Fix Software |
| --- | --- | --- |
| DSS Express | V8.000.0000002.0.R.20210506, V8.000.0000003.0.R.20210729, V8.000.0000004.0.R.20211119 | General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip |
| DSS Pro | V7.002.0000005.0.R.20200414, V7.002.0000005.1.R.20200703, V7.002.0000005.2.R.20201223, V8.000.0000002.0.R.20210506, V8.000.0000003.0.R.20210729, V8.000.0000004.0.R.20211119 | General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip |
| DSS4004-S2 | V8.000.0000002.0.R.20210728 | General_DSS-Linux_Patch_Installer_V1.001.0000003.0.R.20211230.zip |
| DSS7016D-S2 | V8.000.0000002.0.R.20210728 | General_DSS-Linux_Patch_Installer_V1.001.0000003.0.R.20211230.zip |

Note: Please refer to the operation guidance to confirm the version information and Build Time after downloading the patch package.


Products Confirmed Not Vulnerable

The products below are not affected by this vulnerability:

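| Product Model | Confirmed Result |
| --- | --- |
| IPC | Not Vulnerable |
| HDCVI | Not Vulnerable |
| PTZ | Not Vulnerable |
| ITC | Not Vulnerable |
| NVR | Not Vulnerable |
| DVR | Not Vulnerable |
| Storage | Not Vulnerable |
| Video Intercoms | Not Vulnerable |
| Access Control & Time Attendance | Not Vulnerable |
| Alarms | Not Vulnerable |
| IVS | Not Vulnerable |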


Fix Software Download

Please download the corresponding fix software, or a newer version, as listed in the table above from the Dahua website, or contact Dahua local technical support to upgrade.

- Dahua Official Website: Overseas: https://software.dahuasecurity.com/en/download

- Dahua Technical Support Personnel

 

Support Resources

For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.


Update Record

2021-12-31  UPDATE  v1.2 Add CVE-2021-44832, Update the section of Affected Products & Fix Software

2021-12-21  UPDATE  v1.1 Update the affected products & fix software

2021-12-15 INITIAL  v1.0