
Security Advisory – Vulnerabilities Found in Apache Log4j Library Affecting Some Dahua Products

SA ID: DHCC-SA-202112-001

First Published: 2021-12-15

Summary:

Since December 9, 2021, remote code execution vulnerabilities identified as CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832, and a denial of service vulnerability identified as CVE-2021-45105, have been discovered in the Apache Log4j Java logging library, affecting all versions of Log4j prior to v2.17.1. Some Dahua DSS products are affected, and we have updated the Log4j library for all affected products to version v2.17.1.


We will follow up on the development of this vulnerability and provide updates when more information is available.

Common Vulnerabilities and Exposures (CVE) ID:

Null

Vulnerability Score

The vulnerability classification has been performed by using the CVSS v3.1 scoring system (http://www.first.org/cvss/specification-document).

CVE-2021-44228

Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 9.0 (E:P/RL:O/RC:C)

CVE-2021-45046

Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 8.1 (E:U/RL:O/RC:C)

CVE-2021-45105

Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Temporal Score: 6.7 (E:P/RL:O/RC:C)

CVE-2021-44832

Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 5.9 (E:P/RL:O/RC:C)

Affected Products & Fix Software

The following product series and models are currently known to be affected:

| Affected Model | Affected Version | Fix Software |
|---|---|---|
| DSS Express | V8.000.0000002.0.R.20210506; V8.000.0000003.0.R.20210729; V8.000.0000004.0.R.20211119 | General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip |
| DSS Pro | V7.002.0000005.0.R.20200414; V7.002.0000005.1.R.20200703; V7.002.0000005.2.R.20201223; V8.000.0000002.0.R.20210506; V8.000.0000003.0.R.20210729; V8.000.0000004.0.R.20211119 | General_DSS-Windows_Patch_Installer_V1.001.0000003.0.R.20211230.zip |
| DSS4004-S2 | V8.000.0000002.0.R.20210728 | General_DSS-Linux_Patch_Installer_V1.001.0000003.0.R.20211230.zip |
| DSS7016D-S2 | V8.000.0000002.0.R.20210728 | General_DSS-Linux_Patch_Installer_V1.001.0000003.0.R.20211230.zip |

Note: Please refer to the operation guidance to confirm the version information and Build Time after downloading the patch package.
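After the fix software is installed, one way to confirm that no Log4j core library older than v2.17.1 remains on a DSS server is to scan the installation directory for log4j-core jars. The Python script below is an added example, not Dahua's tooling; the installation directory is passed as an argument, and reading the version from the jar's Maven pom.properties entry (falling back to the file name) is an assumption about how the library is packaged.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 17, 1)  # version the advisory says affected products were updated to
# Assumption: the jar keeps log4j-core's Maven metadata entry (also true of most fat jars).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)", re.I)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when the text does not start with a number."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else None

def log4j_core_version(jar):
    """Version of log4j-core inside a jar, from pom.properties or else the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if POM in zf.namelist():
                for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        found = parse_version(line.split("=", 1)[1])
                        if found:
                            return found
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name below
    m = NAME_RE.search(Path(jar).name)
    return parse_version(m.group(1)) if m else None

def scan(root):
    """Return (path, version, status) for every log4j-core copy found under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = log4j_core_version(jar)
        if version is None:
            continue  # jar does not contain log4j-core
        padded = (version + (0, 0, 0))[:3]  # so '2.17' compares as 2.17.0
        status = "OK" if padded >= FIXED else "OUTDATED"
        findings.append((str(jar), ".".join(map(str, version)), status))
    return findings

if __name__ == "__main__":
    # Assumption: the installation directory is passed as the first argument.
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, status in results:
        print(f"{status:8} log4j-core {version}  {path}")
    sys.exit(1 if any(s == "OUTDATED" for _, _, s in results) else 0)
```

The script does not open jars nested inside other jars, and it cannot identify a copy whose metadata and file name have both been stripped, so an empty result is not proof of absence.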


Products Confirmed Not Vulnerable

The products below are not affected by this vulnerability:

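| Product Model | Confirmed Result |
|---|---|
| IPC | Not Vulnerable |
| HDCVI | Not Vulnerable |
| PTZ | Not Vulnerable |
| ITC | Not Vulnerable |
| NVR | Not Vulnerable |
| DVR | Not Vulnerable |
| Storage | Not Vulnerable |
| Video Intercoms | Not Vulnerable |
| Access Control & Time Attendance | Not Vulnerable |
| Alarms | Not Vulnerable |
| IVS | Not Vulnerable |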


Fix Software Download

Please download the corresponding fix software, or a newer version, as listed in the table above from the Dahua website, or contact Dahua local technical support to upgrade.

- Dahua Official Website: Overseas: https://software.dahuasecurity.com/en/download

- Dahua Technical Support Personnel

Support Resources

For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.


Update Record

2021-12-31  UPDATE  v1.2 Add CVE-2021-44832, Update the section of Affected Products & Fix Software

2021-12-21  UPDATE  v1.1 Update the affected products & fix software

2021-12-15 INITIAL  v1.0