This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products

  • SA No:huawei-sa-20211215-01-log4j
  • Initial Release Date: Dec 15, 2021
  • Last Release Date: Jan 14, 2022


Some Huawei products are affected by the Apache Log4j2 remote code execution vulnerabilities. The vulnerabilities are caused by a recursive parsing error in some functions of Apache Log4j2. An attacker can construct a malicious request to control log parameters to trigger a remote code execution vulnerability. (Vulnerability ID: HWPSIRT-2021-28415 and HWPSIRT-2021-94301)

The two vulnerabilities have been assigned two Common Vulnerabilities and Exposures (CVE) IDs: CVE-2021-45046 and CVE-2021-44228.

For products that have released software updates to fix these vulnerabilities, Huawei will release and update this Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211215-01-log4j-en



Product Name

Affected Version

Resolved Product and Version

SMSGW

V100R001C01

V100R001C01LG8001SPC002

V100R002C11

V100R002C11LG8007SPC002

V100R003C01

V100R003C01LG8016

Agile Controller-Campus

V100R003C60SPC202

V100R003C60SPC216

V100R003C60SPC205

V100R003C60SPC206

V100R003C60SPC207

V100R003C60SPC208

V100R003C60SPC209

V100R003C60SPC210

V100R003C60SPC211

V100R003C60SPC212

V100R003C60SPC213

FusionCompute

6.5.0

6.5.1.HP8

6.5.1

8.0.0

8.0.1.HP3

8.0.1

8.0.RC2

8.0.RC3

8.1.0

Fusioncompute 8.1.1.1

8.1.1

8.1.RC1

FusionCube

6.0.0

6.0.5.SPC102

6.0.1

6.0.2

FusionCube 1000C 8.0.0.CP1

6.0.3

6.0.5

6.0.5.SPC102

6.0.RC1

FusionCube 1000C 8.0.0.CP1

6.0.RC2

6.0.RC3

6.0.5.SPC102

6.0.RC5

FusionCube 1000C 8.0.0.CP1

FusionStorage OBS

7.0.0

OceanStor Pacific 9520 8.1.1.SPH2

7.0.1

GaussDB 200

6

GaussDB A 8.0.0.SP8

ManageOne

8.0.0

8.0.3.CP0033

8.0.1

8.0.2

8.0.3

8.1.0

NFV_FusionSphere

21.3.0

21.3.0.SPH1

6.5.1

6.5.1.SPH35

8.0.0

8.0.0.SPC25

V100R006C50SPC105

V100R006C50SPC225

V100R006C50SPC109

V100R006C50SPC212

V100R006C50SPC219

V100R006C50SPC220

V100R006C50SPH211

OceanStor 6800 V3

V300R006C60

V300R006C60SPC001

OceanStor 9000

V300R006C20

OceanStor 9000 V5 7.1.1.SPH109

SMC2.0

V500R002C00SPC900

V600R019C10SPC954

V600R006C00

V600R006C10

V600R019C00

V600R019C10

SoftCo

V200R003C50SPC500

V200R003C50SPC905

V200R003C50SPC600

V200R003C50SPC700

V200R003C50SPC800

V200R003C50SPC900

eAPP610

V100R006C00

V100R006C00SPC400

eCNS280

V100R005C10SPC200

CGP_V200R020C10SPC201_05_LMT

V100R005C10SPC210

V100R005C10SPC300

V100R005C10SPC310

V100R005C10SPC500

V100R005C10SPC506

V100R005C10SPC516

V100R005C10SPC800

V100R005C10SPC801

V100R005C10SPC802

eCNS290

V100R005C30SPC200

CGP_V200R020C10SPC201_05_LMT

V100R005C30SPC201

V100R005C30SPC202

eLog

V200R007C10

V200R007C10SPC203

eSE620X vESS

V100R001C10SPC200

CGP_V200R020C10SPC201_05_LMT

V100R001C20SPC300

V200R001C00SPC360

eSpace ECS

V300R001C00SPC200

V300R001C00SPC223

V300R001C00SPC201

V300R001C00SPC202

V300R001C00SPC203

V300R001C00SPC205

V300R001C00SPC206

V300R001C00SPC207

V300R001C00SPC208

V300R001C00SPC209

V300R001C00SPC210

V300R001C00SPC211

V300R001C00SPC212

V300R001C00SPC213

V300R001C00SPC215

V300R001C00SPC216

V300R001C00SPC217

V300R001C00SPC218

V300R001C00SPC219

V300R001C00SPC220

V300R001C00SPC221

V300R001C00SPC222

eSpace U1910

V200R003C50SPC500

V200R003C50SPC905

V200R003C50SPC600

V200R003C50SPC700

V200R003C50SPC800

V200R003C50SPC900

eSpace U1911

V200R003C50SPC500

V200R003C50SPC905

V200R003C50SPC600

V200R003C50SPC700

V200R003C50SPC800

V200R003C50SPC900

eSpace U1930

V200R003C50SPC500

V200R003C50SPC905

V200R003C50SPC600

V200R003C50SPC700

V200R003C50SPC800

V200R003C50SPC900

eSpace U1960

V200R003C50SPC500

V200R003C50SPC905

V200R003C50SPC600

V200R003C50SPC700

V200R003C50SPC800

V200R003C50SPC900

eSpace U1980

V200R003C50SPC500

V200R003C50SPC905

V200R003C50SPC600

V200R003C50SPC700

V200R003C50SPC800

V200R003C50SPC900

eSpace U1981

V200R003C50

V200R003C50SPC905

iManager NetEco

V600R009C10

V600R010C00CP5303

V600R010C00

iManager NetEco 6000

V600R008C00

V600R008C10CP5902

V600R008C10

V600R009C00

V600R009C00CP2601

V600R021C00

iMaster NetEco V600R021C10CP3301

V600R021C10

iMaster MAE-M

V100R020C10

iMaster MAE V100R020C10CP2309

V100R021C10

iMaster MAE V100R021C10CP2703

V100R022C00

iMaster MAE V100R022C00CP2101



An attacker can construct a malicious request to control log parameters to trigger a remote code execution vulnerability.

The vulnerability classification has been performed by using the CVSSv3.1 scoring system (http://www.first.org/cvss/specification-document).

HWPSIRT-2021-28415:

Base Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

HWPSIRT-2021-94301:

Base Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Temporal Score: 9.3 (E:F/RL:O/RC:C)

These vulnerabilities can be exploited only when the following conditions are present:

Attackers can access the target system.

Vulnerability details:

These vulnerabilities are caused by a recursive parsing error in some functions of Apache Log4j2. An attacker can construct a malicious request to control log parameters to trigger a remote code execution vulnerability.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.

The vulnerabilities were disclosed externally.


2022-01-14 V1.6 UPDATED Updated the "Software Versions and Fixes" section;

2022-01-14 V1.5 UPDATED Updated the "Software Versions and Fixes" section;

2022-01-12 V1.4 UPDATED Updated the "Software Versions and Fixes" section;

2021-12-28 V1.3 UPDATED Updated the "Software Versions and Fixes" section;

2021-12-24 V1.2 UPDATED Updated the "Software Versions and Fixes" section and the "Summary" section;

2021-12-24 V1.1 UPDATED Updated the "Software Versions and Fixes" section;

2021-12-15 V1.0 INITIAL

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.