Skip to main content

Hitachi
Contact UsContact Us

December 28, 2021
Hitachi, Ltd. IT Platform Products Management Division

Hitachi Disk Array Systems have the following vulnerability.

Security Information ID

Hitachi-sec-2021-315

Vulnerability description

CVE-2021-44228 | Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

Affected products

The following table shows the affected products.

Product Name Hitachi Virtual Storage Platform E390, E390H, E590, E590H, E790, E790H, E990
Software Name
  • SVP software (Storage Navigator)
  • Export Tool2
Software Version
  • SVP software: 93-02-02-00/00 and later
  • Export Tool2: All versions
Product Name Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900
Hitachi Virtual Storage Platform F350, F370, F700, F900
Software Name
  • SVP software (Storage Navigator)
  • Export Tool2
Software Version
  • SVP software: 88-07-01-00/00 and later
  • Export Tool2: All versions
Product Name Hitachi Virtual Storage Platform G100, G200, G400, G600, G800
Hitachi Virtual Storage Platform F400, F600, F800
Hitachi Virtual Storage Platform N400, N600, N800
Software Name SVP software (Storage Navigator)
Software Version SVP software: 83-05-42-00/00 and later, 83-06-11-00/00 and later

Permanent action

Software update will be released.

Interim action

(a)SVP Software (Storage Navigator)
Do one of the followings:

  1. Use Storage Navigator on secure network.
    Enable IP filtering of OS or router, etc., so that communication to the port number used by the SVP PC is restricted to trusted IP addresses only. Please contact your IT administrator and/or network administrator.
  2. Shutdown SVP PC.
  3. Stop Storage Navigator services on SVP PC. Please contact your authorized service representative for the instructions.

Note: If applying ii or iii, the following restrictions will apply:

  1. Encryption License Key with key management server will be affected. "Regular encryption key backups" may fail, and if the Encryption License Key is used in the setting that "Protect the Key Encryption Key on the Key Management Server" is enabled, logical volume may be blocked temporally when the storage system is powered on. In this case, please apply i.
  2. All of storage management software that depends on Storage Navigator services may be affected when stopping Storage Navigator. Please contact your authorized service representative for details on any corrective actions.
  3. Hitachi Remote Operations will be affected. Please check the health of storage system via Maintenance Utility regularly until modified code will be available.

Note: If applying iii, you must reboot SVP before using Storage Navigator again. After you finish using Storage Navigator, or if SVP is rebooted unintentionally, stop Storage Navigator and related services again.

(b)Export Tool 2
Do one of the followings:

  1. Use Storage Navigator and Export tool 2 on secure network.
  2. Stop using Export tool 2. (Don’t need to uninstall it.)

Note: Export Tool2 is not bundled for Hitachi Virtual Storage Platform G100, G200, G400, G600, G800, F400, F600, F800.

References

Please refer to the Security Update Guide about the vulnerabilities

Revision history

  • December 28, 2021: This security information page is published.
  • Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
  • The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
  • The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
  • The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.