Apache Log4j Vulnerability (CVE-2021-44228) Guidance for Vertiv™ Environet™ Alert

Vertiv has investigated the latest vulnerability in the log4j library (CVE-2021-44832). Vertiv™ Environet™ does not utilize a vulnerable configuration that could support an attacker in leveraging this vector. However, there does exist a situation in which an attacker could create an exploitable configuration if the attacker had access to the machine in which Environet Alert is installed, along with the ability to modify files in the installation directory.

To mitigate against such vulnerability, Vertiv advises that all users of Environet Alert review their security configurations to ensure principal of least privilege is utilized to limit the number of paths that could allow unauthorized configuration file changes. The current version of Environet Alert, 1.3.3, contains log4j 2.17 and Vertiv will be updating the log4j library to 2.17.1 in the 1.4 release of Environet Alert (planned February 2022). This latest version of log4j will mitigate CVE-2021-44832.

Below are instructions to update to the latest version of Vertiv Environet Alert.

Software Upgrade to Vertiv™ Environet™ Alert Version 1.3.3

If you are currently running version 1.3, 1.3.1 or 1.3.2:

1. Download the install file here.
2. Follow the backup/install instructions to_upgrade from 1.3, 1.3.1 or 1.3.2 to 1.3.2

If you are currently running version 1.1/1.2:

1. Log into your Environet™ Alert system and navigate to System Admin > License Dashboard.

2. Click on the "Request New License" button.

3. Fill out the form that includes your email address and contact information, as well as specifically stating the request is for an upgrade to version 1.3 in the subject line.

   1. If your Alert server is not connected to the internet or a mail server, please send the form information to dcim_licensing@vertiv.com in a separate email.

4. Click the "OK" button to email the licensing team.

5. Upon receipt of the request, we will respond with instruction on how to upgrade and will include a new license file for your Environet™ Alert solution (please allow for 1-2 business days for our reply).

We continue to urge all customers to make sure products are installed following our guidance and software versions are current with the latest updates. Please let us know if you have any difficulty or question regarding the installation of the updated software.