
NetApp’s Response to Customers Regarding the Log4j Vulnerability Threat


The United States Cybersecurity and Infrastructure Security Agency issued guidance about a vulnerability in Apache’s Log4j software on Monday, December 13, 2021. Subsequently, a second vulnerability was announced due to an incomplete patch. Apache Log4j is Java software widely used by many companies for logging purposes. It is often included or bundled with third-party software packages.

NetApp’s Response 

The security of NetApp products and the safety of our customers are a top priority. In response to these vulnerabilities, NetApp has taken immediate action to proactively address any critical vulnerability affecting our products and solutions containing the Log4j software library.

Upon notification of the Log4j vulnerability report, the NetApp Security Team initiated investigations in accordance with our incident response processes. NetApp followed the guidance issued to all Log4j customers in addition to following our internal processes for investigation, forensic analysis, and threat mitigation. NetApp will continue to remain vigilant regarding all aspects of this challenging and evolving situation.

At this time, there have been no compromises or successful exploits observed in NetApp products, solutions or in the NetApp environment. The majority of our products and solutions are not affected or have already been reviewed and patched. For the list of NetApp products that are in the process of being patched, please refer to the NetApp Product Security Advisory website: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. These pages will be updated on an ongoing basis to reflect the most current status. We are also working closely with our third-party ecosystem to support them.

NetApp will continue to update this advisory as additional information becomes available and will provide answers to common questions below. This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding fully supported products and versions.


Frequently Asked Questions (Updated January 7, 2022) 

  1. Are NetApp products affected by the Log4j vulnerability? Which products were affected?
    Many NetApp products do not use Log4j software and are therefore unaffected. Please refer to the following NetApp Product Security Advisories for the list of NetApp products that were affected and mitigated: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. If available, fixes and workarounds are noted under the Remediation section of each advisory.

  2. What if my NetApp product is not listed in the NetApp Product Security Advisories CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832?
    If your product is not listed in our product security advisories, either no action is required on your part or the product is no longer covered by NetApp Support and therefore not being evaluated.

  3. What remediation actions have been taken?
    All NetApp products, software and infrastructure have been evaluated and any necessary countermeasures implemented. For the list of products that are still being investigated and patched, please refer to the NetApp Product Security Advisories: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. If available, fixes and workarounds are noted under the Remediation section of each advisory.

  4. Will this incident impact or interrupt the delivery of NetApp products and services?
    At this time, we are not anticipating any service disruptions for any NetApp products or services. 

  5. What is the impact to NetApp’s business?
    There is no impact to NetApp’s business at this time. 

  6. How does NetApp protect its environment from potentially affected software?
    NetApp does not disclose the details of our environment as it relates to our Cyber Security program. In response to this vulnerability, NetApp has followed the recommendations from Apache and the United States Cybersecurity and Infrastructure Security Agency. These actions also include patching and increased monitoring. Our security team and partners work 24x7 to protect NetApp.

  7. Have NetApp’s suppliers and vendors been impacted by the Log4j vulnerability?
    NetApp is engaging with our supply chain and third-party partners to determine if any suppliers or vendors were impacted by this vulnerability. 

For questions not covered in the FAQ or the NetApp Product Security Advisory website (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832), please contact NetApp Global Technical Support.

For media inquiries, please contact xdl-uspr@netapp.com