Is Endpoint Detection and Response (EDR) vulnerable to the remote code execution vulnerability described in:

CVE-2021-45046

CVE-2021-44228

CVE-2021-45105

If so, how can EDR be patched?

The Symantec EDR team investigated the log4j vulnerability described in CVE-2021-45046 and CVE-2021-44228.  Some components of the EDR on-premises appliance contain log4j versions that are known to be exposed to the vulnerability and may be impacted.  

To address CVE-2021-45046 we have released a patch/hotfix. This patch (atp-patch-generic-4.6-1) is applicable to EDR 4.6.0, 4.6.5, and 4.6.7. If SEDR Version is less than 4.6.0 then please upgrade to latest EDR Version 4.6.8.

To address CVE-2021-44228 Symantec strongly recommends to upgrade EDR Version to EDR 4.6.8, The upgrade also takes care of CVE-2021-45046.

i.e If SEDR is on version 4.6.8 both the CVE's (CVE-2021-45046 /CVE-2021-44228) are addressed.

To install patch atp-generic-4.6-1

1. At the admin CLI of EDR, type:
   show -v
   
   
2. If the current version is 4.6.0, 4.6.5, or 4.6.7, proceed to step 5. If you are on a prior version, then type:
   update download
   
   
3. If no errors occur during update download, type:
   update install
   
   
4. Updating the software version may require up to two reboots of EDR appliance before continuing. Once on 4.6.8, there is no need to apply the patch atp-patch-generic-4.6-1
   
   
5. To confirm the installed patches, type:
   patch list_installed
   
   
6. If "atp-patch-generic-4.6-1" appears in the output, the EDR appliance is already patched for this issue. No further action is needed for this particular EDR appliance.
   To check for the patch in the download repository, type:
   patch list
   
   
7. If "atp-patch-generic-4.6-1" does not appear in the download repository, please contact support for further assistance and reference KB #. Also copy and paste the output from this command into the case comments.
   To download the patch, type:
   patch download atp-patch-generic-4.6-1
   
   
8. To install the patch, type:
   patch install atp-patch-generic-4.6-1
   
   
9. During patch installation, the patch restarts services, making the UI temporarily unavailable. If the UI remains unavailable after an hour, please file a support ticket for further assistance.
    

• Q: Where can I find more information about CVE-2021-44228 and its effect on BROADCOM products?
  A: here...
  
  • https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793
  • https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    
    
• Q: Is EDR affected by CVE-2021-45105?
  A: EDR does not use Context Lookup in our logging code and the affected log configuration is not in use. Thus EDR is not affected by CVE-2021-45105.
  
  
• Q: I had trouble with my EDR license after the upgrade to 4.6.8. Where can I get help?
  A: To confirm that you are impacted by a known issue, see:
  • Title: Appliances page shows 'An error occurred' after upgrade
    URL: https://knowledge.broadcom.com/external/article?articleId=229669