search cancel

Log4j Vulnerability - CVE-2021-44228 and the Identity Suite

book

Article ID: 230278

calendar_today

Updated On:

Products

CA Identity Suite CA Identity Governance CA Identity Manager CA Identity Portal

Issue/Introduction

Is the Identity Suite vulnerable to CVE-2021-44228?

Critical Vulnerability CVE-2021-44228 was announced today:


https://nvd.nist.gov/vuln/detail/CVE-2021-44228

This exploit would allow malicious code to read from an LDAP directory through log4j JNDI framework.

https://logging.apache.org/log4j/2.x/security.html

It has been determined that the Symantec IGA 14.x products are affected by this vulnerability.  The full details of affected versions are defined below.



Environment

Release : 14.2, 14.3, 14.4

Component : Identity Manager, Identity Governance, Identity Portal, Virtual Appliance

Release

Affected Servers

Component to be patched

Log4j version in use

14.1

Identity Manager

NimSoft WAR

2.3

14.2

Identity Manager

NimSoft WAR

2.3

14.3

Identity Manager

NimSoft WAR

2.3

14.4

Identity Manager

NimSoft WAR

IM Server

2.3

2.12

14.4

Identity Governance

IG Server

2.12

14.4

Identity Portal

IP Server

2.12

Resolution

Patches for STAND ALONE NON-VAPP based IDM deployments, versions 14.2, 14.3, and 14.4.
Please see the product documentations release notes for the patch and instructions:

For 14.2: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-2/release-notes/Hotfixes.html

For 14.3: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html

For 14.4: IDM: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
               Portal: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-4/release-notes/Hotfixes.html
               Governance: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/release-notes/Hotfixes.html

 

Patches for 14.1, 14.2, 14.3, and 14.4  VAPP versions have been released (12/26/2021). They are available in the Release Notes section of the product documentation.  See links below:

14.4, 14.4.1:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

14.3, 14.2, 14.1

Please note version 14.1 utilizes the 14.2 hotfix. The MD5 Checksum fix is the same for both 14.1 and 14.2 fixes.


https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-2/release-notes/virtual-appliance-release-notes/Hotfixes.html





Previous Interim Solution to prevent the vulnerability in current IGA products.  The directions below were provided before the Fixes above were created.  This below is provided now for informational purposes.  If you have implemented the below, Please deploy the fix above and revert the workaround changes to their previous state.  Thank you. 

For the affected releases, Broadcom will provide patches to upgrade the affected servers. The patch will upgrade the two vulnerable log4j 2 versions to log4j version 2.17.1.  This is NOT an issue with log4j version 1.x versions.

This is NOT an issue with Provisioning Manager, CA Identity Governance Client Tool R14, and CA IAM Connector Server, Java Connector Server, CA IAM Connector Xpress. these components are not vulnerable. 

Tibco Jasper 6.4.3 and 7.1.1 do not use Log4j and are not vulnerable. Jasper versions 7.5.3 and above are vulnerable, please work with Tibco.

In the interim, until these patches are provided (Patches have now been released, see links above), Broadcom recommends that you perform the following actions to prevent the occurrence of the vulnerability of your currently installed IGA 14.x products.

This procedure ensures that your IGA environment is protected from the vulnerability as recommended by the Apache log4j site referenced above. A security scan will report the log4j libraries as vulnerable as this configuration continues to use the existing log4j versions in a secure manner.

The procedure requires access to the IGA Server’s deployment folder and uses a command to remove the vulnerable java class from the log4j-core-2.xx.jar as follows:

  1. Stop the appropriate IGA server.
  2. From a windows command or Linux shell:
  3. Navigate to the appropriate Log4j Deployment Folder as shown in the tables below.
  4. Create a backup of the appropriate Log4j jar to be updated.
  5. Execute the following command on the appropriate Log4j jar (this is an example for Linux, if using Windows you need to determine the appropriate command based on the zip utility software used)

 > zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  1. Restart the IGA server

 

Note: For Identity Suite Virtual Appliance deployments, the file system permissions will not allow this procedure. See Table 3 for the procedures appropriate for the Virtual Appliance.

The following tables show the Server, Server deployment folder and log4j jar file to execute this operation on.

Table 1. Windows-based Deployments:

Release

Server

Application Server

Log4j Deployment Folder

Log4j jar

14.1, 14.2,

14.3

IM

jBoss\Wildlfy

<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

WebLogic

Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

WebSphere

WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

 

 

 

IG

JBoss\Wildfly

Not Applicable

 

 

 

WebSphere

Not Applicable

 

 

 

 

 

 

 

IP

JBoss\Wildfly

Not Applicable due to v1.x

 

 

 

WebLogic

Not Applicable due to v1.x

 

14.4

IM

jBoss\Wildlfy:

<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

<JBOSS_HOME>standalone\deployments\iam_im.ear\library
<JBOSS_HOME>modules\com\ca\iam\log4j\core\main

log4j-core-2.12.jar

 

 

WebLogic

Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\library

log4j-core-2.12.jar

 

 

WebSphere

WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

WebSphere-ear\iam_im.ear\iam_im.ear\library

log4j-core-2.12.jar

 

IG

jBoss\Wildlfy

<JBOSS_HOME>\modules\system\layers\base\com\ca\iam\log4j2\core\main

log4j-core-2.12.0.jar

         

 

WebSphere

IBM\WebSphere\AppServer\classes

log4j-core-2.12.0.jar

 

IP

jBoss\Wildlfy

<JBOSS_HOME>\modules\com\ca\iam\log4j2\core\main\

log4j-core-2.12.0.jar

 

 

WebLogic

Not Applicable due to v1.x

 

 

Table 2 Linux-based Deployments:

Release

Server

Application Server

Deployment folder

Log4j jar

14.1, 14.2, 14.3

IM

jBoss\Wildlfy

<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

WebLogic

Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

WebSphere

WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

 

 

 

IG

JBoss\Wildfly

Not Applicable

 

 

 

WebSphere

Not Applicable

 

 

 

 

 

 

 

IP

JBoss\Wildfly

Not Applicable due to v1.x

 

 

 

WebLogic

Not Applicable due to v1.x

 

14.4

IM

jBoss\Wildlfy:

<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

<JBOSS_HOME>standalone\deployments\iam_im.ear\library
<JBOSS_HOME>/modules/com/ca/iam/log4j2/core/main

log4j-core-2.12.jar

 

 

WebLogic

Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\library

log4j-core-2.12.jar

 

 

WebSphere

WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib

log4j-core-2.3.jar

 

 

 

WebSphere-ear\iam_im.ear\iam_im.ear\library

log4j-core-2.12.jar

 

IG

jBoss\Wildlfy

<JBOSS_HOME>\modules\system\layers\base\com\ca\iam\log4j2\core\main

log4j-core-2.12.0.jar

         

 

WebSphere

IBM\WebSphere\AppServer\classes

log4j-core-2.12.0.jar

 

IP

jBoss\Wildlfy

<JBOSS_HOME>\modules\com\ca\iam\log4j2\core\main\

log4j-core-2.12.0.jar

 

 

WebLogic

Not Applicable due to v1.x

 

 

Table 3. vApp Deployments

Release

Server

Application Server

Instructions

Remarks

14.1

14.2

14.3

14.4

IM

JBoss\Wildfly

1. Log in to the system where you have installed Identity Manager using the Virtual Appliance solution.

2. Navigate to /opt/CA/VirtualAppliance/custom/IdentityManager/jvm-args.conf.

3. In the jvm-args.conf file, add the following configuration:

a. Uncomment the following JVM arguments:

JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom

b. Add -Dlog4j2.formatMsgNoLookups=true to the end of the JVM arguments:

JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true

4. Restart Identity Manager.

 

Update your min(Xms) and max(Xmx) heap size values to reflect your existing configuration or as applicable

 

14.4

IG

JBoss\Wildfly

1.  Log in to the system where you have installed Identity Governance using the Virtual Appliance solution.

2.  Navigate to /opt/CA/VirtualAppliance/custom/IdentityGovernance/jvm-args.conf.

3.  In the jvm-args.conf file, add the following configuration:

a. Uncomment the following JVM arguments:

 JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom

b. Add -Dlog4j2.formatMsgNoLookups=true to the end of the JVM arguments:

 JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true

4. Restart Identity Governance.

Update your min(Xms) and max(Xmx) heap size values to reflect your existing configuration or as applicable

 

14.4

IP

JBoss\Wildfly

1. Log in to the system where you have installed Identity Portal using the Virtual Appliance solution.

2. Navigate to /opt/CA/VirtualAppliance/custom/IdentityPortal/jvm-args.conf.

3. In the jvm-args.conf file, add the following configuration:

a. Uncomment the following JVM arguments:

JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom

b. Add -Dlog4j2.formatMsgNoLookups=true to the end of the JVM arguments:

JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true

4. Restart Identity Portal.

Update your min(Xms) and max(Xmx) heap size values to reflect your existing configuration or as applicable

This is not an issue for vApp Identity Portal and Identity Governance 14.1, 14.2, and 14.3.

Table 4. Admin Tools IM (Bulk Loader)

Release

Server

Tools

Tools Folder

Log4j jar

14.4

IM

Admin Tools

CA\Identity Manager\IAM Suite\Identity Manager\tools\lib

log4j-core-2.12.jar

 

   

CA\Identity Manager\IAM Suite\Identity Manager\tools\SelectiveExportUtility

log4j-core-2.12.jar

 

   

CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Support\IMInfo

log4j-core-2.12.jar

Additional Information

Please see Broadcom's overall response here:
Broadcom Response to Log4j Vulnerability

Information specific to the Symantec Identity Governance and Administration (IGA) products can be found under the Symantec Security Advisory: SYMSA19793 link.  

Note that the Log4j 2.17.1 and 2.3.2 both address the vulnerabilities. The difference is that Log4J 2.17.1 is for Java 8 and not backwards compatible with older Java versions where as the Log4j 2.3.2 is for Java 6 but is forward compatible with later versions of Java.

https://logging.apache.org/log4j/2.x/security.html

Other potentially related CVEs:

CVE-2021-44832
CVE-2021-44832

CVE-2021-4104
CVE-2021-4104 - Is Identity Manager exposed to the JMSAppender Vulnerability?

CVE-2021-44832
CVE-2021-44832 - Is Identity Manager exposed to the JDBCAppender Vulnerability?

CVE-2021-17571
Log4j vulnerability - CVE-2019-17571 - Connector Server - log4j version 1.2.16

CVE-2022-23305 
CVE-2022-23307
Identity Manager Security Concerns for Log4J 1.x version: CVE-2022-23305 CVE-2022-23307

CVE-2020-9488
Resolved in hotfix
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html