A high-severity vulnerability impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.
This critical vulnerability in Apache Log4j, CVE-2021-44228, nicknamed ‘Log4Shell’, requires immediate attention. It affects Apache Log4j 2.x versions earlier than 2.15.0.
The vulnerability could allow unauthenticated remote code execution, resulting in an attacker gaining full control of an exploited server. Apache Log4j is used by many open-source projects and commercial off-the-shelf software packages, and it is potentially used within internally developed applications as well. Malicious actors are conducting widespread public scans that actively target and attempt to exploit this vulnerability.
Note: This also applies to CVE-2021-45105.
Note: No validation was done against any version prior to ITMS 8.5 (or GSS 3.3), since those versions are EOL at this point.
This issue has been reviewed by our Dev team. Refer to Broadcom Response to Log4j Vulnerabilities.
For the ITMS and GSS product division, see: Symantec Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability
Does ITMS/GSS use the Apache log4j library impacted by this issue?
No. The log4j library is not used in ITMS or GSS products. EPM products do not use the log4j library and are not impacted by CVE-2021-44228.