ITMS/GSS. About Zero-Day exploit: high severity vulnerability (CVE-2021-44228, CVE-2021-45105) impacting multiple versions of the Apache Log4j 2 utility
Article ID: 230281

Products

  • IT Management Suite
  • Ghost Solution Suite
  • ServiceDesk
  • Client Management Suite
  • Server Management Suite

Issue/Introduction

A high-severity vulnerability impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.

A critical vulnerability in Apache Log4j, CVE-2021-44228 (nicknamed ‘Log4Shell’), was discovered and requires immediate attention. It affects Apache Log4j 2.x versions earlier than 2.15.0.

The vulnerability could allow unauthenticated remote code execution, resulting in an attacker gaining full control of an exploited server. Apache Log4j is used by many open-source projects and commercial off-the-shelf software packages and is potentially used within internally developed applications as well. Malicious actors are running widespread public scans that actively target and attempt to exploit this vulnerability.

Note: This also applies to CVE-2021-45105.

Environment

  • ITMS 8.5, 8.6
  • GSS 3.3 RU8, RU9

Note: No validation was done against any version prior to ITMS 8.5 (or GSS 3.3), since those versions are EOL at this point.

Resolution

This issue has been reviewed by our Dev team. Refer to Broadcom Response to Log4j Vulnerabilities.
For the ITMS and GSS product division, see: Symantec Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

Does ITMS/GSS use the Apache log4j library impacted by this issue?

No. The log4j library is not used in the ITMS and GSS products. EPM products do not use the log4j library and are not impacted by CVE-2021-44228.
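Administrators who want to confirm the statement above on their own hosts (or check other software installed alongside ITMS/GSS) can inspect the installation tree for bundled log4j-core archives. The script below is an added example and is not code from this article or from the ITMS/GSS products. It identifies log4j-core by its class package prefix rather than by file name, so a renamed or bundled JAR is still found, reads the version from the file name or the JAR manifest, and flags versions below 2.15.0, the threshold stated in this article. The sample JARs it builds in a temporary directory are constructed for the demonstration and are not real log4j artifacts.

```python
"""Scan an installation tree for bundled log4j-core JARs and report which are
in the version range the advisory names (added example, not vendor code)."""
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 affects log4j 2.x earlier than 2.15.0 (the threshold the advisory states).
FIXED_VERSION = (2, 15, 0)
# Package prefix that identifies log4j-core classes, even inside a renamed or shaded JAR.
CORE_PREFIX = "org/apache/logging/log4j/core/"
# The class that implements the JNDI lookup; its presence means the lookup is still shipped.
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
# Version embedded in a standard log4j-core file name, e.g. log4j-core-2.14.1.jar
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:[-.].*)?\.jar$", re.IGNORECASE)


def version_from_manifest(jar):
    """Fall back to META-INF/MANIFEST.MF Implementation-Version when the file name is not standard."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", line.split(":", 1)[1].strip())
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def inspect_jar(path):
    """Return a finding for a JAR that carries log4j-core classes, or None otherwise."""
    path = Path(path)
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
            if not any(n.startswith(CORE_PREFIX) for n in names):
                return None
            m = JAR_NAME.match(path.name)
            version = tuple(int(x) for x in m.groups()) if m else version_from_manifest(jar)
            has_jndi = JNDI_LOOKUP in names
    except zipfile.BadZipFile:
        return None
    # Known version: compare against the advisory threshold.
    # Unknown version: treat the JAR as affected while it still ships JndiLookup.
    affected = version < FIXED_VERSION if version is not None else has_jndi
    return {"path": str(path), "version": version, "jndi_lookup": has_jndi, "affected": affected}


def scan_tree(root):
    """Walk an installation directory and inspect every JAR-like archive found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".zip")):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def _fake_jar(path, entries, manifest_version=None):
    """Write a minimal archive with the given entry names (constructed sample, not real log4j)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        if manifest_version:
            z.writestr("META-INF/MANIFEST.MF",
                       f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n")
        for entry in entries:
            z.writestr(entry, b"")


def build_sample_tree(root):
    """Populate a directory with constructed JARs that exercise each code path."""
    root = Path(root)
    _fake_jar(root / "lib" / "log4j-core-2.14.1.jar", [CORE_PREFIX + "Logger.class", JNDI_LOOKUP])
    _fake_jar(root / "lib" / "log4j-core-2.15.0.jar", [CORE_PREFIX + "Logger.class", JNDI_LOOKUP])
    # Renamed bundle: version only recoverable from the manifest.
    _fake_jar(root / "app" / "bundled-logging.jar", [CORE_PREFIX + "Logger.class", JNDI_LOOKUP],
              manifest_version="2.13.3")
    # log4j-api alone carries no core classes and is not reported.
    _fake_jar(root / "app" / "log4j-api-2.14.1.jar", ["org/apache/logging/log4j/Logger.class"])
    _fake_jar(root / "app" / "other.jar", ["com/example/Main.class"])
    # Corrupt archive: skipped rather than crashing the scan.
    (root / "app" / "not-a-jar.jar").write_bytes(b"plain text, not a zip")


def demo():
    """Build the constructed sample tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        ver = ".".join(map(str, f["version"])) if f["version"] else "unknown"
        print(f"{'AFFECTED' if f['affected'] else 'ok      '} {ver:>8} jndi={f['jndi_lookup']} {f['path']}")
```

Run it as `python scan_log4j.py /path/to/install` to report real findings, or with no argument to scan the constructed sample tree. The scan does not descend into JARs nested inside WAR or EAR files; an archive that bundles its own libraries that way needs to be unpacked first, and a clean result from this script is evidence about the files on disk, not a substitute for the vendor advisory linked above.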

Additional Information