Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1 for CVE-2021-44228; CVE-2021-45046 extends the affected range to 2.15.0 and CVE-2021-44832 to 2.17.0 (see the individual CVE descriptions below).
CVE-2021-44228 Description: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1 affected.
CVE-2021-45046 Description: The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), an attacker who controls Thread Context Map (MDC) input can supply a JNDI Lookup pattern. Initially published as a denial of service, this was later reassessed as an information leak and remote code execution in some environments and local code execution in all environments. All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 affected.
CVE-2021-44832 Description: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code. All versions from 2.0-beta7 through 2.17.0 are affected, except the back-port fix releases 2.3.2 and 2.12.4; fixed in 2.17.1 by limiting JNDI data source names to the java protocol.
CVE-2021-4104 Description: Affects Log4j 1.2 only. JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. We have researched this vulnerability and Symantec VIP is not vulnerable to it.
Log4j files in older builds may cause security scans to flag the VIP Enterprise Gateway as risky.
As part of the broader Broadcom Software advisory, the Symantec VIP team has investigated these vulnerabilities and determined that the fix is delivered in the current VIP Enterprise Gateway release:
The latest version of VIP Enterprise Gateway is available to download from VIP Manager and through LiveUpdate from the VIP EG console. Version 9.9.2 and newer update the bundled log4j library to version 2.17.1, which addresses all of the Log4j 2 CVEs listed above (see the VIP Enterprise Gateway 9.9.2 Release Notes for more information).
To report a scanner finding, open a case with VIP technical support and attach the vulnerability scan results to the case.
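As a check a practitioner can run before attaching a scan to a case (an added example, not Broadcom or Symantec VIP code), the script below walks an install directory, reads the version of every log4j-core jar it finds from the jar manifest (falling back to the file name, which is all many scanners look at), and reports which of the CVEs above apply to that version. The directory layout, jar names and sample jars it builds are constructed for the demonstration and are not the real VIP Enterprise Gateway layout; point scan_tree at the actual install path. The affected ranges for CVE-2021-44228 and CVE-2021-45046 are those given above; the range for CVE-2021-44832 (2.0-beta7 through 2.17.0, excluding the back-port releases 2.3.2 and 2.12.4) is taken from Apache's advisory.

```python
"""Added example, not Broadcom/Symantec VIP code: find log4j-core jars under an
install tree and classify each by the Log4j 2 CVEs listed in this advisory."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Versions compare as (major, minor, patch, stage, stage_no); final releases
# get stage 1 so that a pre-release such as 2.0-beta9 sorts before 2.0.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if stage else 1, int(stage_no or 0))


# Inclusive affected ranges. CVE-2021-44228 and CVE-2021-45046 use the ranges
# stated in the advisory above; CVE-2021-44832's range is Apache's (fixed in
# 2.17.1, 2.12.4 and 2.3.2, so those two back-port releases are excluded).
AFFECTED: Dict[str, Dict[str, list]] = {
    "CVE-2021-44228": {"ranges": [("2.0-beta9", "2.12.1"), ("2.13.0", "2.14.1")], "exclude": []},
    "CVE-2021-45046": {"ranges": [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")], "exclude": []},
    "CVE-2021-44832": {"ranges": [("2.0-beta7", "2.17.0")], "exclude": ["2.3.2", "2.12.4"]},
}


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from AFFECTED that apply to a log4j-core version."""
    v = parse_version(version)
    hits = []
    for cve, spec in AFFECTED.items():
        if any(parse_version(x) == v for x in spec["exclude"]):
            continue
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in spec["ranges"]):
            hits.append(cve)
    return hits


_JAR_RE = re.compile(r"^log4j-core-(\d[^/]*?)\.jar$", re.I)


def jar_version(path: str) -> Optional[str]:
    """Prefer Implementation-Version from the jar manifest; fall back to the
    file name, which is all many scanners look at."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar, or no manifest: use the file name instead
    m = _JAR_RE.match(os.path.basename(path))
    return m.group(1) if m else None


def scan_tree(root: str) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Map each log4j-core jar (path relative to root, '/'-separated) to
    (version, affected CVEs)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if _JAR_RE.match(name):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = (ver, affected_cves(ver) if ver else [])
    return results


def _fake_jar(path: str, manifest_version: Optional[str]) -> None:
    """Constructed fixture: an empty jar carrying only a manifest."""
    lines = ["Manifest-Version: 1.0"]
    if manifest_version:
        lines.append(f"Implementation-Version: {manifest_version}")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")


def build_sample_tree() -> str:
    """Constructed install tree (hypothetical layout, not the real VIP EG one):
    one jar per state a scanner might meet, including a jar whose manifest
    lacks a version so the file-name fallback is exercised."""
    root = tempfile.mkdtemp(prefix="log4j-check-")
    os.makedirs(os.path.join(root, "lib"))
    _fake_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _fake_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "2.15.0")
    _fake_jar(os.path.join(root, "lib", "log4j-core-2.12.2.jar"), None)
    _fake_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    return root


if __name__ == "__main__":
    for rel, (ver, cves) in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {ver}: {', '.join(cves) or 'none of the listed CVEs'}")
```

Reading the manifest rather than trusting the file name matters in both directions: a renamed or repackaged jar can carry a vulnerable library under a clean-looking name, and a 2.17.1 jar that a scanner flags on a stale signature shows a clean manifest version here, which is the evidence worth attaching to the support case.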