
CVE-2021-44228: Log4j v2 Vulnerability Remediation in Nolio RA


Article ID: 230302


Updated On:

Products

  • CA Release Automation - DataManagement Server (Nolio)
  • CA Release Automation - Release Operations Center (Nolio)
  • CA Release Automation Connector

Issue/Introduction

Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Environment

CA Release Automation (CARA)/Nolio: All supported versions

Components: All Components (Management Server, Execution Server and Agents)

Resolution

CA Release Automation (CARA), a.k.a. Nolio (all supported versions), is not affected by this vulnerability (CVE-2021-44228): the Log4j version used in Nolio (Log4j 1.2.16) is outside the affected range (Log4j 2.0 - 2.14.1).
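
One way to verify this statement on an actual installation is to inventory the Log4j jars it ships rather than rely on the version in the documentation. The script below is an added example, not Broadcom's or Nolio's code: it walks a directory tree, derives each Log4j jar's version from its filename or from the Maven pom.properties inside the jar, checks whether the JndiLookup class is present, and flags versions in the 2.0 to 2.14.1 range quoted above. The directory names and the two sample jars it builds for the demo are constructed; nothing about Nolio's real install layout is assumed.

```python
"""Inventory Log4j jars under a directory and flag the CVE-2021-44228 range.

Added example (not Broadcom/Nolio code). Sample jars and paths are constructed.
"""
import os
import re
import sys
import tempfile
import zipfile

# Affected range as stated in the article: Log4j 2.0 through 2.14.1 inclusive.
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 14, 1)
# Class that implements the JNDI lookup described in the CVE text.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-1.2.16.jar, log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, ...
JAR_NAME_RE = re.compile(r"^log4j(?:-[A-Za-z0-9]+)*?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when text is not a dotted number."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def is_affected_version(version):
    """True when 2.0 <= version <= 2.14.1 (tuple comparison handles 2.0 vs 2.0.0)."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def version_from_pom_properties(zf):
    """Fallback for renamed jars: read version= from the Log4j Maven metadata."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/org.apache.logging.log4j/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_jar(path):
    """Return a finding dict for a Log4j jar, or None if the jar shows no Log4j markers."""
    name = os.path.basename(path)
    match = JAR_NAME_RE.match(name)
    version = match.group(1) if match else None
    try:
        with zipfile.ZipFile(path) as zf:
            if version is None:
                version = version_from_pom_properties(zf)
            has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return None
    if version is None and not has_jndi:
        return None
    in_range = version is not None and is_affected_version(version)
    return {
        "jar": name,
        "path": path,
        "version": version,
        "has_jndi_lookup": has_jndi,
        # In range and still carrying JndiLookup.class: vulnerable as described.
        "affected": in_range and has_jndi,
        # In range but the class was stripped: the class-removal mitigation was applied.
        "mitigated_by_class_removal": in_range and not has_jndi,
    }


def scan_tree(root):
    """Walk root and collect findings for every jar that looks like Log4j."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".jar"):
                info = inspect_jar(os.path.join(dirpath, fname))
                if info is not None:
                    findings.append(info)
    return findings


def build_constructed_sample(root):
    """Write two tiny constructed jars (not real Log4j builds) so the scan has input."""
    old = os.path.join(root, "lib", "log4j-1.2.16.jar")           # 1.x: outside the range
    new = os.path.join(root, "plugins", "log4j-core-2.14.1.jar")  # 2.x: top of the range
    os.makedirs(os.path.dirname(old), exist_ok=True)
    os.makedirs(os.path.dirname(new), exist_ok=True)
    with zipfile.ZipFile(old, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"")
    with zipfile.ZipFile(new, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"")
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "version=2.14.1\n")


def demo():
    """Scan the constructed sample tree; returns {jar name: affected?}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return {f["jar"]: f["affected"] for f in scan_tree(tmp)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan_tree(sys.argv[1]):
            print(f"{'AFFECTED' if f['affected'] else 'ok':9} {f['version'] or '?':8} {f['path']}")
    else:
        print(demo())
```

Run it with the installation directory as the argument (for example the directory holding the Management Server, Execution Server or Agent libraries); with no argument it scans the constructed sample. A jar in the affected range from which JndiLookup.class has already been removed is reported as not affected but is marked as mitigated by class removal, so the output also shows where that mitigation was applied.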

 

Additional Information

CA Release Automation will provide updated log4j 2.x libraries in CARA version 6.8; the tentative release timeline is the end of 2022.

  • Log4j 2.x changes the contents of the jar, including class names, so Release Automation must be adapted to those changes; a simple jar replacement is not an option.

 

For additional information related to Log4j v1 vulnerabilities please see the following KB Article: Log4j v1 Vulnerabilities

For more information on how to search Nolio's log4j configuration files, please see the following KB article: Scanning Vulnerable appender/classes in log4j.properties