search cancel

CVE-2021-44228 - log4j Vulnerability and CA Process Automation

book

Article ID: 230306

calendar_today

Updated On:

Products

CA Process Automation Base CA Process Automation Power Pack for Spectrum, IM, and BMC Remedy

Issue/Introduction

Are any of the components of CA Process Automation affected by the log4j vulnerability that was announced recently - CVE-2021-44228 or CVE-2021-4104?

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

Environment

CA Process Automation: All supported versions

Supported versions of CA Process Automation can be found here: CA Process Automation Release and Support Lifecycle Dates

Resolution

CA Process Automation, a.k.a. ITPAM (all supported versions) is not affected by this vulnerability (CVE-2021-44228) as the Log4j version used in ITPAM (Log4j 1.2) is outside the affected range (Log4j 2.0 - 2.14.1).

CA Process Automation, a.k.a. ITPAM (all supported versions) is not affected by this vulnerability (CVE-2021-4104) as it only affects Log4j 1.2 when specifically configured to use JMSAppender - which is not used in ITPAM (by default).

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Service Operations Insight (SOI) in not affected by the log4j zero day vulnerability

However, the Ca Help Desk Connector is:

https://knowledge.broadcom.com/external/article/230292/

CA Embedded Entitlements Manager(EEM) is not affected by the log4j zero day vulnerability

https://knowledge.broadcom.com/external/article/230311/