
CVE-2021-44228 - log4j Vulnerability and AutoSys Workload Automation, Workload Automation Agents, and Workload Automation iXP


Article ID: 230309


Products

CA Workload Automation AE - Business Agents (AutoSys)

CA Workload Automation AE - Scheduler (AutoSys)

CA Workload Automation AE - System Agent (AutoSys)

Issue/Introduction

Are any of the components of AutoSys Workload Automation affected by the recently announced log4j vulnerability, CVE-2021-44228?

Environment

All GA Versions of...

AutoSys Workload Automation (11.3.5, 11.3.6.x, 12.0, 12.0.1)

Workload Automation Agents (11.3.x, 11.4.x, 11.5,12.0)

Workload Automation iXP (11.3.x, 11.4)

Resolution

Broadcom Engineering has confirmed that all GA versions of the following AutoSys components and related products are not affected by this vulnerability...

AutoSys Workload Automation - Scheduler, Application Server, Client, WebUI(WCC), AEWS (AutoSys Web Server), SOAP Web Server, Common Services (Csam, CCI, etc.)

Embedded Entitlements Manager (EEM)

Workload Automation System Agent and Plugins

Workload Automation iXP

This determination is based on two factors...

1. The current GA versions of AutoSys are distributed with log4j 1.x (without JMSAppender enabled) and not log4j2. 

Per Apache's update on this vulnerability found here...

"Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability."

Note: In any of the log4j.xml/log4j.properties files distributed by AutoSys/WCC/iXP, search for the string "jms"; there should not be any such strings in our out-of-the-box configuration files.
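As an added example (not part of this article or of any Broadcom tool), a small Python audit that applies the check above to log4j 1.x configuration files: it flags any non-comment line in a log4j.properties file containing "jms" and any <appender> element in a log4j.xml file whose class refers to a JMS appender. The sample configurations and file names are constructed placeholders, not shipped AutoSys files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configurations (not shipped AutoSys files): a clean
# properties file and an XML file that declares a JMSAppender.
SAMPLE_PROPERTIES = """
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/app.log
"""

SAMPLE_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="logs/app.log"/>
  </appender>
  <appender name="queue" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="file"/></root>
</log4j:configuration>
"""

JMS_RE = re.compile(r"jms", re.IGNORECASE)

def findings_in_properties(text):
    """Return (line_no, line) for each non-comment line containing 'jms'."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if JMS_RE.search(stripped):
            hits.append((n, stripped))
    return hits

def findings_in_xml(text):
    """Return the names of <appender> elements whose class mentions 'jms'."""
    root = ET.fromstring(text)
    return [app.get("name", "<unnamed>") for app in root.iter("appender")
            if JMS_RE.search(app.get("class", ""))]

def audit(path, text):
    """Dispatch on file type and return human-readable findings."""
    if path.endswith(".xml"):
        return [f"{path}: appender '{n}' uses a JMS appender class"
                for n in findings_in_xml(text)]
    return [f"{path}:{n}: {line}" for n, line in findings_in_properties(text)]

if __name__ == "__main__":
    for p, t in (("log4j.properties", SAMPLE_PROPERTIES), ("log4j.xml", SAMPLE_XML)):
        for f in audit(p, t) or [f"{p}: no JMS appender reference found"]:
            print(f)
```

Run it against each log4j.properties and log4j.xml found under the product install directories; an empty result for every file matches the expectation stated in the note above.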

2. Simulated attacks were run against current GA code to confirm it is not vulnerable to RCE.

In light of these findings, Broadcom does not plan to update log4j in the current GA releases of AutoSys. However, it will be updated in future releases.

Should you have any further questions or concerns, please open a case with Support.

Additional Information

See Also...

For r12.0 and 12.0.1, patches are available to upgrade log4j, and EEM 12.6 CR04 uses log4j 2.x.

CVE-2021-45046 - log4j Vulnerability and AutoSys Workload Automation, Workload Automation Agents, And Workload Automation iXP
https://knowledge.broadcom.com/external/article?articleId=230677

CVE-2021-4104 - log4j Vulnerability and AutoSys Workload Automation, Workload Automation Agents, And Workload Automation iXP
https://knowledge.broadcom.com/external/article?articleId=230680