Are any of the components of AutoSys Workload Automation affected by the log4j vulnerability that was announced recently - CVE-2021-44228?
All GA Versions of...
AutoSys Workload Automation (11.3.5, 11.3.6.x, 12.0, 12.0.1)
Workload Automation Agents (11.3.x, 11.4.x, 11.5, 12.0)
Workload Automation iXP (11.3.x, 11.4)
Broadcom Engineering has confirmed that all GA versions of the following AutoSys components and related products are not affected by this vulnerability...
AutoSys Workload Automation - Scheduler, Application Server, Client, WebUI (WCC), AEWS (AutoSys Web Server), SOAP Web Server, Common Services (CSAM, CCI, etc.)
Embedded Entitlements Manager (EEM)
Workload Automation System Agent and Plugins
Workload Automation iXP
This determination is based on two factors...
1. The current GA versions of AutoSys are distributed with log4j 1.x (without JMSAppender enabled) and not log4j2.
Per Apache's update on this vulnerability found here...
"Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability."
Note: In any log4j.xml or log4j.properties file distributed by AutoSys/WCC/iXP, search for the string "jms"; there should not be any such string in the out-of-the-box configuration files.
2. Simulated attacks were run against current GA code to confirm it is not vulnerable to RCE.
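The audit described in factor 1, written out as an added example (not part of the Broadcom article): it scans log4j.xml and log4j.properties files line by line for "jms" (the article's suggested search) and also for "jndi", an added stricter check for the same CVE-2021-4104 condition. The sample configurations below are constructed for illustration and are not the product's shipped files.

```python
import re
from pathlib import Path

# "jms" is the string the vendor note says to search for; "jndi" is an added
# check, since log4j 1.x is only exposed when JNDI is used in its configuration.
RISK_PATTERN = re.compile(r"jms|jndi", re.IGNORECASE)
CONFIG_NAMES = ("log4j.xml", "log4j.properties")


def find_jms_references(text):
    """Return (line_number, stripped_line) for every line mentioning JMS or JNDI."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(text.splitlines(), start=1)
        if RISK_PATTERN.search(line)
    ]


def audit_configs(configs):
    """configs: mapping of file path -> file text. Returns only files with findings."""
    findings = {}
    for name, text in configs.items():
        hits = find_jms_references(text)
        if hits:
            findings[name] = hits
    return findings


def load_configs(root):
    """Collect log4j 1.x config files under a directory tree (hypothetical root path)."""
    return {
        str(p): p.read_text(errors="replace")
        for p in Path(root).rglob("*")
        if p.name in CONFIG_NAMES
    }


# Constructed samples: a file appender only (expected clean) and a JMSAppender (flagged).
CLEAN_PROPERTIES = """log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/server.log
"""
RISKY_PROPERTIES = """log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for path, hits in audit_configs(load_configs(".")).items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: {line}")
```

Run it from the product's configuration directory; any printed line means the file needs review, since the shipped configurations should produce no output.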
In light of these findings, Broadcom does not plan to update log4j in the current GA releases of AutoSys. However, it will be updated in future releases.
Should you have any further questions or concerns, please open a case with Support.
For r12.0 and 12.0.1, patches are available to upgrade log4j; EEM 12.6 CR04 uses log4j 2.x.
Related articles:
CVE-2021-45046 - log4j Vulnerability and AutoSys Workload Automation, Workload Automation Agents, and Workload Automation iXP
CVE-2021-4104 - log4j Vulnerability and AutoSys Workload Automation, Workload Automation Agents, and Workload Automation iXP