Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Harvest is not affected by this vulnerability. The log4j jar files bundled with Harvest do contain the Java classes identified in recent vulnerability reports, but the Harvest software does not use those Java classes.
The log4j-1.2.12.jar file in the Harvest installation folder can be deleted.
However, the same log4j-1.2.12.jar file is also embedded inside another jar file in the installation, named “com.ca.harvest.cmsdk.<version>.jar”. We are not able to make any changes to that file because it carries a digital signature; any change would break the file.
The only answer if you want to eliminate all log4j classes that are older than 2.17 is to upgrade to Harvest version 14.0.2. With this latest version, things have been adjusted so that:
The RestAPI interface includes the below jars in the deployment
Important:
The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.
Log4j core is not bundled in the Harvest Rest API deployment.
CA Harvest Software Change Manager (all supported versions) is not affected by this vulnerability (CVE-2021-4104), as it only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not used in Harvest.
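As an added check, not part of this advisory or of the Harvest product, the Python script below inventories which Log4j marker classes an installation actually carries (the JndiLookup class of log4j-core 2.x and the JMSAppender class of log4j 1.2.x named above), descending into jars nested inside other jars, as with the log4j-1.2.12.jar embedded in com.ca.harvest.cmsdk.<version>.jar. The sample jar it builds is constructed for demonstration, and the installation path you pass to scan_install_dir is an assumption you supply.

```python
import io
import os
import zipfile

# Marker classes: JndiLookup is log4j-core 2.x (CVE-2021-44228), JMSAppender is log4j 1.2.x (CVE-2021-4104).
MARKER_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core 2.x JndiLookup",
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.2.x JMSAppender",
}

def scan_jar_bytes(data: bytes, path: str) -> list:
    """Return (location, marker) pairs for one in-memory jar, recursing into jars
    nested inside it; nested locations are reported as outer.jar!inner/path.jar."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip container, so it carries no class files
    findings = []
    with zf:
        for name in zf.namelist():
            if name in MARKER_CLASSES:
                findings.append((path, MARKER_CLASSES[name]))
            elif name.lower().endswith(".jar"):
                findings.extend(scan_jar_bytes(zf.read(name), f"{path}!{name}"))
    return findings

def scan_install_dir(root: str) -> list:
    """Walk an installation folder and scan every .jar found, nested ones included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(".jar"):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_jar_bytes(fh.read(), full))
    return findings

def build_sample_nested_jar() -> bytes:
    """Constructed input (not a real Harvest file): outer jar embedding log4j-1.2.12.jar with placeholder class bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("lib/log4j-1.2.12.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for location, marker in scan_jar_bytes(build_sample_nested_jar(), "cmsdk-SAMPLE.jar"):
        print(f"{location}: {marker}")
```

On a real host, call scan_install_dir("<harvest install dir>") instead of the sample; a log4j 1.2.x hit only matters if a configuration actually enables JMSAppender, which is the condition the advisory states.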
Supporting reference link:
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
Other components:
Harweb Interface:
Log4j version used is 1.2.12 and is not impacted by this vulnerability.
Mobile Interface:
Log4j version used is 1.2.14 and is not impacted by this vulnerability.
Workbench and Plug-in for Eclipse:
Log4j version used is 1.2.12 in Workbench and the Plug-in for Eclipse, and it is not impacted by this vulnerability.