Critical Vulnerability CVE-2021-44228 was announced today:
This exploit would allow malice code to read from an LDAP directory through log4j JNDI framework.
Is the Symantec Directory vulnerable to CVE-2021-44228?
Release : 12.6.x, 14.0.x, 14.1.x
Component : CA Directory
Except for version 12.6.x, Symantec Directory does not use log4j for any purpose and it is not included with the software.
Symantec Directory 12.6.x: This version is EOS (End Of Service). Additionally, Directory 12.6.x did not use the currently vulnerable log4j 2.x version. The optional DXmanager component of Directory 12.6.x did include the old log4j 1.2.x version. However, the core Directory product (DXserver) did not include any version of log4j.
As this vulnerability does not apply to the previous log4j 1.2.x version, there should be no concern for customers. For additional safety, if you are using the DXmanager component, Symantec recommends that you upgrade to the latest version of Directory (14.1) whether or not you have Extended Support for this EOS product version.
If you are not using the DXmanager component with Symantec Directory 12.6.x (and only using DXserver), you are not at risk from this vulnerability.
Broadcom is continuing to monitor and investigate potential impacts from this vulnerability and this KB will be updated if necessary.