search cancel

CVE-2021-44228: CA NIM SM 3.2.x log4j vulnerability

book

Article ID: 230345

calendar_today

Updated On:

Products

DX Operational Intelligence CA Spectrum DX Unified Infrastructure Management (Nimsoft / UIM) CA Unified Infrastructure Management SaaS (Nimsoft / UIM) CA Service Operations Insight (SOI) CA Identity Governance Application Lifecycle Conductor Compliance Event Manager Trusted Access Manager for Mainframe

Issue/Introduction

CA NIM SM 3.2 is affected by the log4j vulnerability that was announced recently -

CVE-2021-44228:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and
parameters do not protect against attacker controlled LDAP and other JNDI related
endpoints. An attacker who can control log messages or log message parameters can
execute arbitrary code loaded from LDAP servers when message lookup substitution is
enabled

The software products in Broadcom using NIM in different Business Units and Product Segments are:
 

AIOps: DXI/DOI, Spectrum, Unified Infrastructure Management (UIM), Services Operations Intelligence (SOI)

CA Security: Identity Management & Governance (IMAG), Privileged Access Management (PAM)

MFD: Application Lifecycle Conductor(ALC), Trusted Access Manager for Z/ os, Compliance Event Manager, Ops/Mvs

 

Environment

Normalized Integration Management (NIM) for Service Management (SM)

is a solution that is built to consolidate and standardize the way Broadcom products integrate with various service management systems.

Release: NIM SM 3.2.324 to NIM SM 3.2.330

Cause

This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1

Resolution

We have addressed CVE-2021-44228 critical vulnerability by upgrading with Log4j-2.17.0 for the NIM component.


Please find the latest NIM war (NIM SM 3.2.331 version) attached to this techdoc:

 

Note - for Spectrum it is recommended that you upgrade to the current GA version because this patch only addresses one point of exposure.

or follow this techdoc:

https://knowledge.broadcom.com/external/article?articleId=230231

***************

Here are the steps to implement it:

  1. Stop tomcat
  2. Take backup of existing ca-nim-sm.war and ca-nim-sm folder from $SPECROOT\tomcat\webapps path.
  3. After taking backup, delete existing ca-nim-sm.war file and ca-nim-sm folder from $SPECROOT\tomcat\webapps path.
  4. Place the new war file and Start tomcat
  5. Verify ca-nim-sm.war file is extracted in the same path to ca-nim-sm folder
  6. From the nim-version.xml file verify that the nim version is 3.2.0.331.

these steps are targeted for spectrum, replace your directories and paths for the applicable product.

 

 

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

 

Attachments

ca-nim-sm_1647367003739.war get_app