CA NIM SM 3.2 is affected by the log4j vulnerability that was announced recently -
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and
parameters do not protect against attacker controlled LDAP and other JNDI related
endpoints. An attacker who can control log messages or log message parameters can
execute arbitrary code loaded from LDAP servers when message lookup substitution is
AIOps: DXI/DOI, Spectrum, Unified Infrastructure Management (UIM), Services Operations Intelligence (SOI)
CA Security: Identity Management & Governance (IMAG), Privileged Access Management (PAM)
MFD: Application Lifecycle Conductor(ALC), Trusted Access Manager for Z/ os, Compliance Event Manager, Ops/Mvs
Normalized Integration Management (NIM) for Service Management (SM)
is a solution that is built to consolidate and standardize the way Broadcom products integrate with various service management systems.
Release: NIM SM 3.2.324 to NIM SM 3.2.330
This vulnerability affects all versions of log4j from 2.0-beta9 to 2.14.1
We have addressed CVE-2021-44228 critical vulnerability by upgrading with Log4j-2.17.0 for the NIM component.
Please find the latest NIM war (NIM SM 3.2.331 version) attached to this techdoc:
Note - for Spectrum it is recommended that you upgrade to the current GA version because this patch only addresses one point of exposure.
or follow this techdoc:
Here are the steps to implement it:
these steps are targeted for spectrum, replace your directories and paths for the applicable product.