
CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105 / CVE-2021-4104 / CVE-2021-44832 - PAM, PIM and PAMSC LOG4J vulnerability.


Article ID: 230405


Products

CA Privileged Access Manager (PAM)

CA Privileged Identity Management Endpoint (PIM)

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Is PAM, PIM or PAMSC vulnerable to the flaw in the Apache Log4j 2 library JNDI lookup mechanism (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832 and/or CVE-2021-45105)? If so, what actions need to be taken to address the vulnerability?

Environment

PAM 3.4.0-3.4.5, 4.0.0-4.0.2

PAMSC 14.x

PIM 12.x and higher

 

Resolution

Please reload this document (and, if necessary, clear your browser cache) to see new updates. We will modify this document as the timeline changes.

  • PAM 3.4.0 - 3.4.5, 4.0 and 4.0.1:
    • If you are using, or plan to use, Service Desk Integration with any of these versions of PAM, see the following documentation for patch links and installation instructions:
    • If you are not using Service Desk Integration, you do not need the PAM_LOG4J_44228_45046 patch.
    • The older patch PAM_LOG4J_VULN only addressed CVE-2021-44228. If you have already applied that patch, you can apply PAM_LOG4J_44228_45046 on top of it.
    • PAM is not affected by CVE-2021-4104: PAM does not use the JMSAppender class.
    • PAM is not affected by CVE-2021-45105 or CVE-2021-44832: PAM does not use lookups in its log4j pattern layout, and the configuration file resides on the appliance and is not accessible.
  • PAM 3.4.6 includes the fix from the PAM_LOG4J_44228_45046 hotfix and is not vulnerable.
  • PAM 4.0.2 ships with log4j 2.17.1, the version that contains all of the fixes.
  • PAM 4.0 and 4.0.1 Utility Server (One PAM enabled):
    • PAM 4.0 introduces a new appliance type, the Utility Appliance, which requires a patch if the event forwarder component within the Utility Appliance is enabled.
    • The PAM 4.0 and 4.0.1 Event Forwarder patch addresses both CVE-2021-44228 and CVE-2021-45046.
    • If the event forwarder is disabled (unchecked), there is no need to patch it. Disabled is the default setting.
    • To verify whether it is enabled, go to PAM UI >> Configuration >> Logs >> Syslog.
    • If the "Enable Event Forwarder" option is checked, or you intend to enable it in the future, see the following documentation for patch links and installation instructions:
    • The PAM utility server is not affected by CVE-2021-4104.
    • The PAM utility server is not affected by CVE-2021-45105 or CVE-2021-44832: it does not use lookups in its log4j pattern layout, and the configuration file resides on the appliance and is not accessible.
  • Other PAM components, including PAM Management Console, PAM Threat Analytics, PAM A2A Client, PAM Socket Filter Agent (Windows/Unix), PAM Client and PAM Windows Proxy, are not affected by this vulnerability.
  • PAMSC 14.1: ENTM Server. Mitigation can be found here: PAMSC Log4j-2 CVE-2021-44228 Vulnerability and mitigation (broadcom.com)
  • PAMSC 14.1: Distribution Servers and Endpoints are not vulnerable.
  • PIM 12.8: ENTM and Distribution servers. The product ships with older log4j versions that are not susceptible to this vulnerability.
      • PIM 12.8 versions are NOT vulnerable to CVE-2021-4104. (We do not use JMSAppender in our code.)
  • PIM 12.9: ENTM and Distribution servers. Mitigation can be found here: PIM 12.9.x Log4j-2 CVE-2021-44228 Vulnerability and mitigation (broadcom.com)
  • PIM 14.0: ENTM and Distribution servers. Mitigation can be found here: PIM 14.0 Log4j-2 CVE-2021-44228 Vulnerability and mitigation (broadcom.com)
  • PIM 12.x: Endpoints are not vulnerable.
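The reasoning above rules out CVE-2021-45105, CVE-2021-44832 and CVE-2021-4104 by inspecting how log4j is configured (no lookups in the pattern layout, no JMSAppender) and by the shipped log4j-core version (2.17.1 carries all the fixes). The script below is an added example, not Broadcom's code and not part of PAM, PIM or PAMSC, that applies the same checks to a Log4j 2 XML configuration you control: it flags `${...}` lookups inside PatternLayout patterns, a JDBC appender whose DataSource comes from JNDI, and any JMS appender, and it checks a log4j-core jar name against 2.17.1. The two sample configurations, the finding-to-CVE mapping and the function names are constructed for this example. The advisory's other condition, that the configuration file is not reachable by an attacker, is an access-control question this script cannot decide.

```python
"""Audit a Log4j 2 XML configuration for the conditions the advisory relies on.

Added example, not Broadcom's code. Sample configurations and the
finding-to-CVE mapping are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Matches a ${...} lookup token such as ${ctx:loginId} or ${env:HOME}.
# A plain MDC reference like %X{loginId} is not a lookup and is not matched.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")

# Which configuration finding keeps which CVE from being ruled out.
FINDING_TO_CVE = {
    "pattern_lookups": "CVE-2021-45105",   # lookups in the pattern layout
    "jndi_datasource": "CVE-2021-44832",   # JDBC appender with a JNDI DataSource
    "jms_appender": "CVE-2021-4104",       # JMSAppender present
}

# Constructed sample: a configuration that trips all three checks.
WEAK_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] ${ctx:loginId} %m%n"/>
    </Console>
    <JDBC name="Db" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JMS name="Queue" destinationBindingName="MyQueue"/>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the shape the advisory describes, with no lookups,
# using the <Pattern> child form and a plain %X MDC reference.
CLEAN_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <RollingFile name="File" fileName="app.log" filePattern="app-%i.log">
      <PatternLayout>
        <Pattern>%d %p %c{1.} [%t] %X{loginId} %m%n</Pattern>
      </PatternLayout>
      <SizeBasedTriggeringPolicy size="10MB"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="File"/></Root>
  </Loggers>
</Configuration>
"""


def audit_log4j2_config(xml_text):
    """Return one list per finding; all lists empty means the configuration
    itself gives no foothold for the three CVEs."""
    root = ET.fromstring(xml_text)
    findings = {key: [] for key in FINDING_TO_CVE}
    for el in root.iter():
        tag = el.tag.lower()  # Log4j 2 plugin names are case-insensitive
        if tag == "patternlayout":
            # The pattern may be an attribute or a <Pattern> child element.
            pattern = el.get("pattern") or el.findtext("Pattern") or ""
            findings["pattern_lookups"].extend(LOOKUP_RE.findall(pattern))
        elif tag == "datasource" and el.get("jndiName"):
            findings["jndi_datasource"].append(el.get("jndiName"))
        elif tag.startswith("jms") or "jmsappender" in (el.get("class") or "").lower():
            # Covers the Log4j 2 <JMS> plugin and a Log4j 1.x class="...JMSAppender".
            findings["jms_appender"].append(el.tag)
    return findings


def cves_not_ruled_out(findings):
    """CVEs the configuration alone cannot rule out, sorted."""
    return sorted(cve for key, cve in FINDING_TO_CVE.items() if findings[key])


def log4j_core_version_has_all_fixes(jar_name):
    """True if a log4j-core jar file name is 2.17.1 or later, the version the
    advisory names as containing all of the fixes."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", jar_name)
    if not m:
        return False
    return tuple(int(x) for x in m.groups()) >= (2, 17, 1)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("clean", CLEAN_CONFIG)):
        found = audit_log4j2_config(cfg)
        print(name, found, cves_not_ruled_out(found))
    print(log4j_core_version_has_all_fixes("log4j-core-2.17.1.jar"))
```

Run it against your own log4j2.xml by passing the file contents to `audit_log4j2_config`; an empty result for every key reproduces the first half of the advisory's argument, and the version check covers the case where the installed log4j-core is already 2.17.1 or later.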

 

Additional Information

https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793

 
