
CVE-2021-44228: Is CA PKI affected by the log4j zero day vulnerability?


Article ID: 230417


Updated On:

Products

CA Spectrum; DX Unified Infrastructure Management (Nimsoft / UIM); CA Service Desk Manager; CA Service Management - Service Desk Manager; CA Client Automation; CA Client Automation - IT Client Manager; CA Workload Automation DE - System Agent (dSeries); CA Workload Automation AE - System Agent (AutoSys); CA Workload Automation AE - Business Agents (AutoSys); CA Workload Automation AE - Scheduler (AutoSys); CA Directory; CA Identity Manager; SITEMINDER; CA Secure Cloud SaaS - Single Sign On; CA Secure Cloud SaaS - Identity Management; CA Secure Cloud SaaS - Arcot A-OK (WebFort); CA Secure Cloud SaaS - Advanced Authentication; CA Privileged Identity Management Endpoint (PIM); Gen; XCOM - SUPPORT; XCOM Data Transport; Common Services; Automation Point

Issue/Introduction

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Environment

CA PKI Releases : 5.6.5, 5.6.6 and 5.6.7 

Resolution

CA PKI (all versions) does not use the Apache Log4j component, so it is not impacted by the CVE-2021-44228 vulnerability.
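A "not affected" statement like this one can be checked on an installed system by looking for the Log4j 2 core library inside the product's archives. The script below is an added example, not Broadcom's code or tooling; the function names and the directory passed on the command line are assumptions, and the version is read from the Maven metadata that log4j-core JARs normally carry.

```python
import io, re, sys, zipfile
from pathlib import Path

# Class that implements the JNDI lookup described in the Issue section.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
LAST_AFFECTED = (2, 14, 1)  # upper bound stated on this page: Log4j2 <= 2.14.1

def core_version(zf):
    """Return (major, minor, patch) from the embedded Maven metadata, or None."""
    try:
        text = zf.read(POM).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(map(int, m.groups())) if m else None

def scan_archive(data, label, findings):
    """Record archives that contain JndiLookup.class; recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return findings  # not a readable archive, nothing to report
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            ver = core_version(zf)
            # Unknown version (e.g. shaded into a fat JAR) is flagged for review.
            in_range = ver is None or ver <= LAST_AFFECTED
            findings.append((label, ver, in_range))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                scan_archive(io.BytesIO(zf.read(n)), f"{label}!{n}", findings)
    return findings

def scan_tree(root):
    """Scan every .jar/.war/.ear under root; return (path, version, in_range)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            scan_archive(str(p), str(p), findings)
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for label, ver, in_range in hits:
        shown = ".".join(map(str, ver)) if ver else "unknown"
        print(f"{'REVIEW' if in_range else 'present'}\t{shown}\t{label}")
    sys.exit(1 if hits else 0)
```

An empty result and exit status 0 for the installation directory is consistent with the statement above; any line printed means a Log4j 2 core JAR is present and should be checked against the NVD entry.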

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2021-44228