Per CVE-2021-45046, Apache Log4j2, when the logging configuration uses a Pattern Layout with either Thread Context Message Pattern or Context Lookup Pattern, is vulnerable to a denial of service attack. The Apache organization has determined that the fix within Log4j 2.15.0 to address CVE-2021-44228 was incomplete in certain non-default configurations.
Siteminder implements Log4j2 in the default configuration and does not use Thread Context Message Pattern or Context Lookup Pattern, either of which requires explicit configuration. As a result, CVE-2021-45046 does not impact Siteminder’s default installed implementation of Log4j2. Thus, no mitigation is needed in Siteminder for this particular CVE.
As mentioned in the description, CVE-2021-45046 does not impact Siteminder’s default installed implementation of Log4j2. Thus, no mitigation is needed in Siteminder for this particular CVE.
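Because the statement above applies only to the default configuration, a customized Log4j2 configuration is worth checking. The following is an added example, not Broadcom or Apache code: it scans an XML-format Log4j2 configuration for the two constructs named in the CVE description, the Thread Context Map conversion patterns (`%X`, `%mdc`, `%MDC`) and Context Lookups (`${ctx:...}`). The function name and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Thread Context Map conversion patterns: %X, %mdc, %MDC, with optional
# format modifiers such as %-20X{user}. Lowercase %xEx is unrelated.
MDC_PATTERN = re.compile(r"%(?:-?\d+)?(?:\.-?\d+)?(?:X|mdc|MDC)")
# Context Lookup: ${ctx:key} or the escaped form $${ctx:key}.
# Matched case-insensitively to be conservative.
CTX_LOOKUP = re.compile(r"\$\{ctx:", re.IGNORECASE)


def scan_log4j2_xml(xml_text):
    """Return (element tag, where, kind, matched text) for each finding."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Check every attribute value plus element text, so patterns held in
        # <Property> definitions or nested <Pattern> elements are covered.
        values = [("@" + k, v) for k, v in elem.attrib.items()]
        if elem.text and elem.text.strip():
            values.append(("text", elem.text))
        for where, value in values:
            literal = value.replace("%%", "")  # %% is a literal percent sign
            for kind, rx in (("thread-context-map", MDC_PATTERN),
                             ("context-lookup", CTX_LOOKUP)):
                for m in rx.finditer(literal):
                    findings.append((elem.tag, where, kind, m.group(0)))
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """<Configuration>
  <Properties>
    <Property name="AUDIT_PATTERN">%d %p ${ctx:loginId} %m%n</Property>
  </Properties>
  <Appenders>
    <Console name="Plain">
      <PatternLayout pattern="%d [%t] %-5p %c - %m%xEx%n"/>
    </Console>
    <Console name="WithMdc">
      <PatternLayout pattern="%d %-10X{user} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for tag, where, kind, text in scan_log4j2_xml(SAMPLE_CONFIG):
        print(f"{kind}: <{tag}> {where} contains {text!r}")
```

An empty result means neither construct appears in the scanned file; configurations in properties, JSON or YAML format need a separate check.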
Siteminder's Log4j implementation is affected by CVE-2021-44228. Full information, including specific mitigation steps, is available in KB Article ID: 230270. This article can be found here:
CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability