
Impact of CVE-2021-45046 on Siteminder


Article ID: 230654


Products

CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

Per CVE-2021-45046, Apache Log4j2 is vulnerable to a denial of service attack when the logging configuration uses a Pattern Layout with either a Thread Context Message Pattern or a Context Lookup Pattern. The Apache organization has determined that the fix in Log4j 2.15.0 for CVE-2021-44228 was incomplete in certain non-default configurations.

Siteminder implements Log4j2 in the default configuration and does not use a Thread Context Message Pattern or a Context Lookup Pattern, either of which requires explicit configuration. As a result, CVE-2021-45046 does not impact Siteminder's default installed implementation of Log4j2. Thus, no mitigation is needed in Siteminder for this particular CVE.
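Because the exposure hinges on an explicitly configured pattern, the practical check is to inspect the Log4j2 configuration files actually deployed. The following script is an added example, not part of this article or of the SiteMinder product: it scans a Log4j2 XML configuration for the non-default PatternLayout elements that CVE-2021-45046 depends on, the Thread Context Map conversion patterns (%X, %mdc, %MDC) and Context Lookups (${ctx:...}). The two embedded configurations are constructed samples, not SiteMinder's shipped files.

```python
"""Flag Log4j2 PatternLayout patterns that CVE-2021-45046 depends on."""
import re
import xml.etree.ElementTree as ET

# Conversion patterns and lookups named in the CVE-2021-45046 description.
RISKY_PATTERNS = [
    re.compile(r"%(X|mdc|MDC)\b"),               # Thread Context Map pattern
    re.compile(r"\$\$?\{ctx:", re.IGNORECASE),   # Context Lookup, ${ctx:..} or $${ctx:..}
]

def _local(tag: str) -> str:
    """Strip any XML namespace and lower-case the tag (Log4j2 tags are case-insensitive)."""
    return tag.split("}")[-1].lower()

def layout_patterns(config_xml: str) -> list:
    """Return every pattern string used by a PatternLayout in the config.
    Log4j2 accepts the pattern as an attribute or as a nested <Pattern> element."""
    found = []
    for elem in ET.fromstring(config_xml).iter():
        if _local(elem.tag) != "patternlayout":
            continue
        if elem.attrib.get("pattern") is not None:
            found.append(elem.attrib["pattern"])
        for child in elem:
            if _local(child.tag) == "pattern" and child.text:
                found.append(child.text.strip())
    return found

def risky_patterns(config_xml: str) -> list:
    """Return the patterns that reference the thread context map or a ctx lookup."""
    return [p for p in layout_patterns(config_xml)
            if any(rx.search(p) for rx in RISKY_PATTERNS)]

# Constructed sample configurations (not SiteMinder's own log4j2 configuration).
DEFAULT_STYLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="c"><PatternLayout pattern="%d %p %c - %m%n"/></Console>
  </Appenders>
</Configuration>"""
CONTEXT_CONFIG = """<Configuration>
  <Appenders>
    <File name="f" fileName="app.log">
      <PatternLayout><Pattern>%d %p user=%X{loginId} $${ctx:session} - %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE_CONFIG), ("context", CONTEXT_CONFIG)):
        hits = risky_patterns(cfg)
        print(f"{name}: {'REVIEW' if hits else 'not affected by CVE-2021-45046'} {hits}")
```

A hit means the layout is non-default and the 2.15.0 fix alone is not sufficient; a clean result only covers the XML configurations scanned, not patterns set programmatically.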


Resolution

As mentioned in the description, CVE-2021-45046 does not impact Siteminder's default installed implementation of Log4j2. Thus, no mitigation is needed in Siteminder for this particular CVE.

Siteminder's Log4j implementation is affected by CVE-2021-44228. Full information, including specific mitigation steps, is available in KB Article ID: 230270, which can be found here:
CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability