Symantec products may be susceptible to a flaw in the JNDI lookup mechanism of the Apache Log4j 2 library (CVE-2021-44228, "Log4Shell"). A remote attacker who can cause Log4j to log a crafted string can execute arbitrary code on the target system.
Is VIP Authentication Hub product vulnerable to this?
Release : 1.0
Component : VIP Authentication Hub
SSP is not affected, but the Hazelcast image used in the AuthHub solution is vulnerable.
Apache has advised that the environment variable mitigation (setting LOG4J_FORMAT_MSG_NO_LOOKUPS=true) does not address all of the Log4j vulnerabilities, so that guidance has been removed from this article. The firewall and egress controls usually in place for an AuthHub deployment offer some protection, because the exploit depends on an outbound JNDI (LDAP or RMI) connection from the logging host to an attacker-controlled server; they are a defence-in-depth measure, not a replacement for the upgrade described below.
To mitigate the Log4j vulnerabilities, the AuthHub solution has been upgraded to Log4j 2.17, which ships in the new 2021.Nov.03 release now available.
CVE-2021-45046 : We have investigated this CVE as well and found no direct exposure to it in the way the product uses Log4j.
CVE-2021-44832 : We have investigated this CVE as well and found no direct exposure to it in the way the product uses Log4j. The Auth Hub product is not vulnerable to this CVE.
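After upgrading, a practitioner will want to confirm that the log4j-core jar actually shipped in the Hazelcast image (and any other AuthHub component) is at or above the fixed versions, rather than trusting the release notes. The following audit script is an added example written for this article; it is not Broadcom code and not part of the AuthHub product. It assumes, as is standard for Apache releases, that log4j-core records its version in `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, and it applies Apache's published fix thresholds for the main 2.x line (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046, 2.17.0 for CVE-2021-45105, 2.17.1 for CVE-2021-44832). The sample jars it checks are constructed in memory as fixtures. The `build_sample_jar` helper and the fixture contents are assumptions for the demonstration; only `audit_jar` is meant for real files.

```python
"""Audit log4j-core jars for the Log4j 2 JNDI lookup CVEs discussed above.

Added example for this article; not Broadcom/AuthHub code.
"""
import io
import re
import zipfile

# Version at which each CVE is fixed on the main log4j-core 2.x line.
# The 2.12.x (Java 7) and 2.3.x (Java 6) backport branches are not modelled here;
# check those against Apache's advisory separately.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),   # original JNDI lookup RCE ("Log4Shell")
    "CVE-2021-45046": (2, 16, 0),   # incomplete fix, Thread Context lookup patterns
    "CVE-2021-45105": (2, 17, 0),   # uncontrolled recursion in lookups (DoS)
    "CVE-2021-44832": (2, 17, 1),   # JDBC appender JNDI data source
}
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.17.1' into (2, 17, 1); tolerate suffixes such as '2.0-beta9'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_core_version(jar):
    """Return the log4j-core version from the jar's Maven pom.properties, or None."""
    if POM_PROPS not in jar.namelist():
        return None
    for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def audit_jar(data):
    """Report which of the four CVEs a jar (given as bytes) is still exposed to."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = log4j_core_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None:
        # Not a log4j-core jar (or a shaded copy without Maven metadata): report, don't guess.
        return {"log4j_core": None, "jndi_lookup_present": has_jndi, "open_cves": []}
    open_cves = sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)
    # Deleting JndiLookup.class neutralises the JNDI lookup issues (44228/45046)
    # on older versions; it does nothing for 45105 or 44832.
    if not has_jndi:
        open_cves = [c for c in open_cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return {"log4j_core": version, "jndi_lookup_present": has_jndi, "open_cves": open_cves}


def build_sample_jar(version, include_jndi_class=True):
    """Construct a minimal fake log4j-core jar in memory (constructed fixture, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            POM_PROPS,
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version,
        )
        if include_jndi_class:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    # Sample runs over constructed fixtures; for a real image, pass open(path, "rb").read().
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.17.1", True)):
        print(ver, "JndiLookup present" if jndi else "JndiLookup removed", audit_jar(build_sample_jar(ver, jndi)))
```

To use it against a deployment, extract the filesystem of the Hazelcast (or other) container image, pass every `log4j-core*.jar` to `audit_jar`, and treat any non-empty `open_cves` list as a failed upgrade. Two caveats: log4j is often embedded inside fat jars or shaded into other artifacts, which this script does not unpack, so search for the `JndiLookup.class` and `pom.properties` paths inside nested archives as well; and a result of `None` for `log4j_core` means the metadata was absent, not that the jar is safe.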
The following documentation outlines the steps to upgrade to the most recent build:
Upgrading VIP Authentication Hub