CVE-2019-17571 - Is CA Embedded Entitlements Manager(EEM) affected by this vulnerability?

Article ID: 230854

Products

CA Service Operations Insight (SOI)

Issue/Introduction

Is EEM exposed to this vulnerability, CVE-2019-17571?

Are any steps needed to remediate it?

Environment

CA Embedded Entitlements Manager(EEM)

All Supported Versions

Cause

CVE-2019-17571 Detail

Log4j 1.2 includes a SocketServer class that deserializes untrusted data. When the server is listening for log data on untrusted network traffic, this can be combined with a deserialization gadget to execute arbitrary code remotely. This affects Log4j versions 1.2 through 1.2.17.

Resolution

EEM 12.6.4 now ships with Log4j 2.17.1 to remediate Log4j vulnerabilities.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/other/Embedded-Entitlements-Manager/12-6/release-notes/CA-Embedded-Entitlements-Manager-12-6-4-0-Release-Notes.html#concept.dita_132e98df-e066-4fe1-bcc6-cccd666ea02a_FixedIssues


This vulnerability is specific to the SocketServer class in the Log4j library.

Although SOI ships the 1.x version of Log4j, the Log4j capability to receive log events over the network through its SocketServer class (where the vulnerability exists) is not enabled.

Therefore, EEM is not impacted by CVE-2019-17571.

No steps needed.
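As an added example (not Broadcom's or the Log4j project's code), a host-side check in Python that mirrors the reasoning above: a host counts as exposed only when a jar bundling org.apache.log4j.net.SocketServer is on disk and a JVM was actually launched with the SocketServer or SimpleSocketServer main class. The jar and the process command lines it inspects are constructed samples, and reading Implementation-Version from MANIFEST.MF for the version lookup is an assumption.

```python
import os
import re
import tempfile
import zipfile

# Log4j 1.2.x main classes that open a listening socket and deserialize LoggingEvents.
LISTENER_CLASSES = ("org.apache.log4j.net.SocketServer", "org.apache.log4j.net.SimpleSocketServer")
FLAWED_CLASS = "org/apache/log4j/net/SocketServer.class"

def log4j1_version(jar_path):
    """Return the version declared in a jar that bundles SocketServer, else None."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if FLAWED_CLASS not in names:
            return None  # jar does not carry the vulnerable class at all
        # Assumption: Log4j 1.x jars declare Implementation-Version in the manifest.
        manifest = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest.decode("utf-8", "replace"), re.M)
    return m.group(1) if m else "unknown"

def listening_processes(cmdlines):
    """Return the JVM command lines that launched a Log4j 1.x socket server."""
    return [c for c in cmdlines if any(cls in c.split() for cls in LISTENER_CLASSES)]

def assess(jar_paths, cmdlines):
    """Exposed only if vulnerable code is on disk AND a listener was actually started."""
    jars = {str(p): v for p in jar_paths if (v := log4j1_version(p)) is not None}
    listeners = listening_processes(cmdlines)
    return {"log4j1_jars": jars, "listeners": listeners,
            "exposed": bool(jars) and bool(listeners)}

def build_sample_jar(version, with_socket_server=True):
    """Constructed stand-in for a Log4j jar so the check runs offline (not a real artifact)."""
    path = os.path.join(tempfile.mkdtemp(), f"log4j-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_socket_server:
            jar.writestr(FLAWED_CLASS, b"")  # presence is all the check needs
    return path

# Constructed process command lines: only the second one starts a socket server.
SAMPLE_CMDLINES = [
    "java -cp lib/log4j-1.2.17.jar:app.jar com.example.App",
    "java -cp lib/log4j-1.2.17.jar org.apache.log4j.net.SimpleSocketServer 4560 log4j.properties",
]

if __name__ == "__main__":
    jar = build_sample_jar("1.2.17")
    print(assess([jar], SAMPLE_CMDLINES))      # exposed: True (listener running)
    print(assess([jar], SAMPLE_CMDLINES[:1]))  # exposed: False (jar present, no listener)
```

On a real host, feed the paths of every log4j*.jar found and the command lines of running java processes in place of the constructed samples.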

Additional Information


https://nvd.nist.gov/vuln/detail/CVE-2019-17571


Related article: CVE-2019-17571 - Is Service Operations Insight (SOI) affected by this vulnerability?

https://knowledge.broadcom.com/external/article/230849/