Status of AA's (Advanced Authentication's) investigation of impact (IF ANY) of CVE-2021-4104.
Release: 9.x
Component: AuthMinder (Arcot Webfort)
Reason for CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Refer to https://nvd.nist.gov/vuln/detail/CVE-2021-4104
The Advanced Authentication (AA) product is NOT vulnerable to CVE-2021-4104. Although AA does INCLUDE the Log4j 1.2.x version JARs, JMSAppender is not used in AA, so the vulnerable code path is not reachable.
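One way to confirm that a Log4j 1.x configuration does not reference JMSAppender, as an added example (not Broadcom's or AA's own tooling). The function names and the sample configurations are constructed for illustration; the check matches the exact class name only, so a custom subclass of JMSAppender would not be reported.

```python
import re
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# Matches "log4j.appender.<name> = <class>", not "log4j.appender.<name>.<option> = ..."
APPENDER_DEF = re.compile(r"^log4j\.appender\.([^.=:\s]+)\s*[=:]?\s*(\S+)")

def jms_in_properties(text):
    """Names of appenders bound to JMSAppender in log4j.properties text."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", "!")):  # commented-out lines configure nothing
            continue
        m = APPENDER_DEF.match(line)
        if m and m.group(2) == JMS_CLASS:
            names.append(m.group(1))
    return names

def jms_in_xml(text):
    """Names of <appender> elements bound to JMSAppender in log4j.xml text."""
    root = ET.fromstring(text)
    return [a.get("name") for a in root.iter("appender")
            if (a.get("class") or "").strip() == JMS_CLASS]

def scan(filename, text):
    """Pick the parser by file extension and return the JMSAppender names found."""
    if filename.lower().endswith(".xml"):
        return jms_in_xml(text)
    return jms_in_properties(text)

# Constructed sample inputs (not taken from any AA installation).
SAMPLE_PROPS_CLEAN = """\
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/app.log
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
SAMPLE_PROPS_JMS = SAMPLE_PROPS_CLEAN + """\
log4j.appender.audit = org.apache.log4j.net.JMSAppender
log4j.appender.audit.TopicBindingName=placeholderTopic
"""
SAMPLE_XML = """<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="queue" class="org.apache.log4j.net.JMSAppender"/>
</log4j:configuration>"""

if __name__ == "__main__":
    for name, text in [("clean.properties", SAMPLE_PROPS_CLEAN),
                       ("jms.properties", SAMPLE_PROPS_JMS), ("log4j.xml", SAMPLE_XML)]:
        print(name, "->", scan(name, text) or "no JMSAppender configured")
```

An empty result for every Log4j configuration file in a deployment is consistent with the statement above; because the CVE depends on write access to that configuration, file permissions on those files are worth reviewing at the same time.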
Refer to https://knowledge.broadcom.com/external/article?articleId=230301 for the Log4J Vulnerability, that is, beyond just this CVE-2021-4104.
Related AA KB links
1. Refer to consolidated AA KB for Log4J Vulnerability - https://knowledge.broadcom.com/external/article?articleId=230301