Any impact to AA of CVE-2021-4104 with respect to Log4J Vulnerability?

Article ID: 230912

Updated On:

Products

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

Status of the Advanced Authentication (AA) investigation into the impact, if any, of CVE-2021-4104.

Environment

Release: 9.x

Component: AuthMinder (Arcot WebFort)

Cause

Reason for CVE-2021-4104:
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Refer to https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Resolution

The Advanced Authentication product (AA) is NOT vulnerable to CVE-2021-4104. Although AA does include the Log4j 1.2.x JARs, JMSAppender is not used in AA, and AA is therefore not vulnerable.

Refer to https://knowledge.broadcom.com/external/article?articleId=230301 for the consolidated AA KB on the Log4J Vulnerability, that is, beyond just this CVE-2021-4104.
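To check the "JMSAppender is not being used" condition on a given installation, the following added example (not Broadcom's or this article's own code) scans a directory tree for Log4j 1.x configuration files and lists any appender declared with the exact class `org.apache.log4j.net.JMSAppender`. The function names, the file-name filter and the sample inputs are assumptions constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# Log4j 1.x properties syntax: log4j.appender.<name>=<fully.qualified.Class>
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)\s*$")

def jms_in_properties(text):
    """Names of appenders declared as JMSAppender in log4j.properties text."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash continuations
    lines = [l for l in text.splitlines() if not l.lstrip().startswith(("#", "!"))]
    matches = (APPENDER_RE.match(l) for l in lines)
    return [m.group(1) for m in matches if m and m.group(2) == JMS_CLASS]

def jms_in_xml(data):
    """Names of <appender class="...JMSAppender"> elements in log4j.xml content."""
    root = ET.fromstring(data)
    return [a.get("name") for a in root.iter("appender")
            if a.get("class") == JMS_CLASS]

def scan_tree(top):
    """Map config path -> JMSAppender names for each log4j config under top."""
    hits = {}
    for dirpath, _dirs, files in os.walk(top):
        for fn in files:
            low = fn.lower()
            if "log4j" not in low or not low.endswith((".properties", ".xml")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:  # .properties files are ISO-8859-1 per the Java spec
                names = (jms_in_xml(data) if low.endswith(".xml")
                         else jms_in_properties(data.decode("latin-1")))
            except ET.ParseError:
                names = ["<unparseable XML, review manually>"]
            if names:
                hits[path] = names
    return hits

# Constructed samples (not taken from an AA installation).
SAMPLE_PROPS = ("# log4j.appender.OLD=org.apache.log4j.net.JMSAppender\n"
                "log4j.appender.BUS = org.apache.log4j.net.JMSAppender\n")
SAMPLE_XML = ('<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">'
              '<appender name="jms" class="org.apache.log4j.net.JMSAppender"/>'
              '</log4j:configuration>')
```

An empty result from `scan_tree` on the installation's configuration directory is consistent with the statement above. Because the CVE depends on write access to the Log4j configuration, those files should also be writable only by the account that administers the service.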

 

Additional Information

Related AA KB links 

1. Refer to consolidated AA KB for Log4J Vulnerability - https://knowledge.broadcom.com/external/article?articleId=230301