Per CVE-2021-45105, Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (Denial of Service) attack.
SiteMinder does not accept any external data in Context Lookups. SiteMinder also does not use Thread Context Map (MDC) patterns with input data, which is the cause of CVE-2021-45105, where malicious input data is crafted using a JNDI Lookup pattern. In addition, SiteMinder does not allow any recursive lookups. As a result, CVE-2021-45105 does not impact SiteMinder.
However, if you would still prefer to move to Log4j 2.17.0, we have tested that version as well.
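The advisory's argument rests on the precondition above: a PatternLayout that carries an MDC (`ctx`) lookup on an affected Log4j version. The following audit helper is an added example, not SiteMinder or Log4j code, for checking a deployment's own Log4j 2 XML configuration against that precondition; the configurations it scans are constructed samples, and it assumes XML-format configuration only.

```python
"""Added audit helper (not SiteMinder or Log4j code): flag Log4j 2 XML
configurations that meet the CVE-2021-45105 precondition, a PatternLayout
carrying a Thread Context Map (MDC) lookup such as $${ctx:loginId}."""
import re
import xml.etree.ElementTree as ET

# ${ctx:name} or $${ctx:name}; the ctx lookup reads the MDC, so its value
# is attacker-influenced wherever untrusted data reaches the MDC.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

def find_ctx_lookups(xml_text: str) -> list:
    """Return (location, lookup) pairs for every MDC lookup inside a
    PatternLayout, whether written as an attribute or a nested <Pattern>."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.lower() != "patternlayout":
            continue
        for attr in ("pattern", "header", "footer"):
            for m in CTX_LOOKUP.findall(el.get(attr, "")):
                findings.append((f"PatternLayout@{attr}", m))
        for child in el:
            if child.tag.lower() == "pattern" and child.text:
                for m in CTX_LOOKUP.findall(child.text):
                    findings.append(("PatternLayout/Pattern", m))
    return findings

def version_affected(version: str) -> bool:
    """True for the range the advisory names, 2.0-alpha1 through 2.16.0,
    comparing only the major.minor prefix (so '2.0-alpha1' -> 2.0)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable Log4j version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return major == 2 and minor <= 16

def is_exposed(xml_text: str, log4j_version: str) -> bool:
    """Both conditions must hold: an MDC lookup in a PatternLayout and an
    affected Log4j version. Either alone does not produce the crash."""
    return version_affected(log4j_version) and bool(find_ctx_lookups(xml_text))

# Constructed sample configurations (not taken from the advisory).
VULN_CONFIG = """<Configuration><Appenders><Console name="c">
<PatternLayout pattern="%d %p [%t] $${ctx:loginId} %m%n"/>
</Console></Appenders></Configuration>"""
SAFE_CONFIG = """<Configuration><Appenders><Console name="c">
<PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
</Console></Appenders></Configuration>"""
```

A configuration with the default pattern and no `ctx` lookup is reported as not exposed even on 2.16.0, which is the situation the advisory describes for SiteMinder.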
Full information, including upgrade steps, is available in section “Impact of CVE-2021-45105 on SiteMinder” via KB Article ID: 230270.
This article can be found here:
CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability