Is Clarity vulnerable to CVE-2021-4104 and CVE-2021-45105

Article ID: 230963

Updated On:

Products

Clarity PPM SaaS; Clarity PPM On Premise

Issue/Introduction

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Environment

Clarity On Premise and Clarity SaaS

Cause

Source:

Resolution

  • Clarity is not vulnerable to CVE-2021-45105. Log4j2 is NOT used.
  • Broadcom has evaluated and recommends upgrading to log4j-2.17.0 for Jaspersoft. Information is documented in KB CVE-2021-44228 - log4j vulnerability and Clarity
  • SaaS HDP/ODATA is not vulnerable to it and does not require remediation.
  • Clarity is not vulnerable to CVE-2021-4104 because Clarity neither configures a JMS appender nor uses JMS in its log4j implementation. The logger.xml configuration file is not write accessible in the SaaS environment.
  • Clarity is not vulnerable to:
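The two conditions in the advisories above can be verified on any deployment rather than taken on trust. The script below is an added example, not Broadcom's or Clarity's own code: `find_jms_appenders` parses a Log4j 1.x XML configuration such as logger.xml and reports every appender whose class is JMSAppender, together with any `TopicBindingName` / `TopicConnectionFactoryBindingName` parameters it sets (the precondition for CVE-2021-4104); `affected_by_cve_2021_45105` applies the advisory's version range (2.0-alpha1 through 2.16.0, excluding 2.12.3) to a Log4j 2 version string, which is the check to run against the Jaspersoft log4j-2.17.0 upgrade. The sample configuration is constructed for the example and the function names are assumptions.

```python
"""Defender-side checks for CVE-2021-4104 and CVE-2021-45105 (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Parameters on a Log4j 1.2 JMSAppender that drive the JNDI lookups
# described in CVE-2021-4104.
JNDI_PARAMS = {"TopicBindingName", "TopicConnectionFactoryBindingName"}

# Constructed sample of a Log4j 1.x logger.xml. The second appender is the
# kind of entry the check is meant to surface; a clean file has none.
SAMPLE_LOGGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="FILE" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="app.log"/>
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %-5p %c - %m%n"/>
    </layout>
  </appender>
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="FILE"/></root>
</log4j:configuration>
"""


def find_jms_appenders(config_xml: str) -> List[Dict]:
    """Return every appender in a Log4j 1.x XML config that uses JMSAppender,
    with the JNDI binding parameters it sets. Unprefixed <appender> elements
    carry no namespace, so a plain tag name matches them."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter("appender"):
        cls = appender.get("class", "")
        if cls.rsplit(".", 1)[-1] != "JMSAppender":
            continue
        params = {p.get("name"): p.get("value")
                  for p in appender.findall("param")
                  if p.get("name") in JNDI_PARAMS}
        findings.append({"name": appender.get("name"),
                         "class": cls, "jndi_params": params})
    return findings


def parse_log4j2_version(version: str) -> tuple:
    """Turn '2.16.0' or '2.0-alpha1' into a sortable tuple. A pre-release
    qualifier sorts before the final release with the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version}")
    major, minor, patch, qual, qual_num = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    # Final releases get (1,), pre-releases (0, qualifier, n): '2.0-alpha1' < '2.0'
    pre = (0, qual.lower(), int(qual_num or 0)) if qual else (1,)
    return nums + pre


def affected_by_cve_2021_45105(version: str) -> bool:
    """Apply the advisory's range: 2.0-alpha1 through 2.16.0 are affected,
    except 2.12.3; the fix shipped in 2.17.0 and 2.12.3."""
    v = parse_log4j2_version(version)
    if v == parse_log4j2_version("2.12.3"):
        return False
    return parse_log4j2_version("2.0-alpha1") <= v <= parse_log4j2_version("2.16.0")


if __name__ == "__main__":
    hits = find_jms_appenders(SAMPLE_LOGGER_XML)
    if not hits:
        print("no JMSAppender configured: CVE-2021-4104 precondition absent")
    for hit in hits:
        print(f"JMSAppender configured: {hit}")
    for ver in ("2.0-alpha1", "2.12.3", "2.15.0", "2.16.0", "2.17.0"):
        state = "affected" if affected_by_cve_2021_45105(ver) else "not affected"
        print(f"log4j {ver}: {state} by CVE-2021-45105")
```

To run the first check against a real file, read logger.xml into a string and pass it to `find_jms_appenders`; an empty result means the configuration-based precondition for CVE-2021-4104 is not met, which is the same conclusion the resolution above states for Clarity. The version check is deliberately conservative about unknown formats and raises rather than guessing.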

Additional Information

Log4j CVE-2021-44228 and Clarity