Is Performance Management exposed to CVE-2021-45105?
Only the following components are affected:
Data Collectors (21.2.2+ only)
Data Aggregators (21.2.2+ only)
Data Repository Nodes (3.7.x, 20.2.x, and 21.2.x)
The NetOps Portal and Data Aggregator Proxy are not affected.
Current Description
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.
This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
This issue was fixed in Log4j 2.17.0 and 2.12.3.
Broadcom is aware of CVE-2021-45105 - CVE-2021-45104
NetOps 21.2.6 will ship with Log4j 2.17.0 to mitigate this vulnerability.
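To confirm which Log4j build a given host actually carries, the version range in the description above can be checked against the log4j-core jars on disk. The following Python script is an added example, not Broadcom or Apache code; the function names and the directory argument are assumptions, and it judges by file name only, so renamed or bundled (shaded) copies of Log4j are not detected.

```python
import os
import re

# Bounds copied from the CVE description above.
FIRST_AFFECTED = (2, 0, 0)     # 2.0-alpha1 and the other 2.0 pre-releases map here
FIRST_FIXED = (2, 17, 0)
FIXED_BACKPORTS = {(2, 12, 3)}

# Matches e.g. log4j-core-2.14.1.jar and log4j-core-2.0-beta9.jar
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc)\d+)?\.jar$")


def classify(filename):
    """Return 'affected', 'fixed' or 'unknown' for one jar file name."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return "unknown"          # not a recognisable log4j-core 2.x jar name
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if version in FIXED_BACKPORTS or version >= FIRST_FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "affected"
    return "unknown"


def scan(root):
    """Walk root and return sorted (path, status) for every log4j-core jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                findings.append((os.path.join(dirpath, name), classify(name)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # The directory is an assumption: pass the install path of the component
    # being checked (Data Collector, Data Aggregator or Data Repository node).
    for path, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:8} {path}")
```

Jars reported as "unknown" need a manual look, for example at the version recorded in the jar's manifest.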