Are log4j 2.xx versions that are not vulnerable also certified with AA(Advanced Authentication) 8.x along with AA 9.x?

Article ID: 231261


Products

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort) CA Strong Authentication

Issue/Introduction

As we know, AA 8.x is not vulnerable to Log4j CVE-2021-44228, aka the 'Log4Shell' vulnerability, because AA 8.x versions use Log4J 1.x, which is not vulnerable. Apache, via NIST, has indicated that 2.xx versions below Log4J version 2.17 are vulnerable.

 

Environment

Release : 8.1

Component : AuthMinder(Arcot WebFort)

RiskMinder(Arcot RiskFort)

Cause

Log4J 2.xx versions below Log4J version 2.17 are vulnerable. Log4J 2.17 is not; hence the question of whether AA 8.x is certified with Log4J 2.xx.

Resolution

Broadcom Product Management confirms that Advanced Authentication version 8.x has NOT been certified with Log4J versions 2.xx. You may want to refer to KB article #230301 for additional information:

https://knowledge.broadcom.com/external/article?articleId=230301

 

Additional Information

None.