Log4j vulnerability patches provided for Advanced Authentication 9.1.x contain references to un-remediated JAR files in risk-restapi.war
search cancel

Log4j vulnerability patches provided for Advanced Authentication 9.1.x contain references to un-remediated JAR files in risk-restapi.war

book

Article ID: 231382

calendar_today

Updated On:

Products

CA Advanced Authentication CA Risk Authentication CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

Issue/Introduction

Log4j vulnerability patches provided for AA 9.1.x  still allow a "risk-restapi.war" file (in <ARCOT_HOME>\java\webapps) that uses un-remediated Log4J JAR files with versions older than the recommended version Log4j 2.17.

Environment

Release : 9.1.x

Component : RiskMinder ( Arcot Riskfort) CA Risk Authentication

Cause

In 9.1.x that is patched for Log4J vulnerability, the "risk-restapi,war" file (in <ARCOT_HOME>\java\weapps) sill make references to un-remediated Log4J JAR files with versions older than the recommended version Log4j 2.17.

Resolution

In the latest versions, please use aa-restapi.war, which is a cumulative WAR  to use for AA REST API. The "risk-restapi,war" is carried over from older releases and should not be deployed/used. Refer to this AA document link - https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/release-notes-9-1/deprecated-components.html. This link calls out old Risk REST APIs as deprecated.

Additional Information

Deprecated components for Advanced Authentication

Attachments

Powered by Wolken Software