CVE-2021-44832 log4j vulnerability for CA Service Management
Article ID: 231395


Products

CA Service Management - Service Desk Manager
CA Service Management - Asset Portfolio Management
CA Service Catalog
CA Service Desk Manager

Issue/Introduction

CVE-2021-44832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832

Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. 

In accordance with CVE-2021-44832 (updated 12/29/2021), log4j must be upgraded to version 2.17 or higher.

SDM v17.3.11 was built with log4j 2.16.

Is CA Service Management affected by the above vulnerability and will there be a patch or workaround for installing log4j 2.17?
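The description above gives a defender two concrete things to check: whether the log4j-core version on disk falls inside the affected range, and whether a Log4j 2 configuration declares a JDBC appender whose DataSource names a JNDI resource outside the java: protocol (the only protocol the fixed releases accept). The following Python script is an added example, not part of this article or of the CASM product; it assumes the Log4j 2 XML configuration syntax (JDBC and DataSource elements, jndiName attribute) and does not handle the properties, JSON or YAML configuration formats. The sample configuration is constructed for the demonstration.

```python
"""Added example (not from the Broadcom article or the CASM product): two
defender-side checks derived from the CVE-2021-44832 description.

1. is_vulnerable_version(): is a log4j-core version inside the affected range
   (2.0-beta7 through 2.17.0, excluding the fixed releases 2.3.2 and 2.12.4)?
2. audit_log4j2_config(): does a Log4j 2 XML configuration declare a JDBC
   appender, and does any of its DataSource elements name a JNDI resource
   outside the java: protocol?

Assumption: Log4j 2 XML configuration syntax; properties, JSON and YAML
formats are not handled. SAMPLE_CONFIG is constructed.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release on each maintained branch, per the CVE text.
FIXED_RELEASES = {(2, 17): (2, 17, 1), (2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def is_vulnerable_version(version):
    """Return True if this log4j-core version is in the CVE-2021-44832 range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    qualifier, qnum = (m.group(4) or "").lower(), int(m.group(5) or 0)
    if major != 2:
        return False  # Log4j 1.x is a separate code base, outside this CVE
    if (minor, patch) == (0, 0) and qualifier == "beta" and qnum < 7:
        return False  # affected range starts at 2.0-beta7
    if (major, minor, patch) > (2, 17, 0):
        return False  # 2.17.1 and later
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is not None and (major, minor, patch) >= fixed:
        return False  # 2.3.2 / 2.12.4 back-port releases
    return True


def _attr(elem, name):
    """Log4j matches attribute names case-insensitively; ElementTree does not."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return ""


def audit_log4j2_config(xml_text):
    """Count JDBC appenders and list DataSource JNDI names not under java:.

    Plugin element names are compared case-insensitively because Log4j 2
    accepts <jdbc> and <datasource> as well as the documented spellings.
    """
    root = ET.fromstring(xml_text)
    jdbc_appenders = [e for e in root.iter() if e.tag.lower() == "jdbc"]
    risky = []
    for appender in jdbc_appenders:
        for child in appender.iter():
            if child.tag.lower() != "datasource":
                continue
            jndi_name = _attr(child, "jndiName")
            if not jndi_name.lower().startswith("java:"):
                risky.append((_attr(appender, "name"), jndi_name))
    return {"jdbc_appenders": len(jdbc_appenders), "risky_datasources": risky}


# Constructed sample: one conventional JDBC appender and one whose DataSource
# points outside the java: namespace, which the fixed releases refuse to resolve.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <jdbc name="Unexpected" tableName="t">
      <datasource jndiname="ldap://host.invalid/x"/>
      <Column name="message" pattern="%m"/>
    </jdbc>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for v in ("2.16.0", "2.17.0", "2.17.1", "2.12.4", "2.3.1"):
        print(v, "affected" if is_vulnerable_version(v) else "not affected")
    print(audit_log4j2_config(SAMPLE_CONFIG))
```

Run against a real deployment, the version check is applied to the version string in each log4j-core jar's manifest, and the config audit to every log4j2.xml the product ships; a result of zero JDBC appenders is what the resolution below describes for CASM.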

Environment

Release : 17.3

Component : SDM - Vulnerability

Resolution

The CASM products do not use the JDBC Appender and are not vulnerable to or affected by the above.

Even though none of the CASM products are vulnerable, Dev/SE plans to upgrade the affected log4j jar files to version 2.17.1 in the next RU cycle for 17.2 and 17.3.

Additional Information

The tentative release date for these RU updates is early Feb, 2022.

The LOG4J 2.17.1 update will only be provided via the RU patches. A test fix outside of the RU patches to provide LOG4J 2.17.1 will NOT be available.


See also the following Broadcom advisory, which covers the related Log4j CVEs:

CVE-2021-44228 - Critical
Base CVSS Score: 10.0
Vector String - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046 - Critical
Base CVSS Score: 9.0
Vector String - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45105 - High
Base CVSS Score: 7.5
Vector String - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-4104 - High
Base CVSS Score: 8.1
Vector String - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

https://support.broadcom.com/external/content/security-advisory/Broadcom-Enterprise-Software-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/19792