Per CVE-2021-44832, Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to remote code execution (RCE): an attacker with permission to modify the logging configuration file can construct a malicious configuration that uses a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.
This issue is fixed in Log4j2 version 2.17.1 by limiting JNDI data source names to the java protocol.
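As an added illustration (not part of this advisory, and not SiteMinder or Log4j code), the following Python script applies the same rule the 2.17.1 fix enforces to a Log4j2 XML configuration: it walks every JDBC appender, collects the `jndiName` of each `DataSource` element, and reports any name whose URI scheme is not `java`. Names with no scheme are treated here as plain local-context names and are not flagged; that is this script's own choice, not something stated in the advisory. The sample configuration, its appender names and the `placeholder.invalid` host are constructed for the demonstration.

```python
"""Audit a Log4j2 XML configuration for JDBC appender data sources
whose JNDI name uses a protocol other than java (CVE-2021-44832 pattern).

Constructed example; the configuration below is not a real deployment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config: one benign JDBC appender, one that a
# 2.17.1-style check must reject because the scheme is not java.
SAMPLE_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%m%n"/>
    </Console>
    <JDBC name="auditDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
    <JDBC name="suspiciousDb" tableName="app_log">
      <DataSource jndiName="ldap://placeholder.invalid/not-a-real-target"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="stdout"/></Root>
  </Loggers>
</Configuration>
"""


def is_allowed_jndi_name(jndi_name: str) -> bool:
    """Mirror the 2.17.1 restriction: only the java: scheme is permitted.

    A name with no scheme at all (e.g. "jdbc/Logging") is treated as a
    local-context name by this script (assumption, see lead-in).
    """
    scheme = urlparse(jndi_name).scheme.lower()
    return scheme in ("", "java")


def find_jdbc_data_sources(config_xml: str) -> list[tuple[str, str]]:
    """Return (appender name, jndiName) for every DataSource under a JDBC appender.

    Log4j2 element names are case-insensitive, so tags are compared lowercased.
    """
    root = ET.fromstring(config_xml)
    found = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        appender_name = appender.get("name", "<unnamed>")
        for child in appender.iter():
            if child.tag.lower() == "datasource":
                found.append((appender_name, child.get("jndiName", "")))
    return found


def audit_config(config_xml: str) -> list[tuple[str, str]]:
    """Return only the data sources whose JNDI name would be rejected."""
    return [
        (name, jndi)
        for name, jndi in find_jdbc_data_sources(config_xml)
        if not is_allowed_jndi_name(jndi)
    ]


if __name__ == "__main__":
    for appender_name, jndi in audit_config(SAMPLE_CONFIG):
        print(f"REJECT appender={appender_name!r} jndiName={jndi!r}")
    # Prints one line for the suspiciousDb appender above.
```

Run it against a real `log4j2.xml` by replacing `SAMPLE_CONFIG` with the file contents; an empty result means no JDBC appender in that file relies on a non-java JNDI name, which is the condition this advisory says SiteMinder already satisfies.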
SiteMinder does not use JDBC Appender with a data source referencing a JNDI URL. As a result, CVE-2021-44832 does not impact SiteMinder.
However, if you would still prefer to move to Log4j 2.17.1, we have tested SiteMinder with that version as well.
Full information, including upgrade steps, is available in section “Impact of CVE-2021-44832 on SiteMinder” via KB Article ID: 230270.
This article can be found here: CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability