UIM Log4j vulnerability (CVE-2021-44832)

Article ID: 231488

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

A vulnerability (CVE-2021-44832) affects Apache Log4j 2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4). It permits code execution if an attacker is able to control and modify the contents of the logging configuration file so that it points to a remote URI data source from which arbitrary Java code is loaded.

Environment

Release : 20.3, 20.4

Resolution

This is listed as a MEDIUM impact vulnerability and requires that an attacker already have root/administrator access to the environment in order to exploit it (which would be difficult to do in UIM even with such access).

We will update to log4j 2.17.1 (or whatever is the newest available) as part of the next normal GA release of each component.
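To check an installation against the affected range stated above (2.0-beta7 through 2.17.0, excluding 2.3.2 and 2.12.4) while waiting for the 2.17.1 component updates, the following added inventory script (not part of this article or of the UIM product) walks an install directory and flags every log4j-core jar whose version falls inside that range. The version bounds are the only inputs; the jar naming pattern and the scan logic are the script's own assumptions.

```python
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Bounds taken from the article: 2.0-beta7 .. 2.17.0 is affected,
# except the security-fix releases 2.3.2 and 2.12.4.
FIXED_RELEASES = {(2, 3, 2), (2, 12, 4)}
FIRST_AFFECTED = (2, 0, 0, 0, 7)   # 2.0-beta7
LAST_AFFECTED = (2, 17, 0, 2, 0)   # 2.17.0 final

# Assumed jar naming: log4j-core-2.0-beta9.jar, log4j-core-2.0-rc1.jar,
# log4j-core-2.0.jar, log4j-core-2.17.0.jar (patch and pre-release optional).
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$", re.I)

def parse_version(name: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Map a jar file name to (major, minor, patch, kind, pre_num), or None
    if it is not a log4j-core jar. kind: 0=beta, 1=rc, 2=final release, so
    tuple comparison orders pre-releases before the final build."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    if m.group(4) is None:
        return (major, minor, patch, 2, 0)
    kind = 0 if m.group(4).lower() == "beta" else 1
    return (major, minor, patch, kind, int(m.group(5)))

def is_affected(v: Tuple[int, int, int, int, int]) -> bool:
    """True when v lies in the affected range and is not a fix release."""
    if v[:3] in FIXED_RELEASES:
        return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED

def scan(root: str) -> List[Tuple[str, bool]]:
    """Return (jar path, affected?) for every log4j-core jar under root."""
    results = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        v = parse_version(jar.name)
        if v is not None:
            results.append((str(jar), is_affected(v)))
    return sorted(results)

if __name__ == "__main__":
    for path, bad in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("AFFECTED " if bad else "ok       ") + path)
```

The check relies on the jar file name only; a log4j-core copy bundled inside another archive or renamed will not be found and needs a separate look.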