Web Agent Option Pack log4j and vulnerability CVE-2019-17571

Article ID: 232181


Products

SITEMINDER, CA Single Sign On Federation (SiteMinder), CA Single Sign On Agents (SiteMinder)

Issue/Introduction

The Web Agent Option Pack ships with log4j 1.2.8, which appears to be vulnerable to CVE-2019-17571 (1).

 

Environment

Component: Web Agent Option Pack all versions

 

Resolution

Affwebservices does not use the SocketServer class from the log4j JAR file, so this vulnerability does not create a security issue for affwebservices.

The Web Agent Option Pack is not vulnerable to CVE-2019-17571.
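One way to check this statement against a given installation, as an added example (not Broadcom's or the product's code): the script lists which archives under a directory ship `org.apache.log4j.net.SocketServer` and which files outside log4j itself name that class. It is a static search and assumes the class name appears literally; the directory passed on the command line is whatever deployment path you choose.

```python
import io
import os
import sys
import zipfile

# CVE-2019-17571 class: slash form in compiled .class files, dotted form in config/scripts.
NEEDLES = (b"org/apache/log4j/net/SocketServer", b"org.apache.log4j.net.SocketServer")
SOCKET_SERVER_ENTRY = "org/apache/log4j/net/SocketServer.class"
ARCHIVES = (".jar", ".war", ".ear")


def scan_archive(data, label, ships, refs):
    """Record whether an archive ships SocketServer and which entries refer to it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if name == SOCKET_SERVER_ENTRY:
                ships.append(label)
                continue
            if name.startswith("org/apache/log4j/"):
                continue  # log4j's own classes refer to each other
            body = zf.read(name)
            if name.lower().endswith(ARCHIVES):
                scan_archive(body, f"{label}!{name}", ships, refs)  # nested archive
            elif any(n in body for n in NEEDLES):
                refs.append(f"{label}!{name}")


def audit(root):
    """Return (archives shipping SocketServer, files referencing it) under root."""
    ships, refs = [], []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            if fname.lower().endswith(ARCHIVES):
                scan_archive(data, path, ships, refs)
            elif any(n in data for n in NEEDLES):
                refs.append(path)
    return sorted(ships), sorted(refs)


if __name__ == "__main__":
    shipped, referenced = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("ships SocketServer:", shipped, "\nreferenced from:", referenced)
```

An empty second list is consistent with the class being present in the JAR but never loaded; a class name built at runtime or a listener started from outside the scanned directory would not be found by this search.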

 

Additional Information

(1)   CVE-2019-17571

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571