Web Agent Option Pack log4j and vulnerability CVE-2019-17571

Article ID: 232181

Products

SITEMINDER
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

The Web Agent Option Pack uses log4j 1.2.8, which seems to be
vulnerable to CVE-2019-17571 (1).

Environment

Web Agent Option Pack, all versions

Resolution

Affwebservices does not use the SocketServer class from the log4j JAR file,
so there is no security issue for affwebservices.

The Web Agent Option Pack is not vulnerable to CVE-2019-17571.
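
One way to check the same thing on a deployment, as an added example (not the vendor's code or tooling): the script walks a directory such as the deployed affwebservices application, reports which JARs ship `org.apache.log4j.net.SocketServer`, and lists any file outside log4j itself that names the class. `build_sample`, `app.jar`, `start-logserver.sh` and port 4712 are constructed fixtures, assumed for illustration.

```python
import io, os, zipfile

INTERNAL = b"org/apache/log4j/net/SocketServer"  # name form in jars and class constant pools
DOTTED = b"org.apache.log4j.net.SocketServer"    # name form in scripts and config files

def _scan_zip(data, label, out):
    """Walk one jar/war held in memory, descending into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            body = zf.read(name)
            if name == INTERNAL.decode() + ".class":
                out["ships_class"].append(label)       # the affected class is present
            elif name.startswith("org/apache/log4j/"):
                continue                               # log4j's own classes are not callers
            elif name.endswith((".jar", ".war")) and zipfile.is_zipfile(io.BytesIO(body)):
                _scan_zip(body, f"{label}!{name}", out)
            elif INTERNAL in body or DOTTED in body:
                out["references"].append(f"{label}!{name}")  # application code names it

def scan(root):
    """Return jars that ship SocketServer and files under root that reference it."""
    out = {"ships_class": [], "references": []}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if zipfile.is_zipfile(io.BytesIO(data)):
                _scan_zip(data, rel, out)
            elif INTERNAL in data or DOTTED in data:
                out["references"].append(rel)          # script or config starts the listener
    return out

def build_sample(root, with_listener=False):
    """Constructed stand-in for a deployment: dummy bytes, not real class files."""
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.8.jar"), "w") as z:
        z.writestr("org/apache/log4j/net/SocketServer.class", b"\xca\xfe\xba\xbe" + INTERNAL)
        z.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "app.jar"), "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbeorg/apache/log4j/Logger")
    if with_listener:  # constructed start script that would launch the log receiver
        with open(os.path.join(root, "start-logserver.sh"), "w") as fh:
            fh.write("java -cp log4j.jar org.apache.log4j.net.SocketServer 4712 s.properties conf\n")

if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1] if sys.argv[1:] else "."))
```

An empty `references` list is consistent with the Resolution above, but it is a static check: a class name assembled at run time, or a launch command kept outside the scanned directory, will not appear.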

 

Additional Information

(1)

    CVE-2019-17571

      Included in Log4j 1.2 is a SocketServer class that is vulnerable to
      deserialization of untrusted data which can be exploited to remotely
      execute arbitrary code when combined with a deserialization gadget
      when listening to untrusted network traffic for log data. This
      affects Log4j versions up to 1.2 up to 1.2.17.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571