Log4j Vulnerability, Modify or delete the code when using the JMSAppender


Article ID: 232633


Products

CA Identity Manager

Issue/Introduction

The Korea Internet & Security Agency has published the following vulnerability information for Log4j 1.x:
(https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=36389)

CVE-2021-4104
   - 1.x version.
      ※ No vulnerability impact if you don't use JMSAppender

- CVE-2021-4104
      · Modify or delete the code after checking to use the JMSAppender.

As stated above, the advisory says to modify or delete the code when the JMSAppender is in use.

Environment

 

Symantec Identity Manager Release: 14.4

Cause

CVE-2021-4104
      · Modify or delete the code after checking to use the JMSAppender.

Resolution

Identity Manager does not use the JMSAppender class anywhere directly.

Our product does not use the class, and because the class is not implemented in the product, it is not vulnerable. The mere presence of the class is therefore not a vulnerability problem; you can request a waiver from your security team, or they can direct you in removing it.

You can delete the JMSAppender class under the direction of your security team, as needed.

However, if you have done any customization or integration with that class, removing it would affect your customization. 
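
One way to run the check described above before deleting the class, as an added example that is not Broadcom's or the product's own code: it lists jars that still contain `JMSAppender.class` and configuration files that reference it, and can rewrite a jar without the class. It assumes jars sit unpacked on disk (not nested inside an EAR/WAR) and that customizations enable the appender through `.properties` or `.xml` files; the function names and sample file names are constructed for illustration.

```python
import os, shutil, tempfile, zipfile

CLASS_ENTRY = "org/apache/log4j/net/JMSAppender.class"  # path of the class inside a log4j 1.x jar
CLASS_NAME = b"org.apache.log4j.net.JMSAppender"        # name a log4j config uses to enable it

def scan(root):
    """Return (jars containing the class, config files that reference it)."""
    jars, configs = [], []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if name.lower().endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    if CLASS_ENTRY in jar.namelist():
                        jars.append(path)
            elif name.lower().endswith((".properties", ".xml")):
                with open(path, "rb") as fh:
                    if CLASS_NAME in fh.read():
                        configs.append(path)
    return sorted(jars), sorted(configs)

def strip_class(jar_path):
    """Rewrite the jar without JMSAppender.class; the original is kept as <jar>.bak."""
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != CLASS_ENTRY:
                dst.writestr(item, src.read(item.filename))
    return backup

def build_sample(root):
    """Constructed sample: a stand-in jar plus a custom config that enables the appender."""
    jar_path = os.path.join(root, "log4j-sample.jar")
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr(CLASS_ENTRY, b"constructed placeholder")
        jar.writestr("org/apache/log4j/Logger.class", b"constructed placeholder")
    with open(os.path.join(root, "custom-log4j.properties"), "w") as fh:
        fh.write("log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    return jar_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        jars, configs = scan(root)
        print("jars with JMSAppender:", jars, "configs referencing it:", configs)
        if not configs:  # only remove the class when no customization depends on it
            for jar in jars:
                strip_class(jar)
```

Point `scan` at the application server's deployment directory; once the change is verified, move the `.bak` copy out of that directory so the class is no longer present there.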

 

Additional Information

Reference: DE525228