Identity Governance 14.3 contains the following Log4j 1.2.x JAR files from the third-party Workpoint component. Is it vulnerable to CVE-2021-4104?
/home//CA/RCM/Server/eurekify-jboss/Workpoint/WorkPointDesigner/lib/axis/log4j-1.2.8.jar
/home//CA/RCM/Server/eurekify-jboss/Workpoint/WorkPointDesigner/rcm/log4j-1.2.14.jar
/home//CA/RCM/Server/eurekify-jboss/Workpoint/rcm/lib/log4j-1.2.14.jar
/opt/JBoss/jboss-eap-6.4/Workpoint/WorkPointDesigner/lib/axis/log4j-1.2.8.jar
/opt/JBoss/jboss-eap-6.4/Workpoint/WorkPointDesigner/rcm/log4j-1.2.14.jar
/opt/JBoss/jboss-eap-6.4/Workpoint/rcm/lib/log4j-1.2.14.jar
Release : 14.3
Component : Identity Governance
FYI
For CVE-2021-4104, the Log4j 1.x branch has reached end-of-life (EOL) status and therefore does not receive security updates. There are a few mitigation options that can be used to prevent the exploitation of CVE-2021-4104:
Do not use the JMSAppender in the Log4j configuration
Remove the JMSAppender class file (org/apache/log4j/net/
Limit OS user access to prevent an attacker from being able to modify the Log4j configuration
Identity Governance 14.3 contains Workpoint 3.5.2, which does not use or configure JMSAppender or JNDIAppender and is not vulnerable to this attack.
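
The first two mitigation options can be checked with a short audit script. The following is an added example, not code from the vendor or from Workpoint: it reports whether a Log4j 1.2.x jar still carries the JMSAppender class file and whether the Log4j configuration loaded with it references JMSAppender. The function names, result labels and sample inputs are assumptions constructed for illustration.

```python
import io
import re
import zipfile

CLASS_FILE = "JMSAppender.class"  # class named in the mitigation list

def jms_entries(jar):
    """Return jar entries whose file name is JMSAppender.class (jar: path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        return [n for n in zf.namelist() if n.rsplit("/", 1)[-1] == CLASS_FILE]

def jms_config_lines(text):
    """Return (line number, line) for active config lines that reference JMSAppender."""
    # Blank out XML comments but keep their newlines so line numbers stay correct.
    text = re.sub(r"<!--.*?-->", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith(("#", "!")):  # comment lines in a .properties file
            continue
        if "JMSAppender" in line:
            hits.append((number, line))
    return hits

def assess(jar, config_text):
    """Classify one jar plus the Log4j configuration that is loaded with it."""
    if not jms_entries(jar):
        return "class removed"
    if jms_config_lines(config_text):
        return "JMSAppender configured"
    return "class present, not configured"

def make_jar(names):
    """Build a constructed in-memory jar holding empty entries with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed sample inputs (not taken from a real Workpoint installation).
STOCK_JAR = ["org/apache/log4j/Logger.class", "org/apache/log4j/net/" + CLASS_FILE]
STRIPPED_JAR = ["org/apache/log4j/Logger.class"]
CLEAN_CONFIG = ("log4j.rootLogger=INFO, file\n"
                "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
                "log4j.appender.file=org.apache.log4j.FileAppender\n")
JMS_CONFIG = "log4j.rootLogger=INFO, jms\nlog4j.appender.jms=org.apache.log4j.net.JMSAppender\n"

if __name__ == "__main__":
    for jar, cfg in ((STOCK_JAR, CLEAN_CONFIG), (STOCK_JAR, JMS_CONFIG), (STRIPPED_JAR, CLEAN_CONFIG)):
        print(assess(make_jar(jar), cfg))
```

To audit a real installation, pass each jar path listed above to `assess()` together with the text of the Log4j configuration file that the same class loader reads.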