search cancel



Article ID: 233448


Updated On:


CA Application Performance Management (APM / Wily / Introscope)


Our collector, version, is showing up in a vulnerability scan for CVE-2021-44832 regarding the CA agent.  Just a matter of time before the scanner picks up the rest of our collectors on the same version.  The collector is running on Windows 2016 Datacenter with JRE release 8.0.1120.15

Do you have any information on this CVE as it relates to APM if already addressed by Broadcom or in the plans?

Broadcom and Google searches are not turning up anything regarding APM for this CVE.

I'll need a fix or an answer on how it is going to be addressed to report back to the security team.


Release : 10.7.0

Component : Introscope


APM product (server-side, 10.x and nextgen) is using the patched log4j_1.2.17-cloudera1-nonet.jar, not the log4j version 2.x, so it is not affected.

Additional Information

For AXA:

AxA team will upgrade log4j 2.x into the latest version 2.17.1 in AXA.


The Apache Foundation Log4j group published a new vulnerability report for log4j, CVE-2021-44832. This is a medium risk vulnerability (6.6 CVSS) according to Apache. At this time, Engineering should handle CVE-2021-44832 in line with regular 3rd party software vulnerability handling procedures. I am sending this email in case there is any unwarranted escalation/attention on this vulnerability due to the recent critical risk log4j CVE database entries. I expect more vulnerability reports in log4j over time, as usual.


Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)
CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.

CVE-2021-44832 Remote Code Execution
Severity Moderate
Base CVSS Score 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Versions Affected All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4



Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.


How to fix it

Solution - Fix Available


Fixed in versions:

The latest stable releases can be found here.


No Workaround