Log4j Version 1.x
CVE-2017-5645, CVE-2019-17571
- Remove SocketServer.class and SocketAppender.class from your jar files
- Ensure you do not run a log4j SocketServer, and that your log4j configuration does not use a SocketAppender
CVE-2020-9488
- Remove SMTPAppender.class and SMTPAppender$1.class files from your jar files
- Ensure your log4j configuration does not use an SMTPAppender
CVE-2021-4104, CVE-2021-44228
- Remove JMSAppender.class from your jar files
- Ensure your log4j configuration does not use JMSAppender
- Note: CVE-2021-44228 (Log4Shell) is a JNDI lookup flaw in Log4j 2.x and does not apply to Log4j 1.x. The Log4j 1.x issue that removing JMSAppender addresses is CVE-2021-4104, which is exploitable only when an attacker can modify the log4j configuration to point JMSAppender at a malicious JNDI provider.
Release : 12.0.01
Component : WA AE/AUTOSYS RELATED Embedded Entitlement Manager
Broadcom's engineering team has confirmed that these classes are not used by the product, so the product is not affected by any of the aforementioned CVEs. The procedure below removes these classes from all EEM-related jar files in the Autosys environment.
For the EEM bundled with Autosys R12.0.01, the affected classes can be safely removed from the EEM libraries (jars).
Following are the instructions -
- Stop all the services.
- Take a backup of the product install directory (/opt/CA/).
- Run the following commands to remove the classes (SocketServer.class, JMSAppender.class, SMTPAppender.class, SMTPAppender$1.class) from the jar files. Each command deletes (-d) the named entries from the jar quietly (-q). If none of the named entries exist in a jar, zip reports "Nothing to do!" and exits nonzero; compare the jar listing (unzip -l <jar>) before and after to confirm exactly which entries were removed.
EEM Server - To be executed on EEM server(s) -
zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/bin/eiam-clustersetup.jar com/ca/eiam/log4j/net/SocketServer.class
zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/bin/safeauditimport.jar org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SMTPAppender\$1.class org/apache/log4j/net/SMTPAppender.class org/apache/log4j/net/SocketServer.class
zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/lib/jars/log4j-1.2.5.jar org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SMTPAppender.class org/apache/log4j/net/SocketServer.class
zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/lib/jars/eiam-log4j-1.2.15.jar com/ca/eiam/log4j/net/SocketServer.class
zip -q -d /opt/CA/SharedComponents/EmbeddedEntitlementsManager/uninstall/uninstaller.jar com/ca/eiam/log4j/net/SocketServer.class
Autosys (EEM SDK) - To be executed on all the Autosys servers and the web servers (AEWS) - (the autouser.PRD directory below is specific to the PRD instance; substitute your own instance name)
zip -q -d /opt/CA/WorkloadAutomationAE/autosys/install/JARS/Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
zip -q -d /opt/CA/WorkloadAutomationAE/autosys/install/webserver/AEWS/WEB-INF/lib/Safe.jar com/ca/eiam/log4j/net/SocketServer.class
zip -q -d /opt/CA/WorkloadAutomationAE/autouser.PRD/webserver/webapps/AEWS/WEB-INF/lib/Safe.jar com/ca/eiam/log4j/net/SocketServer.class
WebUI(EEM SDK) - To be executed on WebUI (aka WCC) server -
zip -q -d /opt/CA/WorkloadAutomationAE/wcc/tomcat/webapps/asi/WEB-INF/lib/Safe.jar com/ca/eiam/log4j/net/SocketServer.class
zip -q -d /opt/CA/WorkloadAutomationAE/wcc/tomcat/lib/eem-safex-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
zip -q -d /opt/CA/WorkloadAutomationAE/wcc/bin/lib/eem-safex.jar com/ca/eiam/log4j/net/SocketServer.class
Kindly run the procedure in the lower environments before running it on critical production servers, and verify with unzip -l that the listed entries are gone from each jar before restarting the services.
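The commands above are specific to the R12.0.01 install paths. As an added example (not Broadcom's tooling, and not part of the original article), the script below does the same job portably with Python's zipfile module: it audits a directory tree for jars that still carry the advisory's class entries under either the stock org/apache/log4j/net package or the relocated com/ca/eiam/log4j/net package used by the EEM SDK jars, rebuilds a jar without those entries while keeping a .bak copy, and re-audits afterwards. The sample jar it builds in a temp directory is constructed for illustration; the four-byte payloads are just the class-file magic number.

```python
import os
import shutil
import tempfile
import zipfile

# Class names from the advisory. The EEM SDK jars carry a relocated copy of
# log4j under com/ca/eiam/log4j, so both package prefixes are checked.
VULNERABLE_CLASSES = (
    "SocketServer.class",
    "SocketAppender.class",
    "SMTPAppender.class",
    "SMTPAppender$1.class",
    "JMSAppender.class",
)
PACKAGE_PREFIXES = ("org/apache/log4j/net/", "com/ca/eiam/log4j/net/")
VULNERABLE_ENTRIES = frozenset(
    prefix + cls for prefix in PACKAGE_PREFIXES for cls in VULNERABLE_CLASSES
)


def find_vulnerable_entries(jar_path):
    """Return the sorted entry names in jar_path that are on the advisory's list."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if n in VULNERABLE_ENTRIES)


def strip_vulnerable_entries(jar_path):
    """Rewrite jar_path without the vulnerable entries and keep a .bak copy.

    zipfile cannot delete in place, so the archive is rebuilt entry by entry
    (same end result as zip -d). Returns the sorted list of removed entries.
    """
    to_remove = set(find_vulnerable_entries(jar_path))
    if not to_remove:
        return []
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in to_remove:
                continue
            # Passing the ZipInfo keeps timestamp, permissions and compression
            # method, so surviving entries are carried over unchanged.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return sorted(to_remove)


def scan_tree(root):
    """Map every *.jar under root to its vulnerable entries (empty list = clean)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                report[path] = find_vulnerable_entries(path)
    return report


def build_sample_jar(path):
    """Constructed sample jar: three advisory classes plus one innocuous class.

    The scan matches on entry name, as zip -d does; class bytes are never parsed.
    """
    magic = b"\xca\xfe\xba\xbe"
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", magic)
        jar.writestr("org/apache/log4j/net/JMSAppender.class", magic)
        jar.writestr("org/apache/log4j/net/SMTPAppender$1.class", magic)
        jar.writestr("com/ca/eiam/log4j/net/SocketServer.class", magic)


def demo():
    """Audit, strip and re-audit the sample jar; return what each step saw."""
    workdir = tempfile.mkdtemp()
    try:
        jar = os.path.join(workdir, "Safe.jar")  # hypothetical path
        build_sample_jar(jar)
        before = scan_tree(workdir)[jar]
        removed = strip_vulnerable_entries(jar)
        after = find_vulnerable_entries(jar)
        with zipfile.ZipFile(jar) as cleaned:
            integrity = cleaned.testzip()  # None means every CRC checks out
            remaining = cleaned.namelist()
    finally:
        shutil.rmtree(workdir)
    return {"before": before, "removed": removed, "after": after,
            "remaining": remaining, "integrity": integrity}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point scan_tree at /opt/CA to find any jar the fixed list above does not cover (for example a different instance directory), then strip_vulnerable_entries on each hit. One caveat that applies equally to zip -d: if a jar is signed (META-INF/*.SF and *.RSA or *.DSA entries), removing entries invalidates its signature, so check for those files before modifying the jar.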
https://knowledge.broadcom.com/external/article/230309/cve202144228-log4j-vulnerability-and-au.html