Is Performance Management affected by vulnerabilities CVE-2022-23302, CVE-2022-23305, CVE-2022-23307?
Article ID: 233920

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Is NetOps Performance Management 21.2.x affected by these Log4j 1.x vulnerabilities?

CVE-2022-23302: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302

CVE-2022-23305: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305

CVE-2022-23307: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307

Environment

Release: 21.2

Component: PM Web UI Administration/Configuration

Resolution

Performance Management 21.2.x is not affected by these vulnerabilities because it does not use any of the vulnerable classes and appenders mentioned in the CVEs (JMSSink, JDBCAppender, SocketAppender).
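The resolution rests on one verifiable condition: the product's Log4j 1.x configuration and bundled jars must not reference the classes the CVEs name. The following check, added here as an example and not Broadcom's or Apache's code, scans a log4j.properties file, a log4j.xml file and a jar's entry list for those classes. The three sample inputs are constructed for the example; the SocketAppender entry is included because the resolution above lists it, and the page gives no CVE for it, so none is assigned.

```python
"""Check Log4j 1.x configuration and jar contents for the classes named in
CVE-2022-23302 (JMSSink), CVE-2022-23305 (JDBCAppender), CVE-2022-23307
(Chainsaw) and the SocketAppender listed in the resolution.

Added illustrative code, not the product's own; sample inputs are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Fully qualified names as shipped in Log4j 1.2.x. The Chainsaw entry is a
# package prefix, since CVE-2022-23307 concerns the whole bundled component.
VULNERABLE = {
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.chainsaw": "CVE-2022-23307",
    "org.apache.log4j.net.SocketAppender": "named in the resolution",
}


def _match(class_name):
    """Return the reference for a class (or a class inside a flagged package)."""
    for prefix, ref in VULNERABLE.items():
        if class_name == prefix or class_name.startswith(prefix + "."):
            return ref
    return None


# log4j.appender.<name>=<class>; sub-keys such as .File or .URL do not match.
PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")


def scan_properties(text):
    """Return (appender name, class, reference) for flagged appenders."""
    hits = []
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            ref = _match(m.group(2))
            if ref:
                hits.append((m.group(1), m.group(2), ref))
    return hits


def scan_xml(text):
    """Same as scan_properties, for the log4j.xml format."""
    hits = []
    for el in ET.fromstring(text).iter():
        if el.tag.split("}")[-1] == "appender":
            cls = el.get("class", "")
            ref = _match(cls)
            if ref:
                hits.append((el.get("name", "?"), cls, ref))
    return hits


def scan_jar(jar_bytes):
    """Return (class, reference) for flagged .class entries in a jar."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                cls = name[:-len(".class")].replace("/", ".")
                ref = _match(cls)
                if ref:
                    hits.append((cls, ref))
    return hits


# Constructed samples: a properties file with a JDBC appender, an XML file
# with a socket appender, and a jar that still carries Chainsaw and JMSSink.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, file, db
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:placeholder
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="remote" class="org.apache.log4j.net.SocketAppender">
    <param name="RemoteHost" value="collector.example"/>
  </appender>
  <root><level value="info"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""


def build_sample_jar():
    """Build an in-memory jar whose entry names mimic a Log4j 1.2.x jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in ("org/apache/log4j/Logger.class",
                      "org/apache/log4j/chainsaw/Main.class",
                      "org/apache/log4j/net/JMSSink.class"):
            zf.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, hits in (("properties", scan_properties(SAMPLE_PROPERTIES)),
                        ("xml", scan_xml(SAMPLE_XML)),
                        ("jar", scan_jar(build_sample_jar()))):
        print(label, "clean" if not hits else hits)
```

A clean result from both configuration scans is what the resolution asserts for 21.2.x; the jar scan is the stricter check, since the vulnerable classes can be present on the classpath even when no configuration references them, which is why the article's reasoning rests on the appenders not being used rather than on the jar.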

Additional Information

See the following article for the Log4j versions used by each NetOps version.

https://knowledge.broadcom.com/external/article?articleId=235074