EEM - Is it a possible workaround to remove the SocketServer class and the JMSAppender class from the log4j-1.2.17 that is delivered in EEM?


Article ID: 233949


Updated On:

Products

CA Service Operations Insight (SOI)

Issue/Introduction

We would like to know if it would be a possible workaround to remove the SocketServer class and the JMSAppender class from the log4j-1.2.17 that is delivered in EEM.

Due to their security rules, those vulnerable files need to be removed from the server even if they do not use the functionality that has the vulnerability.

Environment

Release : 4.2

Component : Embedded Entitlements Manager 12.5

Cause

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Resolution

Broadcom has provided steps to remove these 2 classes from the jar files, since we do not use them.

The attached zip file has the directions.

See attached: EEM.log4j_1.x_wo_JMSAppender_SocketServer-selected.zip
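
One way to check which jars still carry the two classes and to strip them, as an added example that is not taken from the attached Broadcom directions or from this article. It assumes the standard log4j 1.2.x entry names `org/apache/log4j/net/JMSAppender.class` and `org/apache/log4j/net/SocketServer.class`; the function names are hypothetical.

```python
import os
import tempfile
import zipfile

# Assumed entry names: the two classes named in this article, as packaged in log4j 1.2.x.
TARGETS = ("org/apache/log4j/net/JMSAppender",
           "org/apache/log4j/net/SocketServer")

def is_target(entry):
    """True for Target.class and for any inner class Target$X.class."""
    return entry.endswith(".class") and any(
        entry == t + ".class" or entry.startswith(t + "$") for t in TARGETS)

def find_targets(jar_path):
    """Return the target entries still present in one jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if is_target(n))

def scan_tree(root):
    """Map every .jar under root that still holds a target class to its hits."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(folder, name)
                try:
                    found = find_targets(path)
                except zipfile.BadZipFile:
                    continue  # file has a .jar name but is not a zip archive
                if found:
                    hits[path] = found
    return hits

def strip_jar(jar_path):
    """Rewrite jar_path in place without the target classes; return what was removed."""
    removed = find_targets(jar_path)
    if removed:
        fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(jar_path) as src, \
                zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if not is_target(info.filename):
                    dst.writestr(info, src.read(info.filename))
        os.replace(tmp, jar_path)  # swap in the stripped copy
    return removed
```

Stop the service that loads the jar before rewriting it, and run `scan_tree` again afterwards over the whole install directory: copies of log4j in other folders, and any backup of the original jar left on the server, still contain the classes.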

Attachments

1644001466674__EEM.log4j_1.x_wo_JMSAppender_SocketServer-selected.zip