AAM log4j LU04132 HOLDDATA

Article ID: 234531


Products

Advanced Authentication Mainframe

Issue/Introduction

Step 4 of the HOLDDATA for AAM PTF LU04132 contains the following:

If you are using CAAAMRSA factor and cannot immediately enable the
RSA SecurID Authentication API (REST) support you can continue to use
the RSA SecurID Authentication API for C and Java (SDK) until you are
ready. You will need to copy the RSA provided log4j-1.2.12rsa-1.jar to
the RSA_HOME directory where authapi.jar and cryptoj.jar are located.
Log4j is no longer provided by mfav1.jar

Does this step need to be completed? How can a site determine if log4j is being used?


Environment

Release : 2.0

Component : Advanced Authentication Mainframe

Resolution

AAM is not affected by the more serious CVE-2021-44228 vulnerability, which applies to log4j 2.x.

LU04132 contains remediation for the less severe log4j CVE-2021-4104 vulnerability. The PTF removes the Log4j v1.2.17 that was previously bundled in mfav1.jar. If a site is not using the RSA SecurID Authentication/CAAAMRSA factor, this process can be ignored; that factor is the only portion of AAM affected by the less severe log4j vulnerability.

This version of log4j is used by the RSA SDK code. The last step in the HOLDDATA indicates that, if the CAAAMRSA factor is used for RSA SecurID Authentication, either the REST API functionality must be activated instead of the SDK, or the manual configuration step described in the HOLDDATA must be performed. We strongly encourage moving to the REST API as soon as possible, as the SDK has been deprecated. If moving to the REST API, the steps detailed below do not need to be completed.

To continue using the SDK:

Note: RSA Link account credentials are required to access the archive.

  • Download the RSA SecurID Authentication Agent API 8.6 for Java. The needed log4j file is in its lib directory.

  • FTP this file to the mainframe and place it in the AAM USS directory alongside the authapi.jar and cryptoj.jar.
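As an added illustration (not part of this article and not Broadcom or RSA code), a Python check a site could run against a copy of its AAM USS/RSA_HOME directory to answer the question above: are the SDK jars (authapi.jar, cryptoj.jar) present, does mfav1.jar still bundle log4j classes (PTF not yet applied), and has the RSA-provided log4j-1.2.12rsa-1.jar been copied alongside them? The make_sample_dir helper builds constructed placeholder jars for a dry run; the directory path and jar contents it creates are assumptions, not real product files.

```python
"""Check an AAM RSA_HOME (USS) directory for the log4j state described above."""
import os
import tempfile
import zipfile

LOG4J_PREFIX = "org/apache/log4j/"          # package used by log4j 1.x classes
SDK_JARS = ("authapi.jar", "cryptoj.jar")   # jars named in the HOLDDATA
RSA_LOG4J_JAR = "log4j-1.2.12rsa-1.jar"     # jar name as given in the HOLDDATA


def log4j_classes_in_jar(path):
    """Return the log4j class entries bundled in a jar (empty list if none)."""
    with zipfile.ZipFile(path) as jar:
        return [n for n in jar.namelist()
                if n.startswith(LOG4J_PREFIX) and n.endswith(".class")]


def check_rsa_home(rsa_home):
    """Report whether the SDK jars are present, whether mfav1.jar still bundles
    log4j (PTF not yet applied) and whether the RSA-provided jar is in place."""
    present = set(os.listdir(rsa_home))
    bundled = []
    if "mfav1.jar" in present:
        bundled = log4j_classes_in_jar(os.path.join(rsa_home, "mfav1.jar"))
    sdk_in_use = all(j in present for j in SDK_JARS)
    rsa_jar = RSA_LOG4J_JAR in present
    return {
        "sdk_in_use": sdk_in_use,
        "mfav1_bundles_log4j": bool(bundled),
        "rsa_log4j_present": rsa_jar,
        # The manual copy step matters only when the SDK is in use, the PTF has
        # already removed log4j from mfav1.jar and the RSA jar is still missing.
        "copy_step_needed": sdk_in_use and not bundled and not rsa_jar,
    }


def make_sample_dir(post_ptf=True, with_rsa_jar=False):
    """Constructed placeholder jars (not real product files) for a dry run."""
    d = tempfile.mkdtemp()
    for name in SDK_JARS:
        with zipfile.ZipFile(os.path.join(d, name), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(d, "mfav1.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if not post_ptf:  # pre-PTF state: log4j 1.2.17 classes still bundled
            z.writestr(LOG4J_PREFIX + "Logger.class", b"")
    if with_rsa_jar:
        with zipfile.ZipFile(os.path.join(d, RSA_LOG4J_JAR), "w") as z:
            z.writestr(LOG4J_PREFIX + "Logger.class", b"")
    return d
```

Run check_rsa_home against the real directory once the PTF is applied; copy_step_needed being True means the SDK is still in use and the RSA jar has not yet been placed.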


Additional Information

Advanced Authentication Mainframe 2.0 Log4j 1.2.x vulnerability CVE-2021-4104: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisories/Advanced-Authentication-Mainframe-2.0-Log4j-1.2.x-vulnerability-CVE-2021-4104/20050

Configure RSA SecurID Authentication: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-advanced-authentication-mainframe/2-0/installing/configure-ca-advanced-authentication-mainframe/configure-rsa-securid-authentication.html