Details:
Path : /spectrum/lib/log4j.jar
Installed version : 1.2.8

Scanner finding: "A logging library running on the remote host is no longer supported."

"According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities."

"Upgrade to a version of Apache Log4j that is currently supported.
Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions."
Release : 21.2.x
The version indicated here belongs to the VisiBroker product shipped with DX NetOps Spectrum.
Broadcom does not own this component and cannot update it independently of VisiBroker.
Broadcom requires VisiBroker to update this version of Log4J.
If the debug options will never be used, this JAR file can be deleted; see:
https://knowledge.broadcom.com/external/article?articleId=235901
VisiBroker's response on the topic:
Our Product Engineering team have reviewed these items as well.
CVE-2022-23307
This relates to the Log4J Chainsaw viewer. As this is not shipped with VisiBroker, VisiBroker is not impacted in any way.
CVE-2022-23302 & CVE-2022-23305
These relate to Log4J appenders not used by VisiBroker by default. By default, VisiBroker uses the Log4J File appender. As such, these vulnerabilities will only be relevant if the customer creates explicit configuration that causes these non-default appenders to be used.
CVE-2019-17571
This relates to a SocketServer class, which is again not used by VisiBroker by default.
In short, none of the above vulnerabilities are relevant to VisiBroker out-of-the-box. Additionally, Log4J 2 requires a minimum JRE version of 1.7. As such, Log4J 2 support will require a significant update for customers running on older platforms. We are carefully monitoring the situation with this vulnerability, ensuring that our customers are not impacted. At this time, our CORBA solutions do not appear vulnerable from a standard configuration of our products.
VisiBroker has plans to release/ship an updated version of Log4J in October 2022.
This logging is only used to activate CORBA tracing in Spectrum. It is enabled from the OneClick side through tomcat/webapps/spectrum/META-INF/context.xml, where it is off by default:

vbroker.log.enable=false

There is also an entry on the SpectroSERVER side in the $SPECROOT/Jcorbarc file, which is commented out (disabled) by default:

#vbroker.log.enable=true

If CORBA debugging will not be used, this JAR file can be safely deleted, since it is used only for CORBA debug.
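The following audit script is an added example, not Broadcom's or VisiBroker's own tooling: it checks both files named above for an active vbroker.log.enable=true and reports whether the CORBA-debug log4j.jar is still in use before anyone removes it. It assumes the plain key=value form shown in this article and '#' as the comment character in both files; the jar version helper reads the manifest's Implementation-Version header, which old 1.2.x jars may not carry.

```shell
#!/bin/sh
# Added audit helper (not Broadcom's or VisiBroker's code). It checks the two
# places the article names for vbroker.log.enable and reports whether the
# CORBA-debug log4j.jar is still in use. Assumes the plain key=value form
# shown in the article and '#' as the comment character in both files.

# vbroker_logging_enabled FILE
# Returns 0 only if FILE contains an active (uncommented) vbroker.log.enable=true.
vbroker_logging_enabled() {
    f="$1"
    [ -r "$f" ] || return 1          # absent file: logging cannot be enabled
    tr -d '\r' < "$f" \
        | sed 's/^[[:space:]]*//' \
        | grep -v '^#' \
        | grep -iq 'vbroker\.log\.enable[[:space:]]*=[[:space:]]*true'
}

# log4j_jar_version JAR
# Prints the Implementation-Version from the jar manifest, or "unknown"
# (old 1.2.x jars may not carry the header at all).
log4j_jar_version() {
    v=""
    if [ -r "$1" ] && command -v unzip >/dev/null 2>&1; then
        v=$(unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null | tr -d '\r' \
            | sed -n 's/^Implementation-Version:[[:space:]]*//p' | head -n 1)
    fi
    echo "${v:-unknown}"
}

# audit_corba_log4j CONTEXT_XML JCORBARC
# Prints one verdict per file; returns 0 when neither file enables vbroker
# logging (log4j.jar is unused and can be removed), 1 otherwise.
audit_corba_log4j() {
    in_use=0
    for f in "$1" "$2"; do
        if vbroker_logging_enabled "$f"; then
            echo "ENABLED : $f (log4j.jar is in use; do not delete it)"
            in_use=1
        else
            echo "disabled: $f (no active vbroker.log.enable=true)"
        fi
    done
    return $in_use
}

# Stand-alone use:  sh audit.sh CONTEXT_XML JCORBARC [LOG4J_JAR]
if [ $# -ge 2 ]; then
    [ -n "$3" ] && echo "log4j.jar version: $(log4j_jar_version "$3")"
    audit_corba_log4j "$1" "$2"
fi
```

Run it as `sh audit.sh $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml $SPECROOT/Jcorbarc $SPECROOT/lib/log4j.jar`; a non-zero exit means tracing is switched on somewhere and the jar must stay.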