Our security team has brought up CVEs below that may be impacting these Log4J versions as well. I wanted to check and see if these are non-impacting to Identity Manager and the reasoning for that so I can relay back to our security team. If they are impacting, is there remediation that can be done or expected upgrades in future patches?
File Locations:
<IDM_HOME>\Bulk Loader\lib\log4j_V1.2.16
<IDM_HOME>\Connector Xpress\lib\log4j-1.2.16
<IDM_HOME>\Connector Server SDK\connectors\sdkws\resources\endpoint\war\WEB-INF\lib\log4j-1.2.15
<IDM_HOME>\Connector Server\data\cache\org.eclipse.osgi\bundles\172\1\.cp\log4j-1.2.16
<IDM_HOME>\Provisioning Server\sdk\admin\support\web30\common\lib\log4j-1.2.8
<IDM_HOME>\IAM Suite\Identity Manager\tools\SelectiveExportUtility\log4j-1.2.16
<IDM_HOME>\IAM Suite\Identity Manager\tools\Workpoint\lib\axis\log4j-1.2.8
<IDM_HOME>\IAM Suite\Identity Manager\tools\Workpoint\src\wpPPCO\WEB-INF\lib\log4j-1.2.17
<IDM_HOME>\IAM Suite\Identity Manager\tools\Workpoint\src\wpWebframe\WEB-INF\lib\log4j-1.2.17
CVEs: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
Identity Manager 14.4 and below
For CVE-2022-23302 - Identity Manager is not vulnerable. Engineering has validated that the product does not use the JNDI-backed JMSSink that this CVE concerns.
For CVE-2022-23305 - Identity Manager is not vulnerable. Engineering has validated that the product does not use the JDBCAppender.
For CVE-2022-23307 - Identity Manager is not vulnerable. Engineering has validated that the Chainsaw thick client is not used to view log4j entries.
Although the product is not vulnerable, the jars listed above have been handed to the development teams to update or remove them from the product.
Optionally, and at your own risk, you can follow the Red Hat guidance below to remove the affected class files from the jar files.
https://access.redhat.com/security/cve/cve-2022-23302
https://access.redhat.com/security/cve/cve-2022-23305
https://access.redhat.com/security/cve/cve-2022-23307
Back up each out-of-the-box jar before removing anything from it, so the original can be restored if a component turns out to depend on a removed class.
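The following script is an added example and is not part of this article or of the Identity Manager product. It audits a Log4j 1.2.x jar for the class entries the three CVEs concern (JMSSink for CVE-2022-23302, JDBCAppender for CVE-2022-23305, the org/apache/log4j/chainsaw package for CVE-2022-23307), and optionally strips them after taking a .bak copy, which is the same effect as the Red Hat `zip -q -d` mitigation but works on Windows without Info-ZIP. The jar it builds when run without arguments is a constructed stand-in with placeholder class bytes; point it at the real paths under <IDM_HOME> to scan them. The entry names, function names and the .bak naming are the example's own choices.

```python
"""Audit Log4j 1.2.x jars for the classes behind CVE-2022-23302/23305/23307
and optionally strip them. Added example, not vendor code; the sample jar in
build_sample_jar() is constructed for the demo and holds placeholder bytes."""
import os
import shutil
import sys
import tempfile
import zipfile

# Jar entries each CVE concerns. A trailing "/" marks a package prefix.
VULN_ENTRIES = {
    "CVE-2022-23302": ("org/apache/log4j/net/JMSSink.class",),       # JMSSink deserialisation via JNDI
    "CVE-2022-23305": ("org/apache/log4j/jdbc/JDBCAppender.class",),  # JDBCAppender SQL injection
    "CVE-2022-23307": ("org/apache/log4j/chainsaw/",),                # Chainsaw viewer classes
}


def _matches(name, pattern):
    return name == pattern or (pattern.endswith("/") and name.startswith(pattern))


def scan_jar(path):
    """Return {cve: [entries present]} for the CVE-relevant classes in one jar."""
    found = {cve: [] for cve in VULN_ENTRIES}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            for cve, patterns in VULN_ENTRIES.items():
                if any(_matches(name, p) for p in patterns):
                    found[cve].append(name)
    return {cve: names for cve, names in found.items() if names}


def strip_jar(path):
    """Back the jar up as <path>.bak, then rewrite it without the flagged entries.
    Returns the sorted list of removed entry names ([] if nothing was flagged)."""
    flagged = {n for names in scan_jar(path).values() for n in names}
    if not flagged:
        return []
    backup = path + ".bak"
    shutil.copy2(path, backup)  # the untouched original survives the rewrite
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
    os.close(fd)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename not in flagged:
                dst.writestr(info, src.read(info.filename))  # keeps per-entry compression settings
    os.replace(tmp_path, path)  # atomic swap so a crash never leaves a half-written jar
    return sorted(flagged)


def build_sample_jar(path):
    """Constructed stand-in for log4j-1.2.x.jar: benign entries plus the three flagged ones."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/JMSSink.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/jdbc/JDBCAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/chainsaw/Main.class", b"\xca\xfe\xba\xbe")
    return path


def audit_and_strip_demo():
    """scan -> strip -> rescan on the constructed jar; returns (before, removed, after)."""
    workdir = tempfile.mkdtemp()
    jar = build_sample_jar(os.path.join(workdir, "log4j-1.2.16.jar"))
    before = scan_jar(jar)
    removed = strip_jar(jar)
    after = scan_jar(jar)
    # The stripped jar must still be a valid archive and keep its unrelated classes.
    with zipfile.ZipFile(jar) as zf:
        if zf.testzip() is not None or "org/apache/log4j/Logger.class" not in zf.namelist():
            raise RuntimeError("stripped jar is damaged")
    if not os.path.exists(jar + ".bak"):
        raise RuntimeError("backup missing")
    shutil.rmtree(workdir)
    return before, removed, after


if __name__ == "__main__":
    if len(sys.argv) == 1:
        before, removed, after = audit_and_strip_demo()
        print("before:", before)
        print("removed:", removed)
        print("after:", after)
    else:
        # Usage: python audit_log4j1.py "<IDM_HOME>\Bulk Loader\lib\log4j-1.2.16.jar" ...
        for jar in sys.argv[1:]:
            print(jar, "->", scan_jar(jar) or "clean")
```

Run the scan first across every path in the list above and keep the output as evidence for the security team; a jar that reports "clean" needs no further action. Only run strip_jar on jars you are prepared to restore from the .bak copy, since any component that does reference JMSSink, JDBCAppender or Chainsaw will fail at class-load time once the entries are gone.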
Identity Manager 14.5 uses Log4j 2.20, so these Log4j 1.x CVEs no longer apply to it.