Identity Portal: unable to install Log4j hotfix
Article ID: 236129

Products

CA Identity Suite, CA Identity Portal

Issue/Introduction

Attempting to install the Identity Portal hotfix for Log4j:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-4/release-notes/Hotfixes.html#concept.dita_8d2ce000-4c6c-407c-9f46-e2efeb6404c6_JavaTimeZoneUpdate

The readme file explains how to install it:

However, the folder <JBoss/Wildfly_HOME>/modules/com/ca/iam does not exist on the Identity Portal application server.

The system started at 14.2 and, through successive upgrades, is now at the 14.4 level.

Environment

Release : 14.4

Component : SIGMA-Identity Suite

Cause

The specific upgrade path does not include the relevant jars.

Resolution

In 14.2, the installer did not include the log4j2 folder.

To upgrade to 14.4, the customer followed the documentation for manual deployment of the war. As a result, the folder in question (<JBoss/Wildfly_HOME>/modules/com/ca/iam) was never created.

Without the log4j2 jars, the system is not vulnerable and does not require the patch, which addresses the Apache Log4j issues (CVE-2021-44228, CVE-2021-45105, CVE-2021-45046, CVE-2021-44832).

There is no functional impact. However, the database password is visible in plain text in standalone.xml. Please confirm whether this is true in your local setup (standalone.xml).

The instructions to encrypt the password in the datasource can be found here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-4/upgrading/post-upgrade-tasks.html#concept.dita_b1ad7ec376fec2bd7f956190e87f9cbb3081cdb1_EncryptDatasourcePassword

Note: Following the instructions above places the vulnerable log4j jars on the system, so they should then be patched.
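
A way to check an application server for the conditions described in the Resolution, as an added example that is not part of the original article or of Broadcom's tooling: it reports whether <JBoss/Wildfly_HOME>/modules/com/ca/iam exists and contains log4j-core jars, and whether standalone.xml holds a literal <password> value. The standalone/configuration/standalone.xml location, the log4j-core*.jar name pattern and treating ${...} values as not plain text are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Usage: sh check_portal.sh <JBoss/Wildfly_HOME>

# Print every log4j-core jar found under modules/com/ca/iam, one per line.
# Assumption: the jars keep the upstream "log4j-core*.jar" file name.
find_log4j_jars() {
    mod_dir="$1/modules/com/ca/iam"
    [ -d "$mod_dir" ] || return 0
    find "$mod_dir" -type f -name 'log4j-core*.jar' 2>/dev/null
}

# Return 0 when standalone.xml has a <password> element with a literal value.
# Assumptions: default config path; a value starting with "${" is an
# expression (for example a vault reference) rather than a plain-text password.
plaintext_password_present() {
    cfg="$1/standalone/configuration/standalone.xml"
    [ -f "$cfg" ] || return 1
    sed -n 's:.*<password>\(.*\)</password>.*:\1:p' "$cfg" \
        | grep -v '^[$][{]' | grep -q .
}

# Summarise one server home as a comma-separated status string.
check_portal_home() {
    home="$1"
    if [ ! -d "$home/modules/com/ca/iam" ]; then
        # Manual war deployment path: folder never created, no jars to patch.
        status="no-iam-module-folder"
    elif [ -z "$(find_log4j_jars "$home")" ]; then
        status="no-log4j-jars"
    else
        # Jars are present, so the Log4j hotfix applies to this server.
        status="log4j-jars-present"
    fi
    if plaintext_password_present "$home"; then
        status="$status,plaintext-db-password"
    fi
    echo "$status"
}

# Run against a server home when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_portal_home "$1"
    find_log4j_jars "$1"
fi
```

Run it once before and once after following the datasource password encryption instructions: a result that changes to log4j-jars-present means the hotfix now needs to be installed.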