Log4j v1 Vulnerabilities

Article ID: 236308

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

The following log4j v1 vulnerabilities have been brought to our attention:

  • CVE-2019-17571 
  • CVE-2021-4104
  • CVE-2022-23302
  • CVE-2022-23305
  • CVE-2022-23307

Please advise if Nolio is impacted by these vulnerabilities. 

Environment

Release : 6.7

Component : CA RELEASE AUTOMATION CORE

Resolution

We have included the results of our analysis below.

Please note:
Besides the default configuration, you may have custom log4j configuration that references vulnerable appender classes. We therefore recommend checking the log4j.properties files to confirm they do not use any vulnerable log appender classes. Refer to "Additional Information" for details on how to detect whether vulnerable appenders are used in your log4j.properties files.

Scan Analysis Report

Vulnerability                              | Component | Analysis                                            | Remediation
-------------------------------------------|-----------|-----------------------------------------------------|--------------------
CVE-2019-17571 - SocketServer              | NAC       | SocketServer is not used with default log4j config  | Not Applicable (NA)
                                           | NES       | SocketServer is not used with default log4j config  | Not Applicable (NA)
                                           | Agent     | SocketServer is not used with default log4j config  | Not Applicable (NA)
CVE-2022-23302 - JMSSink vulnerability     | NAC       | JMSSink is not used                                 | Not Applicable (NA)
                                           | NES       | JMSSink is not used                                 | Not Applicable (NA)
                                           | Agent     | JMSSink is not used                                 | Not Applicable (NA)
CVE-2021-4104 - JMSAppender vulnerability  | NAC       | JMSAppender is not used with default log4j config   | Not Applicable (NA)
                                           | NES       | JMSAppender is not used with default log4j config   | Not Applicable (NA)
                                           | Agent     | JMSAppender is not used with default log4j config   | Not Applicable (NA)
CVE-2022-23305 - JDBCAppender vulnerability| NAC       | JDBCAppender is not used with default log4j config  | Not Applicable (NA)
                                           | NES       | JDBCAppender is not used with default log4j config  | Not Applicable (NA)
                                           | Agent     | JDBCAppender is not used with default log4j config  | Not Applicable (NA)
CVE-2022-23307 - Chainsaw component        | NAC       | Chainsaw is not used                                | Not Applicable (NA)
                                           | NES       | Chainsaw is not used                                | Not Applicable (NA)
                                           | Agent     | Chainsaw is not used                                | Not Applicable (NA)

Additional Information

For more information on how to search Nolio's log4j configuration files, please see the following KB article: "Scanning Vulnerable appender/classes in log4j.properties".
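As an added illustration of the check recommended above (this is example code, not part of this article or of the referenced KB), the following POSIX shell function scans a log4j 1.x properties file for references to the classes named in the five CVEs. The fully qualified class names are the standard log4j 1.x ones; the file paths and the sample properties content are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report active log4j.properties lines that reference the
# log4j 1.x classes behind CVE-2019-17571, CVE-2022-23302, CVE-2021-4104,
# CVE-2022-23305 and CVE-2022-23307. Commented-out lines are ignored.

# Standard log4j 1.x class/package names tied to the CVEs in this article.
VULNERABLE_CLASSES='org.apache.log4j.net.SocketServer
org.apache.log4j.net.JMSSink
org.apache.log4j.net.JMSAppender
org.apache.log4j.jdbc.JDBCAppender
org.apache.log4j.chainsaw'

# scan_log4j_props FILE
# Prints "FILE:LINE_NUMBER:CLASS:LINE" for each non-comment line in FILE that
# mentions one of the classes above. Returns 0 if none is found, 1 otherwise.
scan_log4j_props() {
    file="$1"
    found=0
    lineno=0
    # The "|| [ -n "$line" ]" clause also processes a last line with no newline.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop leading whitespace so indented comment lines are recognised.
        trimmed="${line#"${line%%[![:space:]]*}"}"
        # log4j.properties comments start with '#' or '!'; skip them.
        case "$trimmed" in
            \#*|\!*) continue ;;
        esac
        for cls in $VULNERABLE_CLASSES; do
            case "$trimmed" in
                *"$cls"*)
                    printf '%s:%d:%s:%s\n' "$file" "$lineno" "$cls" "$trimmed"
                    found=1
                    ;;
            esac
        done
    done < "$file"
    return $found
}

# Stand-alone usage (paths are assumptions):
#   sh scan_log4j.sh /opt/nolio/conf/log4j.properties other/log4j.properties
# $status ends as 1 if any file references a vulnerable class.
status=0
for f in "$@"; do
    scan_log4j_props "$f" || status=1
done
```

Review each reported line before acting on it: a match shows that a vulnerable class is configured, while the default Nolio configuration analysed above does not reference any of them.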