
log4j vulnerability remediation for apmia AWS extension


Article ID: 236836


Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

The 10.7 SP3 APMIA release includes apmia/extensions/AWSExtension/lib/external/log4j-1.2.17.jar.

We are mandated to remediate all components with log4j jars including this version.

Does Broadcom have a workaround or upgrade available to address this?

Environment

Release : 10.7.0

Component :

Resolution

As stated in our official communication on the log4j 1.2 vulnerability (linked below), 10.7 SP3 Agents are not affected because APM uses a forked and customized version of Log4j 1.2, which has been optimized and modified from the original Log4j 1.2, and APM does not enable the SocketServer or JMSAppender classes. This forked and customized version of Log4j 1.2 is maintained by Broadcom and does not rely on external support.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisories/Security-Advisory-CVE-2019-17571-log4j-1.2-vulnerability-and-Broadcom-CA-APM/19839
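
For an audit record, the two conditions named in the Resolution can be checked per install with a script like the one below. It is an added example, not Broadcom's code or procedure, and it assumes stock log4j 1.2 package paths and `log4j.appender.<name>=<class>` property syntax; the sample jar and configuration are constructed. A class being present in the jar only means it ships, not that it is enabled, and SocketServer is not configured through appender properties, so only its presence is reported.

```python
import io
import zipfile

# Class files for the two features the article says APM does not enable
# (package paths as in stock Apache log4j 1.2; an assumption for a forked jar).
NET_CLASSES = {
    "SocketServer": "org/apache/log4j/net/SocketServer.class",
    "JMSAppender": "org/apache/log4j/net/JMSAppender.class",
}

def classes_in_jar(jar):
    """Names of the NET_CLASSES entries physically present in a jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        present = set(zf.namelist())
    return sorted(name for name, path in NET_CLASSES.items() if path in present)

def jms_appenders(properties_text):
    """Appender names whose active log4j.appender.<name>= line selects a JMSAppender class."""
    found = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # skip blanks and comments
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        # Only "log4j.appender.<name>" declares the class; longer keys set options.
        if sep and parts[:2] == ["log4j", "appender"] and len(parts) == 3:
            if value.strip().split(".")[-1] == "JMSAppender":
                found.append(parts[2])
    return found

def build_sample_jar(entries):
    """Constructed in-memory jar holding empty placeholder entries, for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf

# Constructed sample configuration, not taken from an APM install.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, logfile
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=logs/agent.log
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    jar = build_sample_jar(["org/apache/log4j/Logger.class", NET_CLASSES["JMSAppender"]])
    print("classes present:", classes_in_jar(jar))
    print("JMS appenders enabled:", jms_appenders(SAMPLE_PROPERTIES))
```

To run it against a real install, pass the jar path from the Issue section to `classes_in_jar` and the text of the agent's logging configuration to `jms_appenders`.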