
Does the PAM_LOG4J_44228_45046 patch need to be re-applied after an upgrade?


Article ID: 237012


Updated On:


CA Privileged Access Manager (PAM)


PAM has been upgraded from 3.4.x to 4.0.1. Before the upgrade, the PAM_LOG4J_44228_45046 patch was applied on 3.4.x as per KB article 230405. This hotfix addresses the flaws in the Apache Log4j library's JNDI lookup mechanism, i.e., CVE-2021-44228 and CVE-2021-45046. PAM is integrated with Help Desk / ServiceNow platforms, so this hotfix was applied to avoid the vulnerabilities.

Does the PAM_LOG4J_44228_45046 patch need to be re-applied after the upgrade to 4.0.1?


Release : 4.0.1

Component : Symantec Privileged Access Manager


Yes. After upgrading to 4.0.1, the PAM_LOG4J_44228_45046 patch must be re-applied to avoid the vulnerabilities.

If you upgrade to 4.0.2, no log4j patch is needed: the Third Party License Acknowledgements page shows that 4.0.2 comes with log4j 2.17.1, the version that has all the fixes.