
Does the PAM_LOG4J_44228_45046 patch need to be re-applied after an upgrade?


Article ID: 237012


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM has been upgraded from 3.4.x to 4.0.1. Before the upgrade, the PAM_LOG4J_44228_45046 patch was applied on 3.4.x as per KB article 230405. This hotfix addresses the flaws in the Apache Log4j library's JNDI lookup mechanism, i.e., CVE-2021-44228 and CVE-2021-45046. PAM is integrated with Help Desk / ServiceNow platforms, so this hotfix was applied to avoid the vulnerabilities.

Does the PAM_LOG4J_44228_45046 patch need to be re-applied after the upgrade to 4.0.1?

Environment

Release: 4.0.1

Component: Symantec Privileged Access Manager

Resolution

Yes. After upgrading to 4.0.1, the PAM_LOG4J_44228_45046 patch must be re-applied to avoid the vulnerabilities.

If you upgrade to 4.0.2, the Third Party License Acknowledgements page (https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-2/third-party-license-acknowledgments.html) shows that 4.0.2 comes with log4j 2.17.1, the version that has all the fixes. You no longer need to apply any log4j patch on 4.0.2.