SDK log4j jar contains vulnerable classes

Article ID: 238559

Products

SITEMINDER

Issue/Introduction

When running a SiteMinder Agent, the Agent fails to run and reports a
problem with ContentHelper, which cannot be loaded because of a
broken dependency:

The code still seems to rely on the old log4j-1.X:

    package com.netegrity.tm.contenthelper.api;
    import org.apache.log4j.Category;
    import org.apache.log4j.NDC;
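
To find which classes in a custom or SDK jar still depend on the log4j 1.x API imported above, the following added example (not Broadcom or SiteMinder SDK code) reads each class file's constant pool and lists references to `org/apache/log4j/`, along with any bundled copies of that package. The sample jar and the class name `com/example/CustomHelper` are constructed for illustration.

```python
import io
import struct
import sys
import zipfile

LOG4J1_PKG = "org/apache/log4j/"  # 1.x API package; 2.x uses org/apache/logging/log4j/
SIZES = {3: 5, 4: 5, 5: 9, 6: 9, 7: 3, 8: 3, 9: 5, 10: 5, 11: 5, 12: 5,
         15: 4, 16: 3, 17: 5, 18: 5, 19: 3, 20: 3}  # entry bytes by tag, tag included

def class_refs(data):
    """Return the class names in a .class constant pool (empty set if not a class file)."""
    count = struct.unpack(">H", data[8:10])[0] if data[:4] == b"\xca\xfe\xba\xbe" else 0
    pos, idx, utf8, class_idx = 10, 1, {}, []
    while idx < count:
        tag = data[pos]
        arg = struct.unpack(">H", data[pos + 1:pos + 3])[0]  # u2 that follows the tag
        if tag == 1:    # CONSTANT_Utf8: arg is the byte length of the string
            utf8[idx] = data[pos + 3:pos + 3 + arg].decode("utf-8", "replace")
        elif tag == 7:  # CONSTANT_Class: arg is the index of the Utf8 name
            class_idx.append(arg)
        pos += (3 + arg) if tag == 1 else SIZES[tag]  # KeyError: unknown/corrupt tag
        idx += 2 if tag in (5, 6) else 1  # long/double take two pool slots
    return {utf8[i] for i in class_idx if i in utf8}

def scan_jar(jar):
    """Return (bundled log4j 1.x classes, {class entry: log4j 1.x types it references})."""
    bundled, dependents = [], {}
    with zipfile.ZipFile(jar) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".class")):
            if name.startswith(LOG4J1_PKG):
                bundled.append(name)
                continue
            hits = sorted(r for r in class_refs(zf.read(name)) if LOG4J1_PKG in r)
            if hits:
                dependents[name] = hits
    return bundled, dependents

def sample_jar():  # constructed in-memory jar; the class is header + constant pool only
    names = ["com/example/CustomHelper", "org/apache/log4j/Category", "org/apache/log4j/NDC"]
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 2 * len(names) + 1)
    for i, n in enumerate(names):  # Class entry pointing at the Utf8 entry after it
        cls += struct.pack(">BHBH", 7, 2 * i + 2, 1, len(n)) + n.encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/CustomHelper.class", cls)
        zf.writestr("org/apache/log4j/Category.class", b"")  # stands in for a bundled copy
    return buf

if __name__ == "__main__":
    print([scan_jar(j) for j in sys.argv[1:] or [sample_jar()]])
```

Pass one or more jar paths on the command line to scan real files. Classes loaded only by name through reflection do not appear in the constant pool as class references, so an empty result does not rule those out.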

Cause

Log4j vulnerabilities are fixed in SDK 12.8SP6a (1).

Environment

SDK 12.0SP3CR07 Agent

Resolution

- Upgrade your custom code so that it is based on SDK 12.8SP6a to
  resolve this issue.

Additional Information

(1) Changes to Existing Features in 12.8.06a
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/Changes-to-Existing-Features/changes-to-existing-features-in-12-8-06a.html