Looking for log4j upgrade in patch, being flagged for Security Scan

Article ID: 238849

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

A security scan is flagging the following two log4j jars on an APM 10.7 installation as "Apache Log4j 1.2 Remote Code Execution Vulnerability" and "EOL/Obsolete Software: Apache Log4j 1.X Detected":

./APMSqlServer/repo/log4j-1.2.17-1.jar

./product/enterprisemanager/configuration/org.eclipse.osgi/bundles/213/1/.cp/WebContent/WEB-INF/lib/log4j-1.2.9.jar

Does a patch upgrade these versions?

Can they be removed from the system?

Environment

Release : 10.7.0

Resolution

This is straight from the Advisory:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisories/Security-Advisory-CVE-2019-17571-log4j-1.2-vulnerability-and-Broadcom-CA-APM/19839

./APMSqlServer/repo/log4j-1.2.17-1.jar

  • Broadcom Engineering has determined that the external APMSQL Server bundle available as an additional download for APM 10.5 and 10.7 uses an affected version of the Log4j 1.2 and its use should be discontinued. To replace this functionality, please use the built-in APM RestAPI instead. Please refer to the APM documentation on usage of the APM RestAPI to remotely query/download APM metrics over http/https connections.

So you should be able to remove the APMSQL Server.

./product/enterprisemanager/configuration/org.eclipse.osgi/bundles/213/1/.cp/WebContent/WEB-INF/lib/log4j-1.2.9.jar

  • Broadcom Engineering has determined that core APM 9.7 thru APM 10.7.x servers (Collectors/MOMs/TESS/TIM/WebView) and APM 9.7 thru APM 10.7/11.x/SaaS/20.x/21.x java based agents (i.e. Weblogic, Websphere, Tomcat, EPAgent, UMA,...) are not affected by the above CVEs because APM is using a forked and customized version of Log4j 1.2 which has been optimized and modified from the original Log4j 1.2 and APM does not enable the SocketServer or JMSAppender classes. This forked and customized version of Log4j 1.2 is maintained by Broadcom and does not rely on external support.

I sent your response over to my security team. You can close the request.

I deleted the APMSQL Server jar.
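To give the security team something concrete to reconcile against the advisory wording in the Resolution above, here is an added example (not Broadcom or APM code) that inventories Log4j 1.2 jars under an install root and reports whether each jar ships the org.apache.log4j.net SocketServer / JMSAppender class entries. The sample tree, the jar contents and the filename regex are constructed assumptions for the demo; presence of an entry only means the class is shipped, not that it is enabled.

```python
"""Inventory Log4j 1.2 jars under an install root and report whether each jar
ships the SocketServer / JMSAppender class entries. Added example, not APM code."""
import os
import re
import tempfile
import zipfile

# Class entries the advisory says APM does not enable. Presence in a jar is a
# conservative indicator only: a class can be shipped yet never configured.
FLAGGED_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
)
# Filename heuristic for Log4j 1.2 artifacts (log4j-1.2.9.jar, log4j-1.2.17-1.jar);
# a renamed or shaded jar would be missed, and log4j-1.2-api bridges are excluded.
LOG4J12_NAME = re.compile(r"^log4j-(1\.2(?:\.\d+)?(?:-\d+)?)\.jar$")

def inspect_jar(path):
    """Return (version from filename, [flagged class entries present]) for one jar."""
    version = LOG4J12_NAME.match(os.path.basename(path)).group(1)
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    return version, [c for c in FLAGGED_CLASSES if c in names]

def scan_install(root):
    """Walk root; map each Log4j 1.2 jar ('/'-separated relative path) to inspect_jar()."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if LOG4J12_NAME.match(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = inspect_jar(full)
    return findings

def build_sample_install():
    """Constructed tree reusing the two paths from the scan report; jar contents are
    made up for the demo (one carries the flagged entries, one does not)."""
    root = tempfile.mkdtemp()
    samples = {
        "APMSqlServer/repo/log4j-1.2.17-1.jar": FLAGGED_CLASSES,
        "product/enterprisemanager/configuration/org.eclipse.osgi/bundles/213/1/"
        ".cp/WebContent/WEB-INF/lib/log4j-1.2.9.jar": (),
    }
    for rel, classes in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            for entry in classes:
                jar.writestr(entry, b"")  # empty placeholder, not real bytecode
    return root

if __name__ == "__main__":
    for rel, (ver, flagged) in sorted(scan_install(build_sample_install()).items()):
        status = "ships " + ", ".join(flagged) if flagged else "flagged entries absent"
        print(f"{rel}: log4j {ver}; {status}")
```

On a real server, point scan_install() at the APM install root instead of the constructed tree and compare the output with the advisory statements for each jar.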