The customer reported that log4j 1.x is being called from within smsecurityprovider.jar, which is flagged as a vulnerability of the application from the SiteMinder agent perspective.
When the WebLogic server starts up, it loads smsecurityprovider.jar because the server is configured with the agent, and smsecurityprovider.jar contains log4j classes that work only with the log4j 1.x jar.
The customer would like to understand where the log4j class is mapped within the ASA agent.
The customer would also like to confirm whether smsecurityprovider.jar is compiled as part of the build, or whether it can be modified to suit each customer's needs.
Can smsecurityprovider.jar be compiled according to an organization's needs, or must it be used as provided with the product?
If it is part of the OOTB (out-of-the-box) build, the customer is expecting a new smsecurityprovider.jar file.
ASA Agent 12.0-sp02-cr01
ASA 12.7 and 12.8
- Kindly note that the log4j vulnerability is NOT applicable to the ASA Agent 12.0-sp02-cr01 release.
- We have also clearly stated in the documentation that ONLY the 12.7 and 12.8 ASA agents are impacted by the log4j vulnerability, NOT the 12.0-sp02-cr01 release.
Document reference:
https://knowledge.broadcom.com/external/article?articleId=230270
Kindly note that the ASA Agent 12.0-sp02-cr01 release is an old release that uses log4j 1.x.
We highly recommend upgrading to the ASA Agent 12.8 release, because ASA Agent 12.8 ships with log4j 2.x.
smsecurityprovider.jar comes with the build and cannot be modified to suit each customer's needs.
Also, kindly understand that using log4j 2.x in the 12.0-sp02-cr01 release will not be accepted by the SE Engineering team.
There will be no fix for the 12.0-sp02-cr01 release (a new smsecurityprovider.jar with log4j 2.x for ASA 12.0-sp02-cr01), since the latest 12.8 ASA agents, which come with log4j 2.x, are available.
It is not possible to provide a NIN for R12, because changing the log4j version is almost equivalent to bringing the 12.8 code into R12.
Kindly note that out of the box (OOTB) it is NOT possible to extract smsecurityprovider.jar from the installer. You get the smsecurityprovider.jar file once you complete the product installation.
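Because the jar is only available after installation, the question of where the log4j classes actually live in the agent can be answered by inventorying the installed jar. The following is an added example, not code from this article or from the product: it classifies a jar's bundled log4j classes by package path (1.x under org/apache/log4j/, 2.x under org/apache/logging/log4j/) and reads any Maven version properties it carries; the sample jar contents are constructed.

```python
"""Inventory a jar for bundled log4j classes (log4j 1.x lives under org/apache/log4j/,
log4j 2.x under org/apache/logging/log4j/). A jar is a zip, so zipfile suffices."""
import io
import zipfile

LOG4J1_PREFIX = "org/apache/log4j/"          # log4j 1.x package path
LOG4J2_PREFIX = "org/apache/logging/log4j/"  # log4j 2.x package path


def classify_log4j(jar_bytes):
    """Return which log4j generations the jar bundles and any Maven versions found."""
    result = {"log4j1": False, "log4j2": False, "versions": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                if name.startswith(LOG4J1_PREFIX):
                    result["log4j1"] = True
                elif name.startswith(LOG4J2_PREFIX):
                    result["log4j2"] = True
            # Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties
            # with a "version=" line; record it when the artifact is a log4j one.
            elif name.startswith("META-INF/maven/") and "log4j" in name \
                    and name.endswith("pom.properties"):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        result["versions"].append(line.split("=", 1)[1].strip())
    return result


def scan_jar_file(path):
    """Classify a jar on disk, e.g. the agent's smsecurityprovider.jar after install."""
    with open(path, "rb") as f:
        return classify_log4j(f.read())


def build_sample_jar(entries):
    """Build a constructed in-memory jar (not a product artifact) for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a jar bundling log4j 1.x classes, with placeholder class bytes.
SAMPLE_LOG4J1_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    "META-INF/maven/log4j/log4j/pom.properties": "version=1.2.17\n",
})
```

If the jar merely references log4j classes rather than bundling them, as the description above suggests, the classes come from another jar on the server classpath, so run scan_jar_file over every jar in the agent and WebLogic library directories to find which one supplies them.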