The Log4j1.x is being called within the smsecurityprovider.jar and which is flagged as a vulnerability in the application from the SiteMinder Agent perspective.

When the WebLogic Server starts, it loads the smsecurityprovider.jar as the server is configured with Agent and the smsecurityproviders.jar has the log4j classes which work only with log4j1. X jar.

- Where the "log4j" class has been mapped within the ASAgent?
- Is the smsecuritypriovider.jar compiled as a part of the build?
- Or does this can be modified based on the needs?
- Does smsecurityprovider.jar can be compiled as per organization need?
- Or it should be used as provided within the product?
- While being part of the Out of the box build, is expected a new smsecurityprovider.jar JAR file?

Component and Version: 12.0-sp02-cr01
Product: ASA Agent

The log4j vulnerability is NOT applicable to the release ASA Agent 12.0-sp02-cr01.

The documentation mentions that ONLY 12.7 and 12.8 ASA Agents are impacted to the Log4j vulnerability, but NOT the 12.0-sp02-cr01 release (1).

The ASA Agent 12.0-sp02-cr01 release is an old release which uses log4j 1.x release.

It is highly recommended to upgrade or use the ASA Agent 12.8 release. The ASA Agent 12.8 will have a log4j 2.x release.

The smsecuritypriovider.jar comes with the build, and this cannot be modified based on each specific need.

Also, understand that using log4j 2.x in 12.0-sp02-cr01 release goes out of support.

There's no fix for 12.0-sp02-cr01 (like a new smsecurityprovider.jar with log4j 2.x for ASA 12.0-sp02-cr01 version) release since the late 12.8 ASA Agent (which comes with the log4j 2.x release) is available.

It is also NOT possible to extract the smsecurityproviders.jar file from the installer.

The smsecurityproviders.jar file is provided once the product installation is completed.

1. CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability
   
   https://knowledge.broadcom.com/external/article?articleId=230270