During a recent scan we identified the following concern within the latest CABI environment:
nimsoft\probes\service\wasp\webapps\cabi\web-inf\lib\jrs-rest-java-client-6.1.5-jar-with-dependencies.jar installed version : 1.2.17
Inside jrs-rest-java-client-6.1.5-jar-with-dependencies.jar there is a log4j module with version : 1.2.17
Remediation - Upgrade to a version of Apache Log4j that is currently supported. Upgrading to the latest versions for Apache Log4j is highly recommended, as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.
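To confirm the scanner's finding independently, and to re-check after an upgrade, the bundled Log4j version can be read from the jar itself. The following is an added example, not part of the original article or of any vendor tooling; it assumes the fat jar kept the Maven `pom.properties` metadata of its dependencies, and the function names are hypothetical.

```python
import io
import re
import zipfile

# Maven metadata carried by log4j jars and normally copied into a fat jar.
POM_PROPS = re.compile(
    r"^META-INF/maven/(log4j|org\.apache\.logging\.log4j)/([^/]+)/pom\.properties$")
LOG4J1_CLASS = "org/apache/log4j/Logger.class"  # present in any log4j 1.x copy


def find_bundled_log4j(jar, where="<top level>"):
    """Return (location, groupId, artifactId, version) for each log4j copy
    found in `jar` (a path or file object), descending into nested archives."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        for name in names:
            match = POM_PROPS.match(name)
            if match:
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines()
                             if "=" in l and not l.startswith("#"))
                findings.append((where, match.group(1), match.group(2),
                                 props.get("version", "unknown").strip()))
            elif name.lower().endswith((".jar", ".war")):
                try:
                    findings += find_bundled_log4j(io.BytesIO(zf.read(name)), name)
                except zipfile.BadZipFile:
                    pass  # entry is not a readable archive
        # Classes shipped without Maven metadata: report, version unknown.
        if LOG4J1_CLASS in names and not any(f[0] == where for f in findings):
            findings.append((where, "?", "log4j 1.x classes", "unknown"))
    return findings


def build_sample_jar(with_metadata=True):
    """Constructed stand-in for a fat jar that bundles log4j 1.2.17."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_metadata:
            zf.writestr("META-INF/maven/log4j/log4j/pom.properties",
                        "#Generated by Maven\nversion=1.2.17\n"
                        "groupId=log4j\nartifactId=log4j\n")
        zf.writestr(LOG4J1_CLASS, b"")
    return buf


if __name__ == "__main__":
    for finding in find_bundled_log4j(build_sample_jar()):
        print(finding)
```

Against a real installation, pass the path of the jar (or of a WAR containing it) to `find_bundled_log4j` instead of the constructed sample.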
Release : 20.4
Component : UIM - CABI
CU3 is expected to be GA by the end of June.