search cancel

If TDM is not vulnerable to Log4j Vulnerability CVE-2021-44228 why does TDM Portal still get flagged by our Security scans

book

Article ID: 242277

calendar_today

Updated On:

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

Our IT Security flagged the log4j vulnerability on our TDM Portal servers.  The below list of potential vulnerabilities, that our security team has identified, are all related to the TDM microservices deployed by TDM Portal. Does Broadcom have a vulnerability patch that remediates the log4j to a safe version?

JAR files flagged by our security team:

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMDataFlowService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMConnectionProfileService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMDataReservationService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMEventService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMFindReserveService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMGeneratorService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMJobService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMLegacyExecuterService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMMaskingService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMModelService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMOrchestrationService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMProjectService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMPublisherService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMvDataService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMvDataService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TestDataManager\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMMaskingService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

  • C:\Program Files\CA\CA Test Data Manager Portal\tomcat\webapps\TDMModelService\WEB-INF\lib

01/25/2022  10:44 AM           264,060 log4j-api-2.11.1.jar

01/25/2022  10:44 AM            17,524 log4j-to-slf4j-2.11.1.jar

 

 

Environment

Release : 4.9

Component : TDM Web Foundation

Resolution

 TDM is not a risk, because we do not ship the Log4j-core, which is needed for this vulnerability. 

While the log4j-api is part of the vulnerability, it is only included in spring so log4j-api call's can be adapted to slf4j (another logging framework) calls. The default logger would need to be changed to log4j and the final deployment would need to include log4j-core.jar as well. Again, not an issue. 

However, if this answer does not satisfy your security requirements, upgrading to TDM 4.10 will upgrade the version of both log4j-api and log4j-to-slf4j jar files:

  • log4j-api-2.17.1.jar
  • log4j-to-slf4j-2.14.1.jar

 

Relevant links:

More can be found here: https://logging.apache.org/log4j/2.x/security.html. Quoted from the page directly: "Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability."

Additional Information

Broadcom Advisory for the Log4j vulnerabilities listings at  https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisory/Broadcom-Enterprise-Software-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/19792.

CVE-2021-44228: Log4j Vulnerability Remediation in Test Data Manager 4.9.1 https://knowledge.broadcom.com/external/article?articleId=230297

You can download the latest TDM Portal release from https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/Test-Data-Manager-TDM-Patches/16649.