Our IT Security flagged the log4j vulnerability on our TDM Portal servers. The potential vulnerabilities listed below, which our security team has identified, are all related to the TDM microservices deployed by TDM Portal. Does Broadcom have a vulnerability patch that remediates log4j to a safe version?
JAR files flagged by our security team:
01/25/2022 10:44 AM 264,060 log4j-api-2.11.1.jar
01/25/2022 10:44 AM 17,524 log4j-to-slf4j-2.11.1.jar
Release : 4.9
Component : TDM Web Foundation
TDM is not at risk, because TDM does not ship log4j-core, which is the artifact the vulnerability (CVE-2021-44228) lives in.
log4j-api on its own is not affected. It is present only because Spring bundles it together with log4j-to-slf4j, a bridge that translates Log4j API calls into SLF4J calls (the logging framework that is actually in use). For the vulnerable code to be reachable, the default logger would have to be switched to Log4j and log4j-core.jar added to the deployment; neither is done. Again, not an issue.
However, if this answer does not satisfy your security requirements, upgrading to TDM 4.10 will upgrade the versions of both the log4j-api and log4j-to-slf4j jar files.
Relevant links:
More can be found here: https://logging.apache.org/log4j/2.x/security.html. Quoted from the page directly: "Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability."
Broadcom Advisory for the Log4j vulnerabilities listings at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisory/Broadcom-Enterprise-Software-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/19792.
CVE-2021-44228: Log4j Vulnerability Remediation in Test Data Manager 4.9.1 https://knowledge.broadcom.com/external/article?articleId=230297
You can download the latest TDM Portal release from https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/Test-Data-Manager-TDM-Patches/16649.
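The resolution above turns on one question: is log4j-core actually on the classpath, or only log4j-api and the log4j-to-slf4j bridge? A directory listing like the one the security team produced answers that only for jars whose file names are intact, and misses log4j-core nested inside a war/ear or shaded into a differently named bundle. The scanner below is an added example, not Broadcom's or TDM's code: it walks an install tree, opens every archive (recursing into nested ones), classifies each Log4j-bearing archive as log4j-core or api/bridge-only, reads the core version from the file name or, for shaded jars, from the Maven pom.properties, and reports whether the JndiLookup class is present. The sample tree it scans is constructed in a temporary directory, the service names svc-a/svc-b/svc-c are invented, and the 2.17.1 threshold is an assumption chosen to cover the follow-up Log4j CVEs rather than only CVE-2021-44228.

```python
"""Added example: tell log4j-core (the artifact behind CVE-2021-44228) apart from
log4j-api / log4j-to-slf4j under an install tree, including jars nested in war/ear files."""
import io
import pathlib
import re
import tempfile
import zipfile

LOG4J_PKG = "org/apache/logging/"                    # api, core and the slf4j bridge all live here
CORE_PKG = "org/apache/logging/log4j/core/"          # present only in log4j-core
JNDI_LOOKUP = CORE_PKG + "lookup/JndiLookup.class"   # the lookup class behind CVE-2021-44228
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 17, 1)  # assumption: 2.15.0 fixed CVE-2021-44228; 2.17.1 also closes the follow-up CVEs

def _open(source):
    """ZipFile for a path or BytesIO, or None if the content is not a zip."""
    try:
        return zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return None

def core_version(zf, location):
    """Version from the jar name, else from Maven pom.properties (catches shaded jars)."""
    m = VERSION_RE.search(location)
    if m:
        return m.group(1)
    if CORE_POM in zf.namelist():
        props = dict(l.split("=", 1) for l in zf.read(CORE_POM).decode().splitlines() if "=" in l)
        return props.get("version", "unknown").strip()
    return "unknown"

def inspect(zf, location, findings):
    """Record what this archive carries, then recurse into archives nested inside it."""
    names = zf.namelist()
    if any(n.startswith(LOG4J_PKG) for n in names):
        has_core = any(n.startswith(CORE_PKG) for n in names)
        findings.append({
            "location": location,
            "kind": "log4j-core" if has_core else "no-core",   # api/bridge only
            "version": core_version(zf, location) if has_core else None,
            "jndi_lookup_present": JNDI_LOOKUP in names,
        })
    for n in names:
        if n.lower().endswith(ARCHIVES) and (inner := _open(io.BytesIO(zf.read(n)))):
            with inner:
                inspect(inner, location + "!" + n, findings)

def scan(root):
    """Return one finding per Log4j-bearing archive under root, sorted by location."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES and (zf := _open(path)):
            with zf:
                inspect(zf, path.relative_to(root).as_posix(), findings)
    return sorted(findings, key=lambda f: f["location"])

def needs_attention(findings):
    """Locations of log4j-core below FIXED, or whose version could not be determined."""
    def parse(v):
        return tuple(int(p) for p in v.split(".")) if re.fullmatch(r"\d+(\.\d+)*", v) else ()
    return [f["location"] for f in findings
            if f["kind"] == "log4j-core" and parse(f["version"]) < FIXED]

def _jar(entries):
    """In-memory zip from (name, bytes) pairs; constructed fixture helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixture shaped like three microservice directories; not real TDM files."""
    files = {
        "svc-a/lib/log4j-api-2.11.1.jar": _jar([("org/apache/logging/log4j/LogManager.class", b"")]),
        "svc-a/lib/log4j-to-slf4j-2.11.1.jar": _jar([("org/apache/logging/slf4j/Log4jLogger.class", b"")]),
        # a war with the vulnerable artifact nested under WEB-INF/lib
        "svc-b/app.war": _jar([("WEB-INF/web.xml", b"<web-app/>"),
                               ("WEB-INF/lib/log4j-core-2.11.1.jar",
                                _jar([(CORE_PKG + "Logger.class", b""), (JNDI_LOOKUP, b"")]))]),
        # a shaded jar with no version in its name; only pom.properties reveals it
        "svc-c/lib/logging-bundle.jar": _jar([(CORE_PKG + "Logger.class", b""), (JNDI_LOOKUP, b""),
                                               (CORE_POM, b"artifactId=log4j-core\nversion=2.17.1\n")]),
    }
    for rel, data in files.items():
        path = pathlib.Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    """Build the fixture in a temp dir, scan it and return (findings, flagged_locations)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan(root)
    return findings, needs_attention(findings)
```

Run against a real installation by calling scan() on the TDM Portal install root instead of the fixture. In the constructed tree the two svc-a jars come back as "no-core", which is the situation the resolution describes, while the log4j-core nested inside svc-b's war is the only entry needs_attention() flags; the svc-c bundle shows why the pom.properties fallback matters, since nothing in its file name reveals the Log4j version. Presence of JndiLookup.class is reported separately because it is what the widely used class-removal mitigation deletes, and because its absence alone says nothing about the version actually in use.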