Symantec IGA 14.4 is shipped with log4j 1.x libraries.
The following vulnerabilities reported on Apache log4j 1.x:
CVE-2021-44832, CVE-2022-23307, CVE-2019-17571, CVE-2021-4104, CVE-2020-9488, and CVE-2023-26464
Apart from that Apache Log4j 1.x libraries already reached end of life.
Is IGA affected by these vulnerabilities?
When the libraries shipped with IGA will be upgraded?
Release : 14.4
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
IGA core application or it's dependent tools are not impacted by the vulnerabilities that exist in Apache log4j-1.x version.
It is due to the fact that IGA doesn't use any of the vulnerable classes/tools of log4j-1.x library.
1. CVE-2021-44832: IGA doesn't use JDBCAppender packaged in log4j, hence there's no possibility of SQL Injection through Remote Code Execution (RCE).
2. CVE-2022-23307: IGA doesn't use Apache Chainsaw tool packaged in log4j, hence there's no possibility of malicious code execution.
3. CVE-2019-17571: IGA doesn't open up SocketServer to listen to external sources, hence there's no possibility of Remote Code (RCE).
4. CVE-2021-4104: IGA doesn't use JMSAppender, hence there's no possibility of untrusted data de-serialization issue.
5. CVE-2020-9488: IGA doesn't use SMTP Appender
6. CVE-2023-26464: IGA doesn't use SocketAppender
IGA core applications had already upgraded to leverage log4j-2.x latest version as part of IGA's v14.4.1.
IGA will remove log4j-1.x library references/dependency in the standalone tools or in the third party dependencies in it's upcoming release v14.4.3.