Need to plan to avoid Apache log4j vulnerability in our infrastructure for UIM
log4j-1.2.14.jar
log4j-1.2.17.jar
log4j-core-2.5.jar
log4j-core-2.2.jar
log4j-core-2.7.jar
log4j-1.2.16.jar
log4j-1.2.12.jar
log4j-1.2.16.jar
log4j-1.2.12.jar
log4j-core-2.12.1.jar
log4j-core-2.11.2.jar
log4j-core-2.12.1.jar
log4j-1.2.14.jar
log4j-1.2.17.jar
log4j-core-2.2.jar
log4j-core-2.5.jar
log4j-core-2.7.jar
- Apache log4j security vulnerabilities reported
For remediating Apache log4j 1.2.x, 2.12.x and 2.2x, you need to download the cumulative patches from the hotfix index below:
Upgrading to UIM v20.4 CU4 should automatically remediate ALL Apache log4j vulnerabilities in the UIM server and OC, i.e., Apache log4j 1.2.x, 2.12.x and 2.2x. In CU4, the listed remediated modules should automatically clear the old related files.
One item, the self-certification webapp (SNMP Device Self-Certification), if you actually have it deployed, has not been remediated just yet; that is on our radar for a future release.
See also:
UIM and log4j2 vulnerabilities - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Background:
20.4 CU5 also includes automatic cleanup of some leftover artifacts/log4j files.
Major release/version upgrades ensure maximum vulnerability remediation, which includes core components as well as third-party software components.
Recommendation: Upgrade UIM v20.3 to 20.4, then apply CU5
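As an added example (not from this article, nor Broadcom or UIM code), a small Python check for verifying after the CU upgrade that no affected log4j jars were left behind: it parses the jar names listed above, treats the whole 1.x line as unfixed, and flags any 2.x jar below an assumed fixed-version threshold (MIN_FIXED_2X, set to 2.17.0 here as an assumption; align it with your CU release notes).

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the jar names listed on this page, duplicates kept as found.
SAMPLE_JARS = [
    "log4j-1.2.14.jar", "log4j-1.2.17.jar", "log4j-core-2.5.jar", "log4j-core-2.2.jar",
    "log4j-core-2.7.jar", "log4j-1.2.16.jar", "log4j-1.2.12.jar", "log4j-1.2.16.jar",
    "log4j-1.2.12.jar", "log4j-core-2.12.1.jar", "log4j-core-2.11.2.jar", "log4j-core-2.12.1.jar",
    "log4j-1.2.14.jar", "log4j-1.2.17.jar", "log4j-core-2.2.jar", "log4j-core-2.5.jar",
    "log4j-core-2.7.jar",
]

# Assumption: lowest log4j 2.x release this check accepts as fixed for the three CVEs named
# in this article; adjust to the threshold your UIM CU release notes specify.
MIN_FIXED_2X: Tuple[int, int, int] = (2, 17, 0)

# Matches "log4j-1.2.17.jar" and "log4j-core-2.12.1.jar"; a missing patch part (2.5) reads as 0.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.IGNORECASE)


def parse_version(filename: str) -> Optional[Tuple[int, int, int]]:
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(filename: str) -> str:
    """'log4j1': 1.x line (end of life, no fixed 1.x release exists);
    'vulnerable-2x': 2.x below MIN_FIXED_2X; 'ok': at/above it; 'other': not a log4j jar."""
    v = parse_version(filename)
    if v is None:
        return "other"
    if v[0] == 1:
        return "log4j1"
    return "ok" if v >= MIN_FIXED_2X else "vulnerable-2x"


def summarize(filenames: List[str]) -> Dict[str, List[str]]:
    """Group distinct jar names by classification so leftovers after a CU upgrade stand out."""
    groups: Dict[str, List[str]] = {}
    for name in sorted(set(filenames)):
        groups.setdefault(classify(name), []).append(name)
    return groups


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a UIM install directory and summarize every log4j jar found under it."""
    found = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if JAR_RE.match(f)]
    return summarize(found)


if __name__ == "__main__":
    for category, names in summarize(SAMPLE_JARS).items():
        print(category, names)
```

Run scan_tree against the UIM server and OC install roots; an empty "log4j1" and "vulnerable-2x" result is the expected state after CU4/CU5.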
IMPORTANT!
Please sign up for notifications including Security vulnerabilities at the link below:
Sign up for Proactive Notifications to receive emails regarding important notifications, updates and release information regarding your Broadcom Software.