Vulnerability Apache log4j remediation and upgrade plans

Article ID: 253432

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
  • Unified Infrastructure Management for Mainframe

Issue/Introduction

We need a plan to remediate the Apache log4j vulnerabilities in our UIM infrastructure.

Environment

  • Release: UIM 20.3, 20.4
  • Apache log4j jar files reported as vulnerable:

    • log4j-1.2.14.jar
    • log4j-1.2.17.jar
    • log4j-core-2.5.jar
    • log4j-core-2.2.jar
    • log4j-core-2.7.jar
    • log4j-1.2.16.jar
    • log4j-1.2.12.jar
    • log4j-1.2.16.jar
    • log4j-1.2.12.jar
    • log4j-core-2.12.1.jar
    • log4j-core-2.11.2.jar
    • log4j-core-2.12.1.jar
    • log4j-1.2.14.jar
    • log4j-1.2.17.jar
    • log4j-core-2.2.jar
    • log4j-core-2.5.jar
    • log4j-core-2.7.jar

Cause

- Apache log4j security vulnerabilities reported

Resolution

To remediate Apache log4j 1.2.x and 2.12.x, 2.2x, download the cumulative patches from the hotfix index below:

https://support.broadcom.com/external/content/release-announcements/CA-Unified-Infrastructure-Management-Hotfix-Index/7233

Upgrading to UIM v20.4 CU4 should automatically remediate ALL Apache log4j vulnerabilities in the UIM server and OC, i.e., Apache log4j 1.2.x and 2.12.x, 2.2x. In CU4, the listed remediated modules should automatically clear the old related files.

One item, the self-certification webapp (SNMP Device Self-Certification), has not been remediated yet; this only matters if you actually have it deployed. It is on our radar for a future release.
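Because the cumulative update is expected to remove the old jar files automatically, the practical follow-up is to confirm that no listed jar survived the upgrade. The script below is an added example, not part of this article or of the UIM product: it walks an install directory, matches file names against the jar list from the Environment section above, and reports anything still present. The version rule for unlisted log4j-core 2.x jars (treated as fixed from 2.17.0, or from the Java 7/6 backports 2.12.3 and 2.3.1, for the three CVEs this article references) is my generalization, and the directory layout in the demo tree is constructed for illustration, not UIM's real layout.

```python
"""Inventory log4j jars under an install tree and flag the ones this KB lists."""
import os
import re
import tempfile
from typing import List, Tuple

# Jar names copied from the Environment section of this article (deduplicated).
KB_LISTED_JARS = {
    "log4j-1.2.12.jar", "log4j-1.2.14.jar", "log4j-1.2.16.jar", "log4j-1.2.17.jar",
    "log4j-core-2.2.jar", "log4j-core-2.5.jar", "log4j-core-2.7.jar",
    "log4j-core-2.11.2.jar", "log4j-core-2.12.1.jar",
}

# Assumption (not from the article): log4j-core 2.x is treated as fixed for
# CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105 from 2.17.0, or from the
# Java 7 / Java 6 backport releases 2.12.3 and 2.3.1.
FIXED_2X = (2, 17, 0)
BACKPORT_FIXED = {(2, 12, 3), (2, 3, 1)}

# Matches log4j-<ver>.jar (1.x) and log4j-core-<ver>.jar (2.x); log4j-api is
# deliberately not matched because the vulnerable code lives in log4j-core.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.12' -> (2, 12, 0); always three components so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def classify(filename: str) -> str:
    """Return 'listed', 'vulnerable', 'ok' or 'not-log4j' for one file name."""
    m = JAR_RE.match(filename)
    if not m:
        return "not-log4j"
    if filename in KB_LISTED_JARS:
        return "listed"          # exact name from this article's list
    ver = parse_version(m.group(1))
    if ver[0] == 1:
        return "vulnerable"      # log4j 1.x: end-of-life, article expects it removed
    if ver in BACKPORT_FIXED or ver >= FIXED_2X:
        return "ok"
    return "vulnerable"          # unlisted 2.x below the fixed version


def scan(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, classification) for every jar still needing action."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify(name)
            if verdict in ("listed", "vulnerable"):
                findings.append((os.path.join(dirpath, name), verdict))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample tree (empty files); the paths are illustrative only."""
    root = tempfile.mkdtemp(prefix="uim-demo-")
    for rel in (
        "probes/service/hub/lib/log4j-1.2.17.jar",   # listed in the article
        "probes/gateway/lib/log4j-core-2.12.1.jar",  # listed in the article
        "lib/log4j-core-2.16.0.jar",                 # unlisted but below 2.17.0
        "lib/log4j-core-2.17.1.jar",                 # fixed
        "lib/log4j-api-2.17.1.jar",                  # not the vulnerable artifact
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    # Point scan() at the real install root (e.g. the Nimsoft directory) instead.
    for path, verdict in scan(build_demo_tree()):
        print(f"{verdict:<10} {path}")
```

Run it against the UIM install root after applying CU4/CU5; an empty report means the automatic cleanup did what the article says it should. Anything reported as `listed` is a jar from the table above that was not removed and needs the cumulative patch or a manual follow-up.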

See also:
UIM and log4j2 vulnerabilities - CVE-2021-44228, CVE 2021-45046, CVE-2021-45105

Background:

  • In UIM, there was vulnerability remediation for specific probes in 20.3, then also further remediation for UIM core components in v20.4.
  • UIM 20.4 is the preferred version, as the core components were also upgraded to the latest log4j version.

Upgrade to 20.4 (advantages)

- enhanced security
- improved performance


20.4 CU5 also includes automatic cleanup of some leftover artifacts and log4j files.

Major release/version upgrades ensure maximum vulnerability remediation, which includes core components as well as third-party software components.

Recommendation: Upgrade UIM v20.3 to 20.4, then apply CU5

Additional Information

UIM and log4j2 vulnerabilities - CVE-2021-44228, CVE 2021-45046, CVE-2021-45105

IMPORTANT!

Please sign up for notifications, including security vulnerability notices, at the link below:

Sign up for Proactive Notifications to receive emails regarding important notifications, updates and release information regarding your Broadcom Software.