
Vulnerability Apache log4j remediation and upgrade plans


Article ID: 253432

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
  • Unified Infrastructure Management for Mainframe

Issue/Introduction

With reference to Case 33257008: since this is a high-severity security issue that needs to be fixed as a priority, we need to have a session to plan how to address the Apache vulnerability in our infrastructure.

Environment

  • Release: UIM 20.3, 20.4
  • Apache log4j vulnerabilities (affected jar files found in the installation):
    • log4j-1.2.12.jar
    • log4j-1.2.14.jar
    • log4j-1.2.16.jar
    • log4j-1.2.17.jar
    • log4j-core-2.2.jar
    • log4j-core-2.5.jar
    • log4j-core-2.7.jar
    • log4j-core-2.11.2.jar
    • log4j-core-2.12.1.jar

Cause

- Apache log4j security vulnerabilities reported

Resolution

To remediate Apache log4j 1.2.x, 2.12.x and 2.2x, download the cumulative patches from the hotfix index below:

https://support.broadcom.com/external/content/release-announcements/CA-Unified-Infrastructure-Management-Hotfix-Index/7233

Upgrading to UIM v20.4 CU4 should automatically remediate ALL Apache log4j vulnerabilities in UIM server and OC, e.g., Apache log4j 1.2.x and 2.12.x, 2.2x. In CU4, the listed remediated modules should auto-clear old related files.

One item, the self-certification webapp (SNMP Device Self-Certification), if you actually have it deployed, has not been remediated just yet; that is on our radar for a future release.
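To verify, after applying the cumulative patch or CU, that no listed log4j jar is left behind (including inside deployed webapp archives such as the self-certification webapp), the following added script can be run against the UIM install directory. It is an example written for this article, not Broadcom's own tooling; the affected jar names are taken from the Environment list above, and the install path is passed on the command line.

```python
import re
import sys
import zipfile
from pathlib import Path

# Jar names listed as affected in this article (UIM 20.3 / 20.4), deduplicated.
AFFECTED_JARS = {
    "log4j-1.2.12.jar", "log4j-1.2.14.jar", "log4j-1.2.16.jar", "log4j-1.2.17.jar",
    "log4j-core-2.2.jar", "log4j-core-2.5.jar", "log4j-core-2.7.jar",
    "log4j-core-2.11.2.jar", "log4j-core-2.12.1.jar",
}
# Any other log4j artifact (log4j-core, log4j-api, log4j 1.x, ...) is reported for manual review.
LOG4J_RE = re.compile(r"^log4j(?:-[a-z0-9]+)*-\d+(?:\.\d+)*\.jar$")
# Webapp archives that bundle jars under WEB-INF/lib (constructed list of suffixes to inspect).
ARCHIVE_SUFFIXES = {".war", ".ear", ".zip"}


def classify(jar_name: str) -> str:
    """Return 'affected', 'other-log4j' or 'ignore' for a single file name."""
    name = jar_name.lower()
    if name in AFFECTED_JARS:
        return "affected"
    if LOG4J_RE.match(name):
        return "other-log4j"  # e.g. a patched log4j-core: confirm its version is the fixed one
    return "ignore"


def scan_install(root) -> dict:
    """Walk an install tree; report log4j jars on disk and inside webapp archives."""
    findings = {"affected": [], "other-log4j": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        verdict = classify(path.name)
        if verdict != "ignore":
            findings[verdict].append(str(path))
        if path.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    inner = classify(member.rsplit("/", 1)[-1])  # "" for directory entries
                    if inner != "ignore":
                        findings[inner].append(f"{path}!{member}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan_log4j.py <UIM install directory>")
    for verdict, hits in scan_install(sys.argv[1]).items():
        for hit in hits:
            print(f"{verdict}: {hit}")
```

An empty "affected" list is the expected result after the CU has run its cleanup; anything under "other-log4j" should be checked against the version the hotfix index says it should be.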

See also:
UIM and log4j2 vulnerabilities - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
https://knowledge.broadcom.com/external/article?articleId=230333

Background:

  • In UIM, there was vulnerability remediation for specific probes in 20.3, then also further remediation for UIM core components in v20.4.
  • UIM 20.4 is the preferred version, as the core components were also upgraded to the latest log4j version.

Upgrade to 20.4 (advantages):

- enhanced security
- improved performance


20.4 CU5 also includes automatic cleanup of some leftover artifacts/log4j files.

Major release/version upgrades ensure maximum vulnerability remediation, which includes core components as well as third-party software components.

Recommendation: Upgrade UIM v20.3 to 20.4, then apply CU5

Additional Information

UIM and log4j2 vulnerabilities - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
https://knowledge.broadcom.com/external/article?articleId=230333

IMPORTANT!

Please sign up for notifications including Security vulnerabilities at the link below:

Sign up for Proactive Notifications to receive emails regarding important notifications, updates and release information regarding your Broadcom Software.