Risk Authentication patch for log4shell vulnerability

Article ID: 257113

Products

CA Risk Authentication, CA Advanced Authentication, CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)

Issue/Introduction

We are upgrading from Risk Authentication 9.1 SP2 to SP3.

As part of the previous release, we got the Log4Shell (CVE-2021-44228) patch to resolve the issue.

Do we need to apply the same patch, or can we get a new patch for the Log4Shell issue on version SP3?

Environment

Release : 9.1 SP3

Resolution

Based on the NVD recommendation, this issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 version 2.17.1.

Log4j 2.17.1 libraries are already packaged in 9.1 SP3. 

For more information, refer to the section '9.1 SP3 Components' in the product documentation: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/third-party-software-acknowledgments.html
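
One way to confirm after the upgrade that no older log4j-core copy remains on the host (an added example, not Broadcom tooling): the script walks JAR/WAR/EAR files, including archives nested inside them, and reads the version from log4j-core's Maven `pom.properties`. The installation directory is passed as an argument because the article does not name it, and the function names are this example's own.

```python
import io, re, sys, zipfile
from pathlib import Path

# Maven metadata that log4j-core jars carry; its "version=" line is the library version.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 1)                 # version the article says is packaged in 9.1 SP3
ARCHIVES = (".jar", ".war", ".ear")

def _version(text):
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, label, found):
    """Append (label, version) for log4j-core in this archive and in nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                      # not a real archive; skip it
    with zf:
        for name in zf.namelist():
            if name == POM:
                text = zf.read(name).decode("utf-8", "replace")
                found.append((label, _version(text)))
            elif name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!{name}", found)

def scan_tree(root):
    """Scan every archive under root (hypothetical install directory)."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            scan_archive(p.read_bytes(), str(p), found)
    return found

def outdated(found):
    """Copies older than FIXED, or whose version could not be read."""
    return [(label, v) for label, v in found if v is None or v < FIXED]

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    stale = outdated(hits)
    for label, v in hits:
        ver = ".".join(map(str, v)) if v else "unknown"
        print("REVIEW" if (label, v) in stale else "OK    ", ver, label)
    sys.exit(1 if stale else 0)
```

Run it with the installation directory as the only argument; exit status 1 means at least one copy is older than 2.17.1 or could not be identified.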