
Critical Log4J detected vulnerabilities within Enterprise Manager


Article ID: 258243


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

We have 21 Enterprise Managers (10.7.0.252) and three remote agent hosts that had Log4J vulnerabilities.

A full description with CVS information is on the Tenable site at https://www.tenable.com/plugins/nessus/156032.

Environment

Release : 10.7.0

Resolution

So let's review what was previously said.

1) The Log4J Advisory summary:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisories/Security-Advisory-CVE-2019-17571-log4j-1.2-vulnerability-and-Broadcom-CA-APM/19839

Broadcom Engineering has determined that core APM 9.7 through APM 10.7.x servers (Collectors/MOMs/TESS/TIM/WebView) and APM 9.7 through APM 10.7/11.x/SaaS/20.x/21.x java based agents (i.e. Weblogic, Websphere, Tomcat, EPAgent, UMA,...) are not affected by the above CVEs because APM is using a forked and customized version of Log4j 1.2 which has been optimized and modified from the original Log4j 1.2 and APM does not enable the SocketServer or JMSAppender classes. This forked and customized version of Log4j 1.2 is maintained by Broadcom and does not rely on external support.

2) This raises the question: is APMIA a Java-based agent? Given that it is a superset of EPA, and from the opening lines in the doc, it clearly is a Java agent.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/dx-apm-agents/SaaS/infrastructure-agent.html
Infrastructure Agent

Infrastructure Agent is a bundle of extensions and monitors that collects and sends data to the Enterprise Manager for processing. This agent contains scripts and wrappers to run a **standalone JVM process**.

3) I found this KB on Data Power and Log4J. https://knowledge.broadcom.com/external/article?articleId=255463

I added 10.8 to the 2x.x mention.

Case #33335110 - Infrastructure Agent - Good to Close

1. The IA agent 10.8 uses a custom Log4J, so any findings against it are false positives. Once we get the DataPower agent moved to IA, we will use the same F/P discussion to do a false-positive request to our vulnerabilities team.
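The advisory summary in item 1 rests on one verifiable condition: the SocketServer and JMSAppender classes are not enabled. When a scanner reports a Log4j 1.2 finding against an APM host, the useful evidence for the false-positive request is whether any log4j 1.x configuration on that host actually references those classes. The following is an added Python check written for this article, not Broadcom tooling; the appender names, the sample configuration and the demo jar contents are constructed for illustration, and the jar check only reports whether the class files are present, which the advisory notes is not the same as enabled.

```python
"""Flag log4j 1.x configuration entries that enable the classes named in the
Broadcom advisory (org.apache.log4j.net.JMSAppender, org.apache.log4j.net.SocketServer).
Added example for this KB article; not Broadcom code."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

# The two classes the advisory says the forked Log4j 1.2 in APM does not enable.
RISKY_CLASSES = {
    "org.apache.log4j.net.JMSAppender",
    "org.apache.log4j.net.SocketServer",
}

# Matches only the appender definition line: log4j.appender.NAME=fully.qualified.Class
# Sub-keys such as log4j.appender.NAME.layout=... have a dot after NAME and do not match.
_PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def risky_appenders_in_properties(text: str) -> Dict[str, str]:
    """Return {appender_name: class} for log4j.properties entries naming a risky class."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = _PROP_RE.match(line)
        if m and m.group(2) in RISKY_CLASSES:
            found[m.group(1)] = m.group(2)
    return found


def risky_appenders_in_xml(text: str) -> Dict[str, str]:
    """Same check for log4j.xml: <appender name="..." class="..."> elements."""
    root = ET.fromstring(text)
    found: Dict[str, str] = {}
    for app in root.iter("appender"):  # <appender-ref> has a different tag and is skipped
        cls = app.get("class", "")
        if cls in RISKY_CLASSES:
            found[app.get("name", "?")] = cls
    return found


def risky_classes_in_jar(jar) -> List[str]:
    """List risky classes whose .class file ships in a jar (path or file-like object).
    Presence is not the same as enabled; the configuration checks above decide that."""
    wanted = {c.replace(".", "/") + ".class": c for c in RISKY_CLASSES}
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    return sorted(c for entry, c in wanted.items() if entry in names)


def build_demo_jar(entries: List[str]) -> io.BytesIO:
    """Constructed in-memory jar holding empty class files, for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


# Constructed sample configurations (not from any real APM host).
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, CONSOLE, JMS
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
# constructed entry that would make a Log4j 1.2 finding a true positive
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender"/>
  <root><level value="info"/><appender-ref ref="CONSOLE"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    print("properties:", risky_appenders_in_properties(SAMPLE_PROPERTIES))
    print("xml:       ", risky_appenders_in_xml(SAMPLE_XML))
    demo = build_demo_jar(["org/apache/log4j/Logger.class",
                           "org/apache/log4j/net/JMSAppender.class"])
    print("jar ships: ", risky_classes_in_jar(demo))
```

Run it against each `log4j.properties` / `log4j.xml` under the Enterprise Manager and agent install directories (paths vary by install, so supply them yourself); an empty result from the configuration checks is the concrete support for the false-positive request, whereas a non-empty result means the finding needs a closer look regardless of which Log4j build is shipped.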