Critical Log4J detected vulnerabilities within Enterprise Manager
Article ID: 258243
Updated On:
Products
Issue/Introduction
We have 21 enterprise managers, (10.7.0.252) and three remote agent hosts that had Log4J vulnerabilities
A full description with CVS information is on the Tenable site at https://www.tenable.com/plugins/nessus/156032
Environment
Release : 10.7.0
Resolution
So let's review what was previously said
1) The Log4J Advisory summary :
Broadcom Engineering has determined that core APM 9.7 thru APM 10.7.x servers (Collectors/MOMs/TESS/TIM/WebView) and APM 9.7 thru APM 10.7/11.x/SaaS/20.x/21.x java based agents (i.e. Weblogic, Websphere, Tomcat, EPAgent, UMA,...) are not affected by the above CVEs because APM is using a forked and customized version of Log4j 1.2 which has been optimized and modified from the original Log4j 1.2 and APM does not enable the SocketServer or JMSAppender classes. This forked and customized version of Log4j 1.2 is maintained by Broadcom and does not rely on external support.
2) This raises the question is APMIA a Java-based agent. Given that it is a superset of EPA AND from the opening lines in the doc, it clearly is a Java Agent.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/dx-apm-agents/SaaS/infrastructure-agent.html
Infrastructure Agent
Infrastructure Agent is a bundle of extensions and monitors that collects and sends data to the Enterprise Manager for processing. This agent contains scripts and wrappers to run a **standalone JVM process**
3) I found this KB on Data Power and Log4J. https://knowledge.broadcom.com/external/article?articleId=255463
I added 10.8 to the 2x.x mention.
Case#33335110 Infrastructure Agent Good to Close
-
- The IA agent 10.8 uses a custom Log4J so any findings against it are false/positives. Once we get the DataPower agent moved to IA, we will use the same F/P discussion to do a false-positive request to our vulnerabilities team.
Feedback
