Scan of Apache log4j 2.7.0.0 files shows vulnerability for webservices_rest and uimapi on OC server
Article ID: 262737

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

We need to delete the files listed below on our OC server due to a detected security vulnerability.

apache log4j 2.7.0.0:

  • c:\program files (x86)\nimsoft\probes\service\wasp\webapps\rest\web-inf\lib\log4j-core-2.7.jar
  • c:\program files (x86)\nimsoft\probes\service\wasp\webapps\uimapi.war
  • c:\program files (x86)\nimsoft\probes\service\wasp\webapps\uimapi\web-inf\lib\log4j-core-2.7.jar
  • c:\program files (x86)\nimsoft\probes\service\wasp\webapps\webservices_rest.war

Please confirm if these can be deleted without having any impact on UIM.

Environment

  • Release: 20.3.3

Resolution

  • The vulnerability in question, CVE-2021-44832, is classified as "Medium" and for UIM is considered LOW risk. As of 20.46, we have updated to log4j 2.17.1 as part of the regularly planned and scheduled probe updates. No hotfixes will be released for this vulnerability per Broadcom policy, but you should update to the latest available probe versions as they are released.

  • The best approach to take at this time would be to upgrade to UIM 20.4 CU5 to take full advantage of all the DX UIM security updates.
  • From 20.3.3, you must first upgrade to 20.4, then to 20.4 CU5.

  • The best option for upgrading is to take advantage of our weekend upgrade program. To register for the next available weekend upgrade, use this URL: https://enterprise-software.broadcom.com/weekend-upgrade-program

  • As per Broadcom Development/Engineering, the log4j-core-2.7.1 jar files should not be deleted, as this will cause logging and other failures. Deleting the files will cause issues in the DX UIM application, and the process is not certified.
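Since the jars must not be deleted, the practical check after a probe update is a read-only inventory: find every log4j-core jar under the wasp webapps directory, including those packaged inside the .war files the scanner flagged, and compare each version to the 2.17.1 the resolution names. The script below is an added example, not part of this article or of DX UIM; the 2.17.1 threshold comes from the article, while the directory layout in `demo()` is a constructed stand-in for a real install.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# The article names log4j 2.17.1 as the version shipped with the updated probes.
FIXED_VERSION = (2, 17, 1)
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def _record(location, version):
    """One finding: where the jar sits and whether it predates the fixed version."""
    parsed = tuple(int(p) for p in version.split("."))
    return {"location": location, "version": version, "needs_update": parsed < FIXED_VERSION}


def inventory_log4j(root):
    """Report every log4j-core jar under root, loose or packaged inside a .war/.ear.
    Read-only: archives are listed, never extracted or modified, because the
    article says removing these jars breaks UIM logging."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        match = JAR_RE.search(path.name)
        if match:
            findings.append(_record(str(path), match.group(1)))
        elif path.suffix.lower() in (".war", ".ear"):
            try:
                with zipfile.ZipFile(path) as archive:
                    for member in archive.namelist():
                        match = JAR_RE.search(member)
                        if match:  # e.g. WEB-INF/lib/log4j-core-2.7.jar
                            findings.append(_record(f"{path}!{member}", match.group(1)))
            except zipfile.BadZipFile:
                pass  # not a real archive, nothing to inspect
    return findings


def demo():
    """Constructed sample tree mirroring the article's layout (not a real install):
    an already-updated loose jar beside a war that still carries 2.7."""
    root = Path(tempfile.mkdtemp())
    lib = root / "webapps" / "rest" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.17.1.jar").write_bytes(b"placeholder")
    with zipfile.ZipFile(root / "webapps" / "uimapi.war", "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-2.7.jar", b"placeholder")
    return inventory_log4j(root)
```

On a real server, point `inventory_log4j()` at the wasp probe directory instead of the sample tree; a jar reported with `needs_update` True inside a .war means the containing webapp has not yet been refreshed by the probe update.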