log4j-1.2.x flagged a critical security alert for DX APM 2x onpremise
Article ID: 263013

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Is there any plan to remove the log4j 1.x library from the APM code?

https://support.broadcom.com/external/content/SecurityAdvisories/Security-Advisory-CVE-2019-17571-log4j-1-2-vulnerability-and-Broadcom-CA-APM/19839


Environment

APM 21.x, 22.x, 23.x releases

Cause

Analysis from Engineering:

"We removed the vulnerable parts of it. We distribute a stripped version that doesn't contain the vulnerable code.

But we understand that when a log4j 1.x library is detected by a customer it raises questions, and we have a plan to remove it completely.

The server-side/backend part is completed and the Agent part is in progress."
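A way to check the "stripped version" statement against a jar you actually have on disk, as an added example (not Broadcom's or Apache's code): list whether the log4j 1.2.x classes behind CVE-2019-17571 (`SocketServer`, and the `SocketNode` class it uses to deserialize incoming events) are still present in the archive. The two sample jars are constructed in memory for illustration; point `find_vulnerable_classes` at a real `log4j-1.2.x.jar` path to inspect a shipped library.

```python
import io
import sys
import zipfile

# log4j 1.2.x classes on the CVE-2019-17571 path: SocketServer listens for
# connections and hands each one to a SocketNode, which calls readObject()
# on the untrusted stream. A stripped build should carry neither.
# (SocketAppender is the client side and is not part of this flaw.)
VULNERABLE_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)


def find_vulnerable_classes(jar):
    """Return the subset of VULNERABLE_CLASSES present in `jar`.

    `jar` may be a filesystem path or a file-like object. An empty list
    means the archive does not contain those classes.
    """
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    return [cls for cls in VULNERABLE_CLASSES if cls in names]


def is_stripped(jar):
    return not find_vulnerable_classes(jar)


def build_sample_jar(entries):
    """Constructed test data: an in-memory jar with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")  # only the entry's presence matters here
    buf.seek(0)
    return buf


# Constructed samples: an unmodified-looking jar and a stripped one.
FULL_JAR = build_sample_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
])
STRIPPED_JAR = build_sample_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketAppender.class",
])

if __name__ == "__main__":
    targets = sys.argv[1:] or [("constructed full", FULL_JAR), ("constructed stripped", STRIPPED_JAR)]
    for item in targets:
        label, jar = item if isinstance(item, tuple) else (item, item)
        found = find_vulnerable_classes(jar)
        print(f"{label}: {'present: ' + ', '.join(found) if found else 'stripped'}")
```

Run it with one or more jar paths as arguments to report on real files; with no arguments it reports on the two constructed samples.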
Resolution

None at the moment.

Removal of the log4j 1.x library should be completed in our next on-premise release, later in 2023 or at the beginning of 2024.