Vulnerability in Log4j 2.25.2 And Older on Siteminder SDK

Article ID: 427357

Products

SITEMINDER

Issue/Introduction

A number of vulnerabilities have been published for Apache Log4j version 2, impacting Log4j2 2.0-beta9 through 2.25.2.

Siteminder bundles Apache Log4J2 in a number of components, including Siteminder SDK.

Log4j by Siteminder version:

r12.8.7:   Log4j 2.17.2
r12.8.8:   Log4j 2.20.0
r12.8.8.1: Log4j 2.20.0
r12.9:     Log4j 2.20.0

Environment

PRODUCT: Siteminder

COMPONENT: SDK

VERSION: 12.8.7; 12.8.8; 12.8.8.1; 12.9

OPERATING SYSTEM: Any

Cause

The following CVE has been published for Log4j, impacting all versions of Log4j 2.25.2 and older.

CVE-2025-68161  "Apache Log4j Core: Missing TLS hostname verification in Socket appender"

IMPACT:  Medium

DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

IMPACTED: Log4J 2.0.1 - 2.25.2

REMEDIATED: Log4j 2.25.3

Resolution

Update Log4J for the Siteminder SDK to Log4J 2.25.3

1) Download Log4J 2.25.3 from this KB

2) Back up the existing Log4j2 files in your environment from the following locations:

<sdk_installation_path>\java\log4j-api-2.xx.x.jar
<sdk_installation_path>\java\log4j-core-2.xx.x.jar
<sdk_installation_path>\java\log4j-slf4j-impl-2.xx.x.jar
OR
<sdk_installation_path>\java\log4j-slf4j2-impl-2.xx.x.jar

3) Delete the existing log4j files from the above-mentioned location.

4) Copy the Log4j 2.25.3 files to the server and place the new jars in the following location:

<sdk_installation_path>\java\log4j-api-2.25.3.jar
<sdk_installation_path>\java\log4j-core-2.25.3.jar
<sdk_installation_path>\java\log4j-slf4j2-impl-2.25.3.jar

5) Update all references to the existing 2.x log4j version with the 2.25.3 version in the class path parameter of all custom applications built using the SDK, and save the changes.

6) Restart the custom applications.
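As an added check that is not part of this KB or of Siteminder itself, the following POSIX shell script lists the Log4j jars in an SDK java directory and reports any whose version is below 2.25.3, so the result of steps 3 and 4 can be verified before restarting the applications. It assumes the jar naming shown above (log4j-<artifact>-<version>.jar); the sample directory it builds is constructed, and in practice the argument is your own <sdk_installation_path>/java.

```shell
#!/bin/sh
# Added check: flag Log4j jars in a Siteminder SDK "java" directory that are below the
# remediated release. Assumes the layout the KB gives: <sdk_installation_path>/java/log4j-<artifact>-<version>.jar
set -u
REMEDIATED="2.25.3"   # first Log4j Core release with the Socket Appender hostname-verification fix

# Version embedded in a log4j jar name (log4j-core-2.20.0.jar -> 2.20.0); returns 1 for other jars.
log4j_jar_version() {
  ver=$(printf '%s\n' "${1##*/}" | sed -n 's/^log4j-.*-\([0-9][0-9.]*[-A-Za-z0-9]*\)\.jar$/\1/p')
  [ -n "$ver" ] || return 1
  printf '%s\n' "$ver"
}
# Numeric component $2 (1-based) of dotted version $1; pre-release suffixes (2.0-beta9) drop, missing parts are 0.
vpart() {
  printf '%s\n' "$1" | awk -F. -v i="$2" '{ v = $i; sub(/[^0-9].*/, "", v); print v + 0 }'
}

# Returns 0 when dotted version $1 >= $2, comparing the first three components.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(vpart "$1" "$i"); y=$(vpart "$2" "$i")
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# One line per log4j jar in directory $1; returns 1 if any jar is below REMEDIATED.
check_sdk_java_dir() {
  rc=0
  for jar in "$1"/log4j-*.jar; do
    [ -e "$jar" ] || continue            # unmatched glob stays literal; skip it
    ver=$(log4j_jar_version "$jar") || continue
    if version_ge "$ver" "$REMEDIATED"; then
      printf 'OK        %s\n' "${jar##*/}"
    else
      printf 'OUTDATED  %s (%s < %s)\n' "${jar##*/}" "$ver" "$REMEDIATED"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample layout (empty files stand in for the jars) so the script runs stand-alone.
demo_dir=$(mktemp -d)
touch "$demo_dir"/log4j-api-2.20.0.jar "$demo_dir"/log4j-core-2.20.0.jar "$demo_dir"/log4j-slf4j2-impl-2.20.0.jar
check_sdk_java_dir "$demo_dir" || echo "Upgrade to Log4j $REMEDIATED required"
rm -rf "$demo_dir"
```

A non-zero exit from check_sdk_java_dir means at least one old jar is still present, which is the case the backups from step 2 must not be mistaken for if they were left in the same directory.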

Additional Information

427360 Vulnerability in Log4j 2.25.2 And Older on Siteminder Application Server Agents (ASA)
427325 Vulnerability in Log4j 2.25.2 And Older on the Siteminder Policy Server
427312 Vulnerability in Log4j 2.25.2 And Older on Siteminder Access Gateway
427357 Vulnerability in Log4j 2.25.2 And Older on Siteminder SDK
427332 Vulnerability in Log4j 2.25.2 And Older on Siteminder AdminUI

Apache.org: CVE-2025-68161

CVE.org: CVE-2025-68161

CVE-2025-68161
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
CVE-2021-4104

Attachments

log4j-2.25.3.zip