Remediation for Apache Log4j Core Vulnerabilities in Identity Manager 14.5.x and 15.0



Article ID: 440463


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

Organizations running Symantec Identity Manager (IM) versions 14.5.x or 15.0 may be flagged for Apache Log4j Core vulnerabilities. Security scans typically recommend upgrading to Log4j version 2.25.4 or higher to mitigate these risks.

Environment

IM 14.5 and 15.0

Cause

Vulnerabilities within older versions of the Apache Log4j Core library (CVE-2021-44228 and others) require the replacement of specific JAR files with secure versions provided by engineering.

Resolution

For Identity Suite 15.0

The remediation is included in Fix Pack 6. It is recommended to upgrade to this version to receive the Log4j 2.25.4 updates automatically.

For Identity Manager 14.5.1 CHF2

A specific hotfix (HF_LOG4J_FIX.zip) is required to update libraries to version 2.25.4. 

Deployment Instructions

  1. Stop the Identity Manager server.
  2. Back up all existing Log4j JAR files before replacement.
  3. Deploy log4j-core-2.25.4.jar and log4j-api-2.25.4.jar to the following locations:
    • ../IAM_Suite/IdentityManager/tools/lib
    • ../IAM_Suite/IdentityManager/tools/samples/Support/IMInfo
    • ../IAM_Suite/IdentityManager/tools/SelectiveExportUtility
    • ../iam_im.ear/library
    • ../PatchDeployerTool/lib
    • ../PatchDeployerTool/patch/iam_im.ear/library
  4. Update References: Modify the following scripts to point to the new JAR versions:
    • ../IAM Suite/Identity Manager/tools/ImportExportUtility/ImportExportUtil.bat (and .sh)
    • ../IAM Suite/Identity Manager/tools/PasswordTool/pwdtools.bat (and .sh)
  5. WildFly Modules:
    • Replace the JAR files in /modules/com/ca/iam/log4j2/core/main/ and /modules/com/ca/iam/log4j2/api/main/.
    • Update the module.xml version references to 2.25.4 in both directories.
  6. Bulk Loader: Rename the new JARs to log4j-api.jar and log4j-core.jar and replace them in ..\CA\Identity Manager\Bulk Loader\lib\.
  7. Start the Identity Manager server. 

Important: Do not leave old copies of the JAR files in the same location with a .jar extension; rename them (e.g., to .jar.bak) or move them out of the directory to avoid class-loading conflicts.
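The steps above are easy to get partly wrong: a stale JAR left beside the new one in a lib directory, a module.xml still naming the old version, or an unversioned Bulk Loader JAR that was renamed but never actually swapped. The script below is an added example and not a Broadcom tool or part of this article. It walks an install root, reads Implementation-Version from each log4j-core / log4j-api manifest (so the unversioned Bulk Loader copies are checked too), flags JARs that are not at 2.25.4, reports directories holding two JARs for the same artifact, and checks each WildFly module.xml resource-root reference. The directory layout it builds is a constructed sample modelled on the paths listed above; the older version 2.17.1 and the module name com.ca.iam.log4j2.core are assumptions, and log4j-mitigated.jar is deliberately ignored as the article excludes it.

```python
"""Audit an Identity Manager install tree for Log4j 2 JAR versions.

Added example, not a Broadcom/Symantec tool. Walks an install root, reads
Implementation-Version from each log4j-core / log4j-api manifest, flags
JARs not at the expected version, old copies left next to new ones, and
WildFly module.xml references that still name the wrong version.
"""
import re
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional

EXPECTED_VERSION = "2.25.4"  # version the article deploys

# Matches log4j-core-2.25.4.jar and the unversioned log4j-core.jar used by
# Bulk Loader; log4j-mitigated.jar (1.2.17, excluded by the article) does not match.
LOG4J_JAR_RE = re.compile(r"^log4j-(core|api)(?:-(\d[\d.]*))?\.jar$", re.IGNORECASE)
MODULE_RES_RE = re.compile(r'<resource-root\s+path="(log4j-(?:core|api)-(\d[\d.]*)\.jar)"')


def jar_version(path: Path) -> Optional[str]:
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def audit_jars(root: Path, expected: str = EXPECTED_VERSION) -> List[Dict]:
    """One record per Log4j 2 JAR; the manifest version beats the filename version."""
    findings = []
    for path in sorted(root.rglob("*.jar")):
        m = LOG4J_JAR_RE.match(path.name)
        if not m:
            continue
        version = jar_version(path) or m.group(2)
        findings.append({"path": path.relative_to(root).as_posix(),
                         "artifact": m.group(1).lower(),
                         "version": version, "ok": version == expected})
    return findings


def duplicate_artifacts(findings: List[Dict]) -> Dict[tuple, List[str]]:
    """Directories holding more than one JAR for the same artifact, i.e. an old
    copy left beside the new one (the class-loading conflict the article warns about)."""
    by_dir: Dict[tuple, List[str]] = {}
    for f in findings:
        key = (str(PurePosixPath(f["path"]).parent), f["artifact"])
        by_dir.setdefault(key, []).append(f["path"])
    return {k: v for k, v in by_dir.items() if len(v) > 1}


def audit_module_xml(root: Path, expected: str = EXPECTED_VERSION) -> List[Dict]:
    """Each module.xml must reference the expected JAR version and that JAR must exist."""
    findings = []
    for xml in sorted(root.rglob("module.xml")):
        text = xml.read_text(encoding="utf-8", errors="replace")
        for m in MODULE_RES_RE.finditer(text):
            findings.append({"module": xml.relative_to(root).as_posix(),
                             "resource": m.group(1), "version": m.group(2),
                             "ok": m.group(2) == expected and (xml.parent / m.group(1)).is_file()})
    return findings


def audit(root: Path, expected: str = EXPECTED_VERSION) -> Dict:
    jars = audit_jars(root, expected)
    dups = duplicate_artifacts(jars)
    modules = audit_module_xml(root, expected)
    clean = all(f["ok"] for f in jars) and not dups and all(f["ok"] for f in modules)
    return {"jars": jars, "duplicates": dups, "modules": modules, "clean": clean}


def make_jar(path: Path, version: str) -> None:
    """Write a manifest-only JAR (constructed stand-in for a real Log4j build)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n")


def build_sample_tree(base: Path) -> Path:
    """Constructed, partly remediated layout modelled on the article's paths."""
    lib = base / "iam_im.ear" / "library"
    make_jar(lib / "log4j-core-2.25.4.jar", "2.25.4")
    make_jar(lib / "log4j-api-2.25.4.jar", "2.25.4")
    make_jar(lib / "log4j-core-2.17.1.jar", "2.17.1")  # stale copy not removed (assumed old version)
    bulk = base / "Bulk Loader" / "lib"                 # unversioned file names
    make_jar(bulk / "log4j-core.jar", "2.17.1")        # renamed but never replaced
    make_jar(bulk / "log4j-api.jar", "2.25.4")
    mod = base / "modules" / "com" / "ca" / "iam" / "log4j2" / "core" / "main"
    make_jar(mod / "log4j-core-2.25.4.jar", "2.25.4")  # JAR replaced, module.xml not updated
    (mod / "module.xml").write_text(                    # module name is an assumption
        '<module xmlns="urn:jboss:module:1.1" name="com.ca.iam.log4j2.core">\n'
        '  <resources>\n    <resource-root path="log4j-core-2.17.1.jar"/>\n'
        '  </resources>\n</module>\n', encoding="utf-8")
    return base


def audit_sample() -> Dict:
    """Build the constructed tree in a temp dir, audit it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    result = audit_sample()
    for f in result["jars"]:
        print("OK  " if f["ok"] else "FAIL", f["path"], f["version"])
    for (d, art), paths in result["duplicates"].items():
        print("DUP ", d, art, paths)
    for f in result["modules"]:
        print("OK  " if f["ok"] else "FAIL", f["module"], "->", f["resource"])
    print("clean:", result["clean"])
```

Run against a real installation with `audit(Path("/path/to/IAM_Suite"))`; the sample tree exists only so the script demonstrates all three failure modes offline. Because the check reads the manifest rather than trusting the filename, a log4j-core.jar that was copied from the old Bulk Loader directory still shows its true version.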

Exclusions (Components not requiring upgrade)

The following components use log4j-mitigated.jar (version 1.2.17), which has had vulnerable classes physically removed and does not require an upgrade to 2.x at this time:

  • Identity Manager Connector Server
  • Connector Xpress