CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability

Article ID: 230270

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

Update History

Date of Change / Major Changes

01/03/2022
  • Added information on how to upgrade to log4j 2.17.1.

12/31/2021
  • Updated information about the impact of CVE-2021-44832 on SiteMinder (no impact).

12/20/2021
  • Updated information about the impact of CVE-2021-45105 on SiteMinder (no impact).
  • Added information about the log4j-api jar file that is shipped with the Management Console of the Administrative UI.

12/19/2021
  • Added information about the impact of CVE-2021-45105 on SiteMinder (investigation in progress).
  • Added information on how to upgrade to log4j 2.17.0.

12/17/2021
  • Added information on taking a backup of and deleting the org.apache.logging.log4j-log4j-api-<existing_version>.jar and org.apache.logging.log4j-log4j-core-<existing_version>.jar files on the Administrative UI of Releases 12.8 through 12.8.03.

12/16/2021
  • Deprecated Solution Option #1 (modification of the LOG4J_FORMAT_MSG_NO_LOOKUPS setting to true) per Apache’s latest remediation guidance.

12/15/2021
  • Added information about the impact of CVE-2021-45046 on SiteMinder (no impact).
  • Added information on how to upgrade to log4j 2.16.0 if required.
  • Restructured the Solution Option #2 content to categorize the information based on components.

12/14/2021
  • Added information to mitigate or resolve the vulnerability on ASA and APS too.
  • Added information on how to update the log4j-web-2.15.0.jar for AuthAz web services, CHS, session assurance, and proxy UI.

12/13/2021
  • Added information to mitigate or resolve the vulnerability on all components except ASA and APS.


Any 2.x Log4j version prior to 2.15.0, that is, all versions from 2.0-beta9 to 2.14.1, is subject to a remote code execution vulnerability via the LDAP JNDI parser. The issue description from Apache's Log4j security guide is:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default.

However, the fix within Log4j 2.15.0 to address CVE-2021-44228 was incomplete in certain non-default configurations. Per CVE-2021-45046, Apache Log4j2, when the logging configuration uses a Pattern Layout with either Thread Context Message Pattern or Context Lookup Pattern, is vulnerable to a denial of service attack.

 

Environment

Currently Supported SiteMinder Components Impacted

  • 12.8.x Policy Server
  • 12.8.x Administrative UI
  • 12.8.x Access Gateway
  • 12.8.x SDK
  • 12.7 and 12.8 ASA Agents

(Not impacted, but mentioned here for completeness, are SiteMinder Web Agents, SiteMinder Web Agent Option Packs, SiteMinder Agent for SharePoint, SiteMinder ERP Agents, and Advanced Password Services.)

The following table summarizes the impact of the Log4j vulnerabilities on SiteMinder:

  Apache Log4j Vulnerability    Impacts SiteMinder?
  CVE-2021-44228                Yes
  CVE-2021-45046                No
  CVE-2021-4104                 No
  CVE-2021-45105                No
  CVE-2021-44832                No

Resolution

As the vulnerable versions of log4j are shipped with the product installers, Broadcom recommends that you upgrade the existing log4j version in your environment to log4j 2.15.0 or 2.16.0. Upgrading to 2.15.0 or 2.16.0 resolves the CVE-2021-44228 vulnerability in your environment.

Important! In a recent update to the guidance for remediation of CVE-2021-44228, Apache has added the following commentary, which highlights additional attack vectors that circumvent the previously provided manual configuration mitigation guidance:

Older (discredited) mitigation measures:

This page previously mentioned other mitigation measures, but we discovered that these measures only limit exposure while leaving some attack vectors open.

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar using the zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class command.

SiteMinder’s internal testing confirmed Apache's recommendation. For this reason, the SiteMinder team is fully deprecating the modification of the LOG4J_FORMAT_MSG_NO_LOOKUPS setting to true as a method of protection against CVE-2021-44228. Our current guidance to resolve the vulnerability is to perform one of the following options:

1) Upgrade the existing log4j version to 2.15.0

2) Upgrade the existing log4j version to 2.16.0 (as described under the Impact of CVE-2021-45046 on SiteMinder section).

3) Upgrade the existing log4j version to 2.17.0 (as described under the Impact of CVE-2021-45105 on SiteMinder section).

4) Upgrade the existing log4j version to 2.17.1 (as described under the Impact of CVE-2021-44832 on SiteMinder section).

 

Upgrade the existing log4j version in your environment to log4j 2.15.0

This procedure ensures that your SiteMinder environment is protected from CVE-2021-44228 with an upgrade to the latest, secure log4j version. A security scan will not report the latest log4j libraries as vulnerable.

1. Download the log4j 2.15.0 jar files from the following Apache repository links:

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.15.0/log4j-api-2.15.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.15.0/log4j-slf4j-impl-2.15.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-web/2.15.0/log4j-web-2.15.0.jar

2. Copy the following jars onto the Policy Server, Administrative UI, Access Gateway, and SDK machines:

  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar
  • (Additional file for Access Gateway) log4j-web-2.15.0.jar

3. Perform the following steps to place the new log4j 2.15.0 jars in each applicable component:

Policy Server:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

b) Stop Policy Server.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

e) After copying the jars in the jars folder as described in the previous step, rename the jars to remove the log4j version from the filenames.

Example:

  • log4j-api.jar
  • log4j-core.jar
  • log4j-slf4j-impl.jar

f) Open the JVMOptions.txt file at <siteminder_installation_home>/config, update all the references of the existing log4j versions with the 2.15.0 version in the -Djava.class.path parameter, and save the changes.

g) Navigate to <siteminder_installation_home>/bin, and update all the references of the existing log4j versions in the following tools:

    • smkeytool.bat/smkeytool.sh
    • smfedexport.bat/smfedexport.sh
    • smfedimport.bat/smfedimport.sh

h) Start Policy Server.

 

Administrative UI:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:
      1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
      2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:
      1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
      2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library

    From Release 12.8 through 12.8.03, only one log4j version exists in the library folder. From Release 12.8.04 or later, two versions of the log4j files exist in this folder; take a backup of both versions.

  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main
  • (Only for Release 12.8.04 or later) The module.xml files located at <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main and <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main respectively.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib\log4j-api-<existing_version>.jar

b) Stop Administrative UI.

c) Delete the existing log4j files from the above-mentioned locations.

(Additional step on Release 12.8 through 12.8.03) Delete the org.apache.logging.log4j-log4j-api-<existing_version>.jar and org.apache.logging.log4j-log4j-core-<existing_version>.jar files from the following locations:

    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib
    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

d) Place the new jars in the following locations:

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib

    (Release 12.8.04 or later) Copy all three jars into this folder.

    (Release 12.8 through 12.8.03) Copy all three jars into this folder. Then, duplicate the log4j-api-2.15.0.jar and log4j-core-2.15.0.jar files with the following names and place them in the same folder:
      • log4j-log4j-api-2.15.0.jar
      • log4j-log4j-core-2.15.0.jar

    At the end of this step, the lib folder must contain the following files:
      • log4j-api-2.15.0.jar
      • log4j-core-2.15.0.jar
      • log4j-log4j-api-2.15.0.jar
      • log4j-log4j-core-2.15.0.jar
      • log4j-slf4j-impl-2.15.0.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

    (Release 12.8.04 or later) Copy all three jars into this folder.

    (Release 12.8 through 12.8.03) Copy the log4j-slf4j-impl-2.15.0.jar file into this folder. Then, copy the log4j-api-2.15.0.jar and log4j-core-2.15.0.jar files into the same folder under the following names:
      • log4j-log4j-api-2.15.0.jar
      • log4j-log4j-core-2.15.0.jar

    At the end of this step, the lib folder must contain the following files:
      • log4j-log4j-api-2.15.0.jar
      • log4j-log4j-core-2.15.0.jar
      • log4j-slf4j-impl-2.15.0.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library: copy only log4j-api-2.15.0.jar and log4j-core-2.15.0.jar.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main: copy only log4j-api-2.15.0.jar.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main: copy only log4j-core-2.15.0.jar.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib: copy only log4j-api-2.15.0.jar.

e) (Only for Release 12.8.04 or later) In the module.xml file that is present in the following locations, update the log4j version to 2.15.0 and save the changes:

  • <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main

f) Start Administrative UI.

 

Access Gateway:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <accessgateway_installation_path>\Tomcat\thirdparty
  • <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib

b) Stop Access Gateway.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • <accessgateway_installation_path>\Tomcat\thirdparty: copy all the files except log4j-web-2.15.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib: (Release 12.8.04 or later) copy all the files; (Release 12.8 through 12.8.03) copy all the files except log4j-web-2.15.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib: copy only log4j-web-2.15.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib: copy only log4j-web-2.15.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib: copy only log4j-web-2.15.0.jar.

e) Start Access Gateway.

 

SDK

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <sdk_installation_path>\java

b) Delete the existing log4j files from the above-mentioned location.

c) Place the new jars in the following location:

  • <sdk_installation_path>\java

d) Update all the references of the existing 2.x log4j version with the 2.15.0 version in the class path parameter of all the custom applications that are built using SDK, and save the changes.

e) Restart the custom applications.

 

ASA Agents

SiteMinder Agent for Oracle WebLogic Server 12.7 and 12.8

a) Stop WebLogic application server.

b) Navigate to <wl_installation_path>/wlserver/server/lib and take a backup of the existing log4j jars:

    • log4j-core-<existing_version>.jar
    • log4j-api-<existing_version>.jar

c) Navigate to the bin folder for the domain created in WebLogic application server.

d) Take a backup of the startWebLogic.cmd/startWebLogic.sh file.

e) Open the existing startWebLogic.cmd/startWebLogic.sh file, and update the existing log4j version to the 2.15.0 version in the following values of the SMASA_CLASSPATH:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

Example:

log4j-api-2.15.0.jar and log4j-core-2.15.0.jar

f) Save the changes.

g) Start WebLogic application server.

 

SiteMinder Agent for IBM WebSphere 12.8

IBM WebSphere for Liberty

a) Stop WebSphere application server.

b) Navigate to <wlp_installation_path>/usr/servers/lib/global.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.15.0.jar
    • log4j-core-2.15.0.jar

Example:

log4j-api-2.15.0.jar and log4j-core-2.15.0.jar 

e) Start WebSphere application server.

 

IBM WebSphere

a) Stop WebSphere application server.

b) Navigate to <websphere_home>/lib/ext.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.15.0.jar
    • log4j-core-2.15.0.jar

Example:

log4j-api-2.15.0.jar and log4j-core-2.15.0.jar 

e) Start WebSphere application server.
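As an added verification for the upgrade procedure above (example code, not Broadcom's or Apache's), the following Python script inventories the log4j 2.x jars under an installation path, reading each jar's version from its embedded pom.properties so that the renamed, versionless jars in bin\jars are judged correctly, and rewrites versioned references in classpath text such as the -Djava.class.path value in JVMOptions.txt or the SMASA_CLASSPATH values. The jars built by demo() are constructed stand-ins, and the names scan_log4j_jars and update_log4j_refs are this example's own.

```python
"""Post-upgrade check for the SiteMinder log4j replacement procedure above.
Added example, not Broadcom's or Apache's code; demo() builds constructed
stand-in jars that hold only the members inspected here."""
import os
import re
import tempfile
import zipfile

FIXED = (2, 15, 0)  # first log4j release that closes CVE-2021-44228
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.14.1.jar, the renamed log4j-core.jar and the Administrative
# UI duplicates log4j-log4j-core-*.jar / org.apache.logging.log4j-log4j-core-*.jar.
# The 1.x log4j.jar that the article says to leave in place does not match.
JAR_NAME = re.compile(
    r"^(?:org\.apache\.logging\.)?(?:log4j-)?"
    r"(log4j-(?:api|core|slf4j-impl|web))(?:-\d+\.\d+\.\d+)?\.jar$")
# Versioned jar references inside classpath text (JVMOptions.txt, SMASA_CLASSPATH).
CP_REF = re.compile(r"(log4j-(?:api|core|slf4j-impl|web)-)(\d+\.\d+\.\d+)(\.jar)")


def inspect_jar(path, artifact):
    """Return (version tuple or None, whether JndiLookup.class is present).
    The version comes from the jar's own pom.properties, so it is found even
    after the Policy Server step that renames the jars to versionless names."""
    props = "META-INF/maven/org.apache.logging.log4j/%s/pom.properties" % artifact
    version = None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if props in names:
            for line in jar.read(props).decode("utf-8", "replace").splitlines():
                m = re.fullmatch(r"version=(\d+)\.(\d+)\.(\d+)", line.strip())
                if m:
                    version = tuple(int(x) for x in m.groups())
        return version, JNDI_CLASS in names


def scan_log4j_jars(root):
    """Map each log4j 2.x jar under root ('/'-separated path relative to root)
    to (artifact, version, status). status: 'ok' (>= 2.15.0); 'vulnerable'
    (older core jar still carrying JndiLookup.class); 'mitigated-only' (older
    core jar with the class stripped, Apache's interim measure: still upgrade);
    'outdated' (older api/slf4j-impl/web jar); 'unknown' (no pom.properties)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if not m:
                continue
            artifact = m.group(1)
            path = os.path.join(dirpath, name)
            version, has_jndi = inspect_jar(path, artifact)
            if version is None:
                status = "unknown"
            elif version >= FIXED:
                status = "ok"
            elif artifact != "log4j-core":
                status = "outdated"
            elif has_jndi:
                status = "vulnerable"
            else:
                status = "mitigated-only"
            key = os.path.relpath(path, root).replace(os.sep, "/")
            report[key] = (artifact, version, status)
    return report


def update_log4j_refs(text, new_version):
    """Rewrite versioned log4j 2.x jar references to new_version; returns
    (new_text, count). Versionless names such as the renamed log4j-core.jar
    and the 1.x log4j.jar are left untouched."""
    return CP_REF.subn(lambda m: m.group(1) + new_version + m.group(3), text)


def build_sample_jar(path, artifact, version, with_jndi):
    """Constructed stand-in for a log4j jar holding only the members inspected."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/%s/pom.properties" % artifact,
                     "version=%s\nartifactId=%s\n" % (version, artifact))
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode


def demo():
    """Build a constructed Policy Server-like tree and scan it."""
    root = tempfile.mkdtemp(prefix="sm_log4j_")
    jars = os.path.join(root, "bin", "jars")
    third = os.path.join(root, "bin", "thirdparty")
    os.makedirs(jars)
    os.makedirs(third)
    # bin\jars still holds renamed 2.14.1 jars; only pom.properties reveals that.
    build_sample_jar(os.path.join(jars, "log4j-core.jar"), "log4j-core", "2.14.1", True)
    build_sample_jar(os.path.join(jars, "log4j-api.jar"), "log4j-api", "2.14.1", False)
    # bin\thirdparty was already replaced (2.17.1 still ships JndiLookup; that is fine).
    build_sample_jar(os.path.join(third, "log4j-core-2.17.1.jar"), "log4j-core", "2.17.1", True)
    with zipfile.ZipFile(os.path.join(third, "log4j.jar"), "w") as jar:  # 1.x, left alone
        jar.writestr("org/apache/log4j/Logger.class", b"")
    return scan_log4j_jars(root)
```

Point scan_log4j_jars at each installation path listed in the procedure after the restart; any entry whose status is not 'ok' means a location was missed.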

 

Impact of CVE-2021-45046 on SiteMinder

Per CVE-2021-45046, Apache Log4j2, when the logging configuration uses a Pattern Layout with either Thread Context Message Pattern or Context Lookup Pattern, is vulnerable to a denial of service attack. The Apache organization has determined that the fix within Log4j 2.15.0 to address CVE-2021-44228 was incomplete in certain non-default configurations.

SiteMinder implements Log4j2 in the default configuration and does not use the Thread Context Message Pattern or the Context Lookup Pattern, either of which requires explicit configuration. As a result, CVE-2021-45046 does not impact SiteMinder’s default installed implementation of Log4j2. You can continue to use either of the previously provided solutions described above in this article to mitigate CVE-2021-44228.

However, if you would still prefer to use Log4j 2.16.0 instead of 2.15.0, we have tested that version as well and offer the following steps to upgrade the existing Log4j version in your environment to Log4j 2.16.0.

Upgrade the existing log4j version in your environment to log4j 2.16.0

1. Download the log4j 2.16.0 jar files from the following Apache repository links:

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.16.0/log4j-slf4j-impl-2.16.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-web/2.16.0/log4j-web-2.16.0.jar

2. Copy the following jars onto the Policy Server, Administrative UI, Access Gateway, and SDK machines:

  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar
  • (Additional file for Access Gateway) log4j-web-2.16.0.jar

3. Perform the following steps to place the new log4j 2.16.0 jars in each applicable component:

Policy Server:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

b) Stop Policy Server.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

e) After copying the jars in the jars folder as described in the previous step, rename the jars to remove the log4j version from the filenames.

Example:

  • log4j-api.jar
  • log4j-core.jar
  • log4j-slf4j-impl.jar

f) Open the JVMOptions.txt file at <siteminder_installation_home>/config, update all the references of the existing log4j versions with the 2.16.0 version in the -Djava.class.path parameter, and save the changes.

g) Navigate to <siteminder_installation_home>/bin, and update all the references of the existing log4j versions in the following tools:

    • smkeytool.bat/smkeytool.sh
    • smfedexport.bat/smfedexport.sh
    • smfedimport.bat/smfedimport.sh

h) Start Policy Server.

 

Administrative UI:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:
      1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
      2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:
      1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
      2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library

    From Release 12.8 through 12.8.03, only one log4j version exists in the library folder. From Release 12.8.04 or later, two versions of the log4j files exist in this folder; take a backup of both versions. Release 12.8 through 12.8.2 have a log4j.jar file in the <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library folder. This file is version 1.x and not subject to the vulnerability. Leave this log4j.jar file in place.

  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main
  • (Only for Release 12.8.04 or later) The module.xml files located at <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main and <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main respectively.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib\log4j-api-<existing_version>.jar

b) Stop Administrative UI.

c) Delete the existing log4j files from the above-mentioned locations.

(Additional step on Release 12.8 through 12.8.03) Delete the org.apache.logging.log4j-log4j-api-<existing_version>.jar and org.apache.logging.log4j-log4j-core-<existing_version>.jar files from the following locations:

    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib
    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

d) Place the new jars in the following locations:

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib

    (Release 12.8.04 or later) Copy all three jars into this folder.

    (Release 12.8 through 12.8.03) Copy all three jars into this folder. Then, duplicate the log4j-api-2.16.0.jar and log4j-core-2.16.0.jar files with the following names and place them in the same folder:
      • log4j-log4j-api-2.16.0.jar
      • log4j-log4j-core-2.16.0.jar

    At the end of this step, the lib folder must contain the following files:
      • log4j-api-2.16.0.jar
      • log4j-core-2.16.0.jar
      • log4j-log4j-api-2.16.0.jar
      • log4j-log4j-core-2.16.0.jar
      • log4j-slf4j-impl-2.16.0.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

    (Release 12.8.04 or later) Copy all three jars into this folder.

    (Release 12.8 through 12.8.03) Copy the log4j-slf4j-impl-2.16.0.jar file into this folder. Then, copy the log4j-api-2.16.0.jar and log4j-core-2.16.0.jar files into the same folder under the following names:
      • log4j-log4j-api-2.16.0.jar
      • log4j-log4j-core-2.16.0.jar

    At the end of this step, the lib folder must contain the following files:
      • log4j-log4j-api-2.16.0.jar
      • log4j-log4j-core-2.16.0.jar
      • log4j-slf4j-impl-2.16.0.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library: copy only log4j-api-2.16.0.jar and log4j-core-2.16.0.jar.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main: copy only log4j-api-2.16.0.jar.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main: copy only log4j-core-2.16.0.jar.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib: copy only log4j-api-2.16.0.jar.

e) (Only for Release 12.8.04 or later) In the module.xml file that is present in the following locations, update the log4j version to 2.16.0 and save the changes:

  • <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main

f) Start Administrative UI.

 

Access Gateway:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <accessgateway_installation_path>\Tomcat\thirdparty
  • <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib

b) Stop Access Gateway.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • <accessgateway_installation_path>\Tomcat\thirdparty: copy all the files except log4j-web-2.16.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib: (Release 12.8.04 or later) copy all the files; (Release 12.8 through 12.8.03) copy all the files except log4j-web-2.16.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib: copy only log4j-web-2.16.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib: copy only log4j-web-2.16.0.jar.
  • <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib: copy only log4j-web-2.16.0.jar.

e) Start Access Gateway.

 

SDK

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <sdk_installation_path>\java

b) Delete the existing log4j files from the above-mentioned location.

c) Place the new jars in the following location:

  • <sdk_installation_path>\java

d) Update all the references of the existing 2.x log4j version with the 2.16.0 version in the class path parameter of all the custom applications that are built using SDK, and save the changes.

e) Restart the custom applications.

 

ASA Agents

SiteMinder Agent for Oracle WebLogic Server 12.7 and 12.8

a) Stop WebLogic application server.

b) Navigate to <wl_installation_path>/wlserver/server/lib and take a backup of the existing log4j jars:

    • log4j-core-<existing_version>.jar
    • log4j-api-<existing_version>.jar

c) Navigate to the bin folder for the domain created in WebLogic application server.

d) Take a backup of the startWebLogic.cmd/startWebLogic.sh file.

e) Open the existing startWebLogic.cmd/startWebLogic.sh file, and update the existing log4j version to the 2.16.0 version in the following values of the SMASA_CLASSPATH:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

Example:

log4j-api-2.16.0.jar and log4j-core-2.16.0.jar

f) Save the changes.

g) Start WebLogic application server.

 

SiteMinder Agent for IBM WebSphere 12.8

IBM WebSphere for Liberty

a) Stop WebSphere application server.

b) Navigate to <wlp_installation_path>/usr/servers/lib/global.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.16.0.jar
    • log4j-core-2.16.0.jar

Example:

log4j-api-2.16.0.jar and log4j-core-2.16.0.jar 

e) Start WebSphere application server.

 

IBM WebSphere

a) Stop WebSphere application server.

b) Navigate to <websphere_home>/lib/ext.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.16.0.jar
    • log4j-core-2.16.0.jar

Example:

log4j-api-2.16.0.jar and log4j-core-2.16.0.jar 

e) Start WebSphere application server.

 

Impact of CVE-2021-45105 on SiteMinder

Per CVE-2021-45105, Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a denial of service (DoS) attack.

SiteMinder does not accept any external data with respect to Context Lookups. SiteMinder also does not use Thread Context Map (MDC) patterns with input data, which is the precondition for CVE-2021-45105, where malicious input data is crafted using a JNDI Lookup pattern. In addition, SiteMinder does not allow any recursive lookups. As a result, CVE-2021-45105 does not impact SiteMinder.
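As an added check for the CVE-2021-45046 and CVE-2021-45105 impact statements above (example code, not SiteMinder's), the following Python function finds the non-default log4j2 layout patterns those two CVEs depend on, a Thread Context Message Pattern (%X, %mdc, %MDC) or a Context Lookup (${ctx:...}), in a configuration file; the article states the default SiteMinder configuration uses neither, so any hit points at a local customisation to review. The sample configuration is constructed, and find_context_patterns is this example's own name.

```python
"""Configuration check for the non-default log4j2 patterns behind
CVE-2021-45046 and CVE-2021-45105. Added example, not SiteMinder's code."""
import re

# Thread Context Message Pattern conversions (%X, %mdc, %MDC, with or without a
# key list) and Context Lookup references (${ctx:key} or the deferred $${ctx:key}).
THREAD_CONTEXT = re.compile(r"%(?:X|mdc|MDC)\b(?:\{[^}]*\})?")
CONTEXT_LOOKUP = re.compile(r"\$?\$\{ctx:[^}]*\}")


def find_context_patterns(config_text):
    """Return [(line_number, kind, matched_text), ...] for every occurrence
    of either pattern family; an empty list means the configuration has
    neither precondition."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        for m in THREAD_CONTEXT.finditer(line):
            hits.append((n, "thread-context-pattern", m.group(0)))
        for m in CONTEXT_LOOKUP.finditer(line):
            hits.append((n, "context-lookup", m.group(0)))
    return hits


# Constructed sample: a default-style console layout plus a locally added
# audit appender whose layout carries both non-default patterns.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %X{loginId} $${ctx:sessionId} %m%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root>
  </Loggers>
</Configuration>
"""
```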

However, if you would still prefer to use Log4j 2.17.0, we have tested that version as well and offer the following steps to upgrade the existing Log4j version in your environment to Log4j 2.17.0.

Upgrade the existing log4j version in your environment to log4j 2.17.0

1. Download the log4j 2.17.0 jar files from the following Apache repository links:

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar 

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar 

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.17.0/log4j-slf4j-impl-2.17.0.jar 

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-web/2.17.0/log4j-web-2.17.0.jar

2. Copy the following jars onto the Policy Server, Administrative UI, Access Gateway, and SDK machines:

  • log4j-api-2.17.0.jar
  • log4j-core-2.17.0.jar
  • log4j-slf4j-impl-2.17.0.jar
  • (Additional file for Access Gateway) log4j-web-2.17.0.jar

3. Perform the following steps to place the new log4j 2.17.0 jars in each applicable component:

Policy Server:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

b) Stop Policy Server.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

e) After copying the jars in the jars folder as described in the previous step, rename the jars to remove the log4j version from the filenames.

Example:

  • log4j-api.jar
  • log4j-core.jar
  • log4j-slf4j-impl.jar

f) Open the JVMOptions.txt file at <siteminder_installation_home>/config, update all the references of the existing log4j versions with the 2.17.0 version in the -Djava.class.path parameter, and save the changes.

g) Navigate to <siteminder_installation_home>/bin, and update all the references of the existing log4j versions in the following tools:

    • smkeytool.bat/smkeytool.sh
    • smfedexport.bat/smfedexport.sh
    • smfedimport.bat/smfedimport.sh

h) Start Policy Server.

 

Administrative UI:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:
      1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
      2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:
      1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
      2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library

    From Release 12.8 through 12.8.03, only one log4j version exists in the library folder. From Release 12.8.04 or later, two versions of the log4j files exist in this folder; take a backup of both versions. Release 12.8 through 12.8.2 have a log4j.jar file in the <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library folder. This file is version 1.x and not subject to the vulnerability. Leave this log4j.jar file in place.

  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main
  • (Only for Release 12.8.04 or later) The module.xml files located at <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main and <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main respectively.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib\log4j-api-<existing_version>.jar

b) Stop Administrative UI.

c) Delete the existing log4j files from the above-mentioned locations.

(Additional step on Release 12.8 through 12.8.03) Delete the org.apache.logging.log4j-log4j-api-<existing_version>.jar and org.apache.logging.log4j-log4j-core-<existing_version>.jar files from the following locations:

    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib
    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

d) Place the new jars in the following locations:

  • (Release 12.8.04 or later) Copy all three jars in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib.

    (Release 12.8 through 12.8.03) Copy all three jars in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib. Then, duplicate the log4j-api-2.17.0.jar and log4j-core-2.17.0.jar files with the following names and place them in the same folder:

        • log4j-log4j-api-2.17.0.jar
        • log4j-log4j-core-2.17.0.jar

    At the end of this step, the lib folder must contain the following files:

        • log4j-api-2.17.0.jar
        • log4j-core-2.17.0.jar
        • log4j-log4j-api-2.17.0.jar
        • log4j-log4j-core-2.17.0.jar
        • log4j-slf4j-impl-2.17.0.jar

  • (Release 12.8.04 or later) Copy all three jars in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib.

    (Release 12.8 through 12.8.03) Copy the log4j-slf4j-impl-2.17.0.jar file in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib. Then, copy the log4j-api-2.17.0.jar and log4j-core-2.17.0.jar files with the following names in the same folder:

        • log4j-log4j-api-2.17.0.jar
        • log4j-log4j-core-2.17.0.jar

    At the end of this step, the lib folder must contain the following files:

        • log4j-log4j-api-2.17.0.jar
        • log4j-log4j-core-2.17.0.jar
        • log4j-slf4j-impl-2.17.0.jar

  • Copy only log4j-api-2.17.0.jar and log4j-core-2.17.0.jar in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library.
  • (Only for Release 12.8.04 or later) Copy only log4j-api-2.17.0.jar in <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main.
  • (Only for Release 12.8.04 or later) Copy only log4j-core-2.17.0.jar in <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main.
  • (Only for Release 12.8.04 or later) Copy only log4j-api-2.17.0.jar in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib.

e) (Only for Release 12.8.04 or later) In the module.xml file that is present in the following locations, update the log4j version to 2.17.0 and save the changes:

  • <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main

f) Start Administrative UI.

Access Gateway:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <accessgateway_installation_path>\Tomcat\thirdparty
  • <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib

b) Stop Access Gateway.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • Copy all the files except log4j-web-2.17.0.jar in <accessgateway_installation_path>\Tomcat\thirdparty.
  • (Release 12.8.04 or later) Copy all the files in <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib.

         (Release 12.8 through 12.8.03) Copy all the files except log4j-web-2.17.0.jar in <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib.

  • Copy only log4j-web-2.17.0.jar in <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib.
  • Copy only log4j-web-2.17.0.jar in <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib.
  • Copy only log4j-web-2.17.0.jar in <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib.

e) Start Access Gateway.

SDK:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <sdk_installation_path>\java

b) Delete the existing log4j files from the above-mentioned location.

c) Place the new jars in the following location:

  • <sdk_installation_path>\java

d) Update all the references of the existing 2.x log4j version with the 2.17.0 version in the class path parameter of all the custom applications that are built using SDK, and save the changes.

e) Restart the custom applications.

ASA Agents

SiteMinder Agent for Oracle WebLogic Server 12.7 and 12.8

a) Stop WebLogic application server.

b) Navigate to <wl_installation_path>/wlserver/server/lib and take a backup of the existing log4j jars:

    • log4j-core-<existing_version>.jar
    • log4j-api-<existing_version>.jar

c) Navigate to the bin folder for the domain created in WebLogic application server.

d) Take a backup of the startWebLogic.cmd/startWebLogic.sh file.

e) Open the existing startWebLogic.cmd/startWebLogic.sh file, and update the existing log4j version to the 2.17.0 version in the following values of the SMASA_CLASSPATH variable:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

Example:

log4j-api-2.17.0.jar and log4j-core-2.17.0.jar

f) Save the changes.

g) Start WebLogic application server.

SiteMinder Agent for IBM WebSphere 12.8

IBM WebSphere for Liberty

a) Stop WebSphere application server.

b) Navigate to <wlp_installation_path>/usr/servers/lib/global.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.17.0.jar
    • log4j-core-2.17.0.jar

e) Start WebSphere application server.

IBM WebSphere

a) Stop WebSphere application server.

b) Navigate to <websphere_home>/lib/ext.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.17.0.jar
    • log4j-core-2.17.0.jar

e) Start WebSphere application server.

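Once the jars have been replaced and the classpath references updated, it is worth checking that nothing was missed. The Python script below is an added verification example (not Broadcom's or Apache's code): it walks the folders named in the steps above and reports any log4j 2.x jar older than the target version, reading the version from the jar manifest where the filename carries none (the renamed jars in bin\jars), and it flags stale version strings left behind in classpath text such as JVMOptions.txt, the smkeytool/smfedexport/smfedimport scripts, SMASA_CLASSPATH or module.xml. The folder layout and classpath line it audits are constructed samples, and it assumes the manifest carries Implementation-Version or Bundle-Version; set MIN_VERSION to (2, 17, 1) after the 2.17.1 procedure below.

```python
import os
import re
import tempfile
import zipfile

MIN_VERSION = (2, 17, 0)  # use (2, 17, 1) after following the 2.17.1 procedure

# Versioned jars (log4j-core-2.14.1.jar), the Administrative UI copies such as
# log4j-log4j-api-2.17.0.jar, and the renamed bin\jars form with no version in the
# name (log4j-core.jar). The 1.x log4j.jar the article says to keep is not matched.
JAR_RE = re.compile(r"log4j-(?:api|core|slf4j-impl|web)(?:-(\d+(?:\.\d+)+))?\.jar$")
# Versions referenced from classpath text (JVMOptions.txt, smkeytool/smfedexport/
# smfedimport scripts, startWebLogic SMASA_CLASSPATH, module.xml).
CP_RE = re.compile(r"log4j-(?:api|core|slf4j-impl|web)-(\d+(?:\.\d+)+)")

def parse_version(text):
    """'2.17.0' -> (2, 17, 0); None when the text is not a dotted number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def jar_version(path):
    """Version from the filename, else from the manifest (renamed bin\\jars case)."""
    m = JAR_RE.search(os.path.basename(path))
    if m and m.group(1):
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key in ("Implementation-Version", "Bundle-Version"):  # assumed manifest keys
            return parse_version(value.strip())
    return None

def audit_jars(roots, minimum=MIN_VERSION):
    """Sorted (name, version) of log4j jars under roots older than minimum or unreadable."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if JAR_RE.search(name):
                    version = jar_version(os.path.join(dirpath, name))
                    if version is None or version < minimum:
                        findings.append((name, version))
    return sorted(findings)

def audit_classpath_text(text, minimum=MIN_VERSION):
    """Stale log4j version strings still referenced by a classpath file's content."""
    versions = {m.group(1) for m in CP_RE.finditer(text)}
    return sorted(v for v in versions if parse_version(v) < minimum)

def _write_jar(path, version):
    # Constructed sample jar: a zip holding only a manifest with the version.
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Audit a constructed mini-layout shaped like the Policy Server folders above."""
    root = tempfile.mkdtemp(prefix="sm-log4j-")
    thirdparty, jars = os.path.join(root, "bin", "thirdparty"), os.path.join(root, "bin", "jars")
    os.makedirs(thirdparty)
    os.makedirs(jars)
    _write_jar(os.path.join(thirdparty, "log4j-core-2.17.0.jar"), "2.17.0")  # upgraded
    _write_jar(os.path.join(thirdparty, "log4j-api-2.14.1.jar"), "2.14.1")   # missed
    _write_jar(os.path.join(jars, "log4j-core.jar"), "2.13.3")               # renamed, still old
    _write_jar(os.path.join(jars, "log4j-api.jar"), "2.17.0")                # renamed, upgraded
    jvm_options = "-Djava.class.path=C:\\sm\\log4j-api-2.17.0.jar;C:\\sm\\log4j-core-2.14.1.jar"  # constructed
    return {"stale_jars": audit_jars([root]), "stale_classpath": audit_classpath_text(jvm_options)}
```

On a real system, call audit_jars with the component installation paths listed in the steps above and audit_classpath_text with the contents of each classpath file; an empty result for both means no pre-2.17.0 jar or reference remains.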
Impact of CVE-2021-44832 on SiteMinder 

Per CVE-2021-44832, Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

SiteMinder does not use a JDBC Appender with a data source referencing a JNDI URI, so CVE-2021-44832 does not impact SiteMinder.

If you would still like to move to Log4j 2.17.1, that version has also been tested with SiteMinder; the following steps upgrade the existing Log4j version in your environment to Log4j 2.17.1.

Upgrade the existing log4j version in your environment to log4j 2.17.1

  1. Download the log4j 2.17.1 jar files from the following Apache repository links:

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-web/2.17.1/log4j-web-2.17.1.jar

  2. Copy the following jars onto the Policy Server, Administrative UI, Access Gateway, and SDK machines:

  • log4j-api-2.17.1.jar
  • log4j-core-2.17.1.jar
  • log4j-slf4j-impl-2.17.1.jar
  • (Additional file for Access Gateway) log4j-web-2.17.1.jar

  3. Perform the following steps to place the new log4j 2.17.1 jars in each applicable component:

Policy Server:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

b) Stop Policy Server.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • <siteminder_installation_path>\bin\thirdparty
  • <siteminder_installation_path>\bin\jars

e) After copying the jars in the jars folder as described in the previous step, rename the jars to remove the log4j version from the filenames.

Example:

  • log4j-api.jar
  • log4j-core.jar
  • log4j-slf4j-impl.jar

f) Open the JVMOptions.txt file at <siteminder_installation_home>/config, update all the references of the existing log4j versions with the 2.17.1 version in the -Djava.class.path parameter, and save the changes.

g) Navigate to <siteminder_installation_home>/bin, and update all the references of the existing log4j versions in the following tools:

    • smkeytool.bat/smkeytool.sh
    • smfedexport.bat/smfedexport.sh
    • smfedimport.bat/smfedimport.sh

h) Start Policy Server.

Administrative UI:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:

        1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
        2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

    (Additional step on Release 12.8 through 12.8.03) Take a backup of the following files too:

        1. org.apache.logging.log4j-log4j-api-<existing_version>.jar
        2. org.apache.logging.log4j-log4j-core-<existing_version>.jar

  • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library

    From Release 12.8 through 12.8.03, only one log4j version exists in the library folder. However, from Release 12.8.04 or later, two versions of the log4j files exist in this folder; take a backup of both versions. Release 12.8 through 12.8.2 also have a log4j.jar file in the <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library folder. This file is version 1.x and not subject to the vulnerability; leave this log4j.jar file in place.

  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main
  • (Only for Release 12.8.04 or later) Take a backup of the module.xml files that are located at <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main and <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main respectively.
  • (Only for Release 12.8.04 or later) <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib\log4j-api-<existing_version>.jar

b) Stop Administrative UI.

c) Delete the existing log4j files from the above-mentioned locations.

(Additional step on Release 12.8 through 12.8.03) Delete the org.apache.logging.log4j-log4j-api-<existing_version>.jar and org.apache.logging.log4j-log4j-core-<existing_version>.jar files from the following locations:

    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib
    • <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib

d) Place the new jars in the following locations:

  • (Release 12.8.04 or later) Copy all three jars in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib.

    (Release 12.8 through 12.8.03) Copy all three jars in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib. Then, duplicate the log4j-api-2.17.1.jar and log4j-core-2.17.1.jar files with the following names and place them in the same folder:

        • log4j-log4j-api-2.17.1.jar
        • log4j-log4j-core-2.17.1.jar

    At the end of this step, the lib folder must contain the following files:

        • log4j-api-2.17.1.jar
        • log4j-core-2.17.1.jar
        • log4j-log4j-api-2.17.1.jar
        • log4j-log4j-core-2.17.1.jar
        • log4j-slf4j-impl-2.17.1.jar

  • (Release 12.8.04 or later) Copy all three jars in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib.

    (Release 12.8 through 12.8.03) Copy the log4j-slf4j-impl-2.17.1.jar file in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib. Then, copy the log4j-api-2.17.1.jar and log4j-core-2.17.1.jar files with the following names in the same folder:

        • log4j-log4j-api-2.17.1.jar
        • log4j-log4j-core-2.17.1.jar

    At the end of this step, the lib folder must contain the following files:

        • log4j-log4j-api-2.17.1.jar
        • log4j-log4j-core-2.17.1.jar
        • log4j-slf4j-impl-2.17.1.jar

  • Copy only log4j-api-2.17.1.jar and log4j-core-2.17.1.jar in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\library.
  • (Only for Release 12.8.04 or later) Copy only log4j-api-2.17.1.jar in <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main.
  • (Only for Release 12.8.04 or later) Copy only log4j-core-2.17.1.jar in <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main.
  • (Only for Release 12.8.04 or later) Copy only log4j-api-2.17.1.jar in <adminui_installation_path>\standalone\deployments\iam_siteminder.ear\management_console.war\WEB-INF\lib.

e) (Only for Release 12.8.04 or later) In the module.xml file that is present in the following locations, update the log4j version to 2.17.1 and save the changes:

  • <adminui_installation_path>\modules\com\ca\iam\log4j2\api\main
  • <adminui_installation_path>\modules\com\ca\iam\log4j2\core\main

f) Start Administrative UI.

Access Gateway:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <accessgateway_installation_path>\Tomcat\thirdparty
  • <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib
  • <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib

b) Stop Access Gateway.

c) Delete the existing log4j files from the above-mentioned locations.

d) Place the new jars in the following locations:

  • Copy all the files except log4j-web-2.17.1.jar in <accessgateway_installation_path>\Tomcat\thirdparty.
  • (Release 12.8.04 or later) Copy all the files in <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib.

         (Release 12.8 through 12.8.03) Copy all the files except log4j-web-2.17.1.jar in <accessgateway_installation_path>\Tomcat\webapps\CA_AuthAZ\WEB-INF\lib.

  • Copy only log4j-web-2.17.1.jar in <accessgateway_installation_path>\Tomcat\webapps\chs\WEB-INF\lib.
  • Copy only log4j-web-2.17.1.jar in <accessgateway_installation_path>\Tomcat\webapps\sessionassuranceapp\WEB-INF\lib.
  • Copy only log4j-web-2.17.1.jar in <accessgateway_installation_path>\Tomcat\webapps\proxyui\WEB-INF\lib.

e) Start Access Gateway.

SDK:

a) Take a backup of the existing log4j files in your environment from the following locations:

  • <sdk_installation_path>\java

b) Delete the existing log4j files from the above-mentioned location.

c) Place the new jars in the following location:

  • <sdk_installation_path>\java

d) Update all the references of the existing 2.x log4j version with the 2.17.1 version in the class path parameter of all the custom applications that are built using SDK, and save the changes.

e) Restart the custom applications.

ASA Agents

SiteMinder Agent for Oracle WebLogic Server 12.7 and 12.8

a) Stop WebLogic application server.

b) Navigate to <wl_installation_path>/wlserver/server/lib and take a backup of the existing log4j jars:

    • log4j-core-<existing_version>.jar
    • log4j-api-<existing_version>.jar

c) Navigate to the bin folder for the domain created in WebLogic application server.

d) Take a backup of the startWebLogic.cmd/startWebLogic.sh file.

e) Open the existing startWebLogic.cmd/startWebLogic.sh file, and update the existing log4j version to the 2.17.1 version in the following values of the SMASA_CLASSPATH variable:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

Example:

log4j-api-2.17.1.jar and log4j-core-2.17.1.jar

f) Save the changes.

g) Start WebLogic application server.

SiteMinder Agent for IBM WebSphere 12.8

IBM WebSphere for Liberty

a) Stop WebSphere application server.

b) Navigate to <wlp_installation_path>/usr/servers/lib/global.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1.jar

e) Start WebSphere application server.

IBM WebSphere

a) Stop WebSphere application server.

b) Navigate to <websphere_home>/lib/ext.

c) Take a backup of the following log4j files and then delete the original files:

    • log4j-api-<existing_version>.jar
    • log4j-core-<existing_version>.jar

d) Place the following new log4j files in this location:

    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1.jar

e) Start WebSphere application server.

Additional Information

If you have any questions or require assistance, please contact Customer Support at +1-800-225-5224 in North America or see https://support.broadcom.com/contact-support.html for the local number in your country.