Log4j Vulnerability - CVE-2021-44228 and the Identity Suite
Article ID: 230278
Updated On:
Products
Issue/Introduction
Is the Identity Suite vulnerable to CVE-2021-44228?
Critical Vulnerability CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
This exploit would allow malicious code to read from an LDAP directory through log4j JNDI framework.
https://logging.apache.org/log4j/2.x/security.html
It has been determined that the Symantec IGA 14.x products are affected by this vulnerability. The full details of affected versions are defined below.
Environment
Release : 14.2, 14.3, 14.4
Component : Identity Manager, Identity Governance, Identity Portal, Virtual Appliance
|
Release |
Affected Servers |
Component to be patched |
Log4j version in use |
|
14.1 |
Identity Manager |
NimSoft WAR |
2.3 |
|
14.2 |
Identity Manager |
NimSoft WAR |
2.3 |
|
14.3 |
Identity Manager |
NimSoft WAR |
2.3 |
|
14.4 |
Identity Manager |
NimSoft WAR IM Server |
2.3 2.12 |
|
14.4 |
Identity Governance |
IG Server |
2.12 |
|
14.4 |
Identity Portal |
IP Server |
2.12 |
Resolution
Patches for STAND ALONE NON-VAPP based IDM deployments, versions 14.2, 14.3, and 14.4.
Please see the product documentations release notes for the patch and instructions:
For 14.2: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-2/release-notes/Hotfixes.html
For 14.4: IDM: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
Portal: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-4/release-notes/Hotfixes.html
Governance: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/release-notes/Hotfixes.html
Patches for 14.1, 14.2, 14.3, and 14.4 VAPP versions have been released (12/26/2021). They are available in the Release Notes section of the product documentation. See links below:
14.3, 14.2, 14.1
Please note version 14.1 utilizes the 14.2 hotfix. The MD5 Checksum fix is the same for both 14.1 and 14.2 fixes.
Previous Interim Solution to prevent the vulnerability in current IGA products. The directions below were provided before the Fixes above were created. This below is provided now for informational purposes. If you have implemented the below, Please deploy the fix above and revert the workaround changes to their previous state. Thank you.
For the affected releases, Broadcom will provide patches to upgrade the affected servers. The patch will upgrade the two vulnerable log4j 2 versions to log4j version 2.17.1. This is NOT an issue with log4j version 1.x versions.
This is NOT an issue with Provisioning Manager, CA Identity Governance Client Tool R14, and CA IAM Connector Server, Java Connector Server, CA IAM Connector Xpress. these components are not vulnerable.
Tibco Jasper 6.4.3 and 7.1.1 do not use Log4j and are not vulnerable. Jasper versions 7.5.3 and above are vulnerable, please work with Tibco.
In the interim, until these patches are provided (Patches have now been released, see links above), Broadcom recommends that you perform the following actions to prevent the occurrence of the vulnerability of your currently installed IGA 14.x products.
This procedure ensures that your IGA environment is protected from the vulnerability as recommended by the Apache log4j site referenced above. A security scan will report the log4j libraries as vulnerable as this configuration continues to use the existing log4j versions in a secure manner.
The procedure requires access to the IGA Server’s deployment folder and uses a command to remove the vulnerable java class from the log4j-core-2.xx.jar as follows:
- Stop the appropriate IGA server.
- From a windows command or Linux shell:
- Navigate to the appropriate Log4j Deployment Folder as shown in the tables below.
- Create a backup of the appropriate Log4j jar to be updated.
- Execute the following command on the appropriate Log4j jar (this is an example for Linux, if using Windows you need to determine the appropriate command based on the zip utility software used)
> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Restart the IGA server
Note: For Identity Suite Virtual Appliance deployments, the file system permissions will not allow this procedure. See Table 3 for the procedures appropriate for the Virtual Appliance.
The following tables show the Server, Server deployment folder and log4j jar file to execute this operation on.
Table 1. Windows-based Deployments:
|
Release |
Server |
Application Server |
Log4j Deployment Folder |
Log4j jar |
|
14.1, 14.2, 14.3 |
IM |
jBoss or Wildlfy |
<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
WebLogic |
Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
WebSphere |
WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
|
|
|
|
IG |
JBoss or Wildfly |
Not Applicable |
|
|
|
|
WebSphere |
Not Applicable |
|
|
|
|
|
|
|
|
|
IP |
JBoss or Wildfly |
Not Applicable due to v1.x |
|
|
|
|
WebLogic |
Not Applicable due to v1.x |
|
|
14.4 |
IM |
jBoss or Wildlfy: |
<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
<JBOSS_HOME>standalone\deployments\iam_im.ear\library |
log4j-core-2.12.jar |
|
|
|
WebLogic |
Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\library |
log4j-core-2.12.jar |
|
|
|
WebSphere |
WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
WebSphere-ear\iam_im.ear\iam_im.ear\library |
log4j-core-2.12.jar |
|
|
IG |
jBoss or Wildlfy |
<JBOSS_HOME>\modules\system\layers\base\com\ca\iam\log4j2\core\main |
log4j-core-2.12.0.jar |
|
|
|
WebSphere |
IBM\WebSphere\AppServer\classes |
log4j-core-2.12.0.jar |
|
|
IP |
jBoss or Wildlfy |
<JBOSS_HOME>\modules\com\ca\iam\log4j2\core\main\ |
log4j-core-2.12.0.jar |
|
|
|
WebLogic |
Not Applicable due to v1.x |
|
Table 2 Linux-based Deployments:
|
Release |
Server |
Application Server |
Deployment folder |
Log4j jar |
|
14.1, 14.2, 14.3 |
IM |
jBoss or Wildlfy |
<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
WebLogic |
Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
WebSphere |
WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
|
|
|
|
IG |
JBoss or Wildfly |
Not Applicable |
|
|
|
|
WebSphere |
Not Applicable |
|
|
|
|
|
|
|
|
|
IP |
JBoss or Wildfly |
Not Applicable due to v1.x |
|
|
|
|
WebLogic |
Not Applicable due to v1.x |
|
|
14.4 |
IM |
jBoss or Wildlfy: |
<JBOSS_HOME>standalone\deployments\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
<JBOSS_HOME>standalone\deployments\iam_im.ear\library |
log4j-core-2.12.jar |
|
|
|
WebLogic |
Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\applications\iam_im.ear\library |
log4j-core-2.12.jar |
|
|
|
WebSphere |
WebSphere-ear\iam_im.ear\iam_im.ear\ca-nim-sm.war\WEB-INF\lib |
log4j-core-2.3.jar |
|
|
|
|
WebSphere-ear\iam_im.ear\iam_im.ear\library |
log4j-core-2.12.jar |
|
|
IG |
jBoss or Wildlfy |
<JBOSS_HOME>\modules\system\layers\base\com\ca\iam\log4j2\core\main |
log4j-core-2.12.0.jar |
|
|
|
WebSphere |
IBM\WebSphere\AppServer\classes |
log4j-core-2.12.0.jar |
|
|
IP |
jBoss or Wildlfy |
<JBOSS_HOME>\modules\com\ca\iam\log4j2\core\main\ |
log4j-core-2.12.0.jar |
|
|
|
WebLogic |
Not Applicable due to v1.x |
|
Table 3. vApp Deployments
|
Release |
Server |
Application Server |
Instructions |
Remarks |
|
14.1 14.2 14.3 14.4 |
IM |
JBoss or Wildfly |
1. Log in to the system where you have installed Identity Manager using the Virtual Appliance solution. 2. Navigate to /opt/CA/VirtualAppliance/custom/IdentityManager/jvm-args.conf. 3. In the jvm-args.conf file, add the following configuration: a. Uncomment the following JVM arguments: JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom b. Add -Dlog4j2.formatMsgNoLookups=true to the end of the JVM arguments: JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true 4. Restart Identity Manager.
|
Update your min(Xms) and max(Xmx) heap size values to reflect your existing configuration or as applicable |
|
14.4 |
IG |
JBoss or Wildfly |
1. Log in to the system where you have installed Identity Governance using the Virtual Appliance solution. 2. Navigate to /opt/CA/VirtualAppliance/custom/IdentityGovernance/jvm-args.conf. 3. In the jvm-args.conf file, add the following configuration: a. Uncomment the following JVM arguments: JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom b. Add -Dlog4j2.formatMsgNoLookups=true to the end of the JVM arguments: JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true 4. Restart Identity Governance. |
Update your min(Xms) and max(Xmx) heap size values to reflect your existing configuration or as applicable |
|
14.4 |
IP |
JBoss or Wildfly |
1. Log in to the system where you have installed Identity Portal using the Virtual Appliance solution. 2. Navigate to /opt/CA/VirtualAppliance/custom/IdentityPortal/jvm-args.conf. 3. In the jvm-args.conf file, add the following configuration: a. Uncomment the following JVM arguments: JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom b. Add -Dlog4j2.formatMsgNoLookups=true to the end of the JVM arguments: JAVA_OPTS=-Xms512m -Xmx1512m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom -Dlog4j2.formatMsgNoLookups=true 4. Restart Identity Portal. |
Update your min(Xms) and max(Xmx) heap size values to reflect your existing configuration or as applicable |
This is not an issue for vApp Identity Portal and Identity Governance 14.1, 14.2, and 14.3.
Table 4. Admin Tools IM (Bulk Loader)
|
Release |
Server |
Tools |
Tools Folder |
Log4j jar |
|
14.4 |
IM |
Admin Tools |
CA\Identity Manager\IAM Suite\Identity Manager\tools\lib |
log4j-core-2.12.jar |
|
|
CA\Identity Manager\IAM Suite\Identity Manager\tools\SelectiveExportUtility |
log4j-core-2.12.jar |
||
|
|
CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Support\IMInfo |
log4j-core-2.12.jar |
Additional Information
Please see Broadcom's overall response here:
Broadcom Response to Log4j Vulnerability
Information specific to the Symantec Identity Governance and Administration (IGA) products can be found under the Symantec Security Advisory: SYMSA19793 link.
Note that the Log4j 2.17.1 and 2.3.2 both address the vulnerabilities. The difference is that Log4J 2.17.1 is for Java 8 and not backwards compatible with older Java versions where as the Log4j 2.3.2 is for Java 6 but is forward compatible with later versions of Java.
https://logging.apache.org/log4j/2.x/security.html
Other potentially related CVEs:
CVE-2021-44832
CVE-2021-44832
CVE-2021-4104
CVE-2021-4104 - Is Identity Manager exposed to the JMSAppender Vulnerability?
CVE-2021-44832
CVE-2021-44832 - Is Identity Manager exposed to the JDBCAppender Vulnerability?
CVE-2021-17571
Log4j vulnerability - CVE-2019-17571 - Connector Server - log4j version 1.2.16
CVE-2022-23305
CVE-2022-23307
Identity Manager Security Concerns for Log4J 1.x version: CVE-2022-23305 CVE-2022-23307
CVE-2020-9488
Resolved in hotfix
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
Feedback
