ITMS/GSS. About Zero-Day exploit: high severity vulnerability (CVE-2021-44228, CVE-2021-45105) impacting multiple versions of the Apache Log4j 2 utility

Article ID: 230281

Products

IT Management Suite
Ghost Solution Suite
ServiceDesk
Client Management Suite
Server Management Suite

Issue/Introduction

A high severity vulnerability impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.

This critical vulnerability in Apache Log4j, CVE-2021-44228, nicknamed ‘Log4Shell’, requires immediate attention. It affects Apache Log4j 2.x versions earlier than 2.15.0.

The vulnerability could allow unauthenticated remote code execution, resulting in an attacker gaining full control of an exploited server. Apache Log4j is used by many open-source projects and commercial off-the-shelf software packages, and is potentially used within internally developed applications as well. Malicious actors are conducting widespread public scans, actively targeting and attempting to exploit this vulnerability.

Note:
This article also applies to CVE-2021-45105.

Environment

ITMS 8.5, 8.6
GSS 3.3 RU8, RU9

Note:
No validation was done against any version earlier than ITMS 8.5 (or GSS 3.3), since those versions have reached end of life:

ITMS End-of-Life (EOL) Schedule: KB 173849
GSS End-of-Life (EOL) Schedule: KB 195893

Resolution

This issue has been reviewed by our Dev team. Please refer to https://www.broadcom.com/log4j.
For the ITMS and GSS products, see: Symantec Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability

Does ITMS/GSS use the Apache log4j library impacted by this issue?

No. The log4j library is not used in the ITMS and GSS products. EPM products do not use the log4j library and are not impacted by CVE-2021-44228.


How about CVE-2021-45105?
According to https://bsg-confluence.broadcom.net/pages/viewpage.action?pageId=425471946, ITMS, GSS and ServiceDesk do not use the log4j library, so CVE-2021-45105 is N/A (Not Applicable).
 
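The answers above rest on whether log4j-core is present on a system at all. The script below is an added example, not part of this article or of the ITMS/GSS products: it shows how an administrator can verify that on a server by scanning a directory tree for log4j-core jars, reading the version from the jar's Maven metadata and comparing it against the 2.15.0 threshold stated above. It also reports whether the JndiLookup class is present, which is an assumption drawn from the widely documented class-removal mitigation rather than from this article, and it builds constructed sample jars in a temporary directory so it runs offline.

```python
import os, re, tempfile, zipfile
# Markers inside a log4j-core jar (assumes the standard Maven layout, not a shaded/fat jar).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # CVE-2021-44228: Log4j 2.x earlier than 2.15.0 is affected

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '2.0-beta9' parses as (2, 0, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return None if m is None else tuple(int(g or 0) for g in m.groups())

def inspect_jar(path):
    """Return None if the jar is not log4j-core, otherwise a finding dict."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        raw = next((ln.split("=", 1)[1].strip() for ln in props.splitlines()
                    if ln.startswith("version=")), "")
        version = parse_version(raw)
        return {"path": path, "version": raw, "jndi_lookup_present": JNDI_CLASS in names,
                "below_fix": version is not None and version < FIXED_VERSION}

def scan_tree(root):
    """Walk root and collect a finding for every log4j-core jar; unreadable zips are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".jar")):
            try:
                finding = inspect_jar(os.path.join(dirpath, name))
            except zipfile.BadZipFile:
                continue
            if finding:
                findings.append(finding)
    return findings

def make_sample_jar(path, version, include_jndi=True):  # constructed fixture, not a real jar
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode

def scan_samples():
    """Build constructed sample jars in a temp dir and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
        make_sample_jar(os.path.join(root, "log4j-core-2.14.1-patched.jar"), "2.14.1", False)
        return {os.path.basename(f["path"]): f for f in scan_tree(root)}
```

Run scan_tree against an installation directory to list real findings; a jar that is below the fix version but has no JndiLookup class has had the stop-gap mitigation applied and should still be upgraded.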

Additional Information

As of the ITMS 8.5 release, Internet Gateway's dependency on Apache and OpenSSL has been removed.

https://knowledge.broadcom.com/external/article/185012/what-has-changed-in-internet-gateway-85.html

Note:
Regarding CVE-2021-42550:
https://nvd.nist.gov/vuln/detail/CVE-2021-42550 concerns the logback library. There is also no impact on EPM products, as we do not use that library.