A high-severity vulnerability impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.
This critical vulnerability, CVE-2021-44228, nicknamed ‘Log4Shell’, requires immediate attention. It affects Apache Log4j 2.x versions earlier than 2.15.0.
The vulnerability could allow unauthenticated remote code execution, resulting in an attacker gaining full control of an exploited server. Apache Log4j is used by many open-source projects and commercial off-the-shelf software packages, and may also be used within internally developed applications. Malicious actors are conducting widespread public scans, actively targeting and attempting to exploit this vulnerability.
Note:
This also applies to CVE-2021-45105
This issue has been reviewed by our Dev team. Please refer to https://www.broadcom.com/log4j
For the ITMS and GSS product division, see: Symantec Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability
Does ITMS/GSS use the Apache log4j library impacted by this issue?
No. The log4j library is not used in ITMS or GSS products. EPM products do not use the log4j library and are not impacted by CVE-2021-44228.
As of the ITMS 8.5 release, Internet Gateway no longer depends on Apache or OpenSSL; that dependency has been removed.
https://knowledge.broadcom.com/external/article/185012/what-has-changed-in-internet-gateway-85.html
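For anyone who wants to confirm the statement above on their own hosts, the following added example (not Broadcom's or the Log4j project's code) walks an install directory, identifies log4j-core jars by their embedded Maven pom.properties (falling back to the file name), and flags any release older than 2.15.0, the cutoff the advisory gives for CVE-2021-44228; the `FIXED_VERSION` floor is a parameter so it can be raised for the later CVEs also mentioned here.

```python
import os
import re
import sys
import zipfile
from typing import List, Optional, Tuple

# Per the advisory above, Log4j 2.x releases before 2.15.0 carry CVE-2021-44228.
# Raise this floor to cover the later CVEs it also mentions (e.g. CVE-2021-45105).
FIXED_VERSION = (2, 15, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))

def log4j_core_version(path: str) -> Optional[Tuple[int, ...]]:
    """Version of a log4j-core jar (() if unknown), or None if the jar is not log4j-core.
    The Maven pom.properties inside the jar is authoritative; the file name is a fallback."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPS in names:
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
            if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
                return None  # some other jar entirely
    except (zipfile.BadZipFile, OSError):
        return None
    m = NAME_RE.match(os.path.basename(path))
    return parse_version(m.group(1)) if m else ()  # log4j-core, version unknown

def find_vulnerable_log4j(root: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> List[tuple]:
    """Walk root and list (path, version) for every log4j-core jar older than fixed."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            # An unknown version (empty tuple) sorts below every real one: treat as affected.
            if version is not None and version < fixed:
                findings.append((path, version))
    return findings

if __name__ == "__main__":
    floor = ".".join(map(str, FIXED_VERSION))
    for path, version in find_vulnerable_log4j(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: log4j-core {'.'.join(map(str, version)) or 'unknown'} < {floor}")
```

Run it as `python scan_log4j.py /path/to/install`; an empty result means no log4j-core jar below the floor was found in that tree (nested jars inside other archives are not unpacked).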
Note:
Regarding CVE-2021-42550:
https://nvd.nist.gov/vuln/detail/CVE-2021-42550 concerns the logback library. There is likewise no impact on EPM products, as we do not use that library.