Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

CA Release Automation(CARA)/Nolio: All supported versions

Components: All Components (Management Server, Execution Server and Agents)

CA Release Automation(CARA), a.k.a. Nolio (all supported versions) is not affected by this vulnerability (CVE-2021-44228) as the Log4j version used in Nolio (Log4j 1.2.16) is outside the affected range (Log4j 2.0 - 2.14.1).

CA Release Automation will be providing updated log4j 2.x libraries in the CARA version 6.8 tentative release timelines will be end of Year 2022.

• The log4j 2.* have changes in the jar in terms of classes name etc. and hence RA need to adapt to those changes so a jar replacement is not an option.

For additional information related to Log4j v1 vulnerabilities please see the following KB Article: Log4j v1 Vulnerabilities

For more information on how to search Nolio's log4j configuration files, please see the following KB article: Scanning Vulnerable appender/classes in log4j.properties