Symantec Security Advisory for Log4j 2 Vulnerability for VIP Auth Hub



Article ID: 230768


Products

VIP Authentication Hub

Issue/Introduction

Symantec products may be susceptible to a flaw in the Apache Log4j 2 library JNDI lookup mechanism. A remote attacker who can trigger Log4j to log crafted malicious strings can execute arbitrary code on the target system.

Is the VIP Authentication Hub product vulnerable to this?

Environment

Release : 1.0

Component : VIP Authentication Hub

Resolution

VIP AuthHub itself is not impacted, but the Hazelcast image in the AuthHub solution is vulnerable.

Apache has advised that the environment variable change is insufficient to address all of the vulnerabilities, so this article has been updated to remove that information. We believe that the firewall and egress controls that are usually in place for the AuthHub deployment offer some protection against external JNDI access.

For the purposes of log4j vulnerability mitigation, the AuthHub solution has been upgraded to use log4j version 2.17, and this new 2021.Nov.03 release is now available.

CVE-2021-45046: We have investigated this CVE as well and found no direct access to the vulnerability with how we are using log4j in the product.

CVE-2021-44832: We have investigated this CVE as well and found no direct access to the vulnerability with how we are using log4j in the product. The Auth Hub product is not vulnerable to this CVE.

 

Additional Information

Below is the link to our documentation that outlines steps to upgrade to the most recent build:

Upgrading VIP Authentication Hub