Symantec Security Advisory for Log4j 2 Vulnerability for VIP Authentication Hub



Article ID: 230768


Updated On:

Products

VIP Authentication Hub

Issue/Introduction

Symantec products may be susceptible to a flaw in the Apache Log4j 2 library JNDI lookup mechanism. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system.

Is the VIP Authentication Hub product vulnerable to CVEs (Common Vulnerabilities and Exposures) such as CVE-2021-45046 and CVE-2021-44832?

Resolution

Broadcom's VIP Authentication Hub solution is not impacted by the identified CVEs, but the Hazelcast image used by the VIP Authentication Hub solution was flagged. However, please note that the Apache Software Foundation has advised that the environment variable changes are insufficient to exploit the discussed vulnerabilities; hence this article has been updated to remove any information that suggested the VIP Authentication Hub solution was vulnerable. Broadcom concludes that the firewall and egress controls that are usually in place for a VIP Authentication Hub deployment offer some protection against external JNDI access.

For the purposes of Log4j vulnerability mitigation, the VIP Authentication Hub solution has been upgraded to use Log4j version 2.17 binaries, which are not vulnerable. Broadcom's new release dated 2021.Nov.03 with these upgraded Log4j versions is available.
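To confirm that a deployment actually carries the 2.17 binaries referred to above, the following added example (not Broadcom's code) reads the version recorded in a log4j-core jar's Maven pom.properties, notes whether the JndiLookup class is still present, and flags anything older than 2.17.0. The sample jars it builds are constructed test data, not real Log4j artifacts.

```python
"""Check log4j-core jars against the 2.17 baseline this advisory cites (added example)."""
import io
import re
import zipfile

MIN_SAFE = (2, 17, 0)   # version the upgraded VIP Authentication Hub images ship with
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.17.0' or '2.14.1-rc1' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(x or 0) for x in m.groups()) if m else None


def inspect_jar(data):
    """Return (version, has_jndi_lookup) for a log4j-core jar, or None if it is not one.

    Takes raw bytes, so it works on files on disk or on layers pulled out of an image.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if POM not in names:
            return None
        version = None
        for line in jar.read(POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
        return version, JNDI in names


def classify(version, has_jndi):
    """'ok' at 2.17.0 or later; anything older needs the upgrade, with or without JndiLookup."""
    if version is not None and version >= MIN_SAFE:
        return "ok"
    return "needs-upgrade" if has_jndi else "needs-upgrade (JndiLookup removed)"


def make_sample_jar(version, with_jndi=True):
    """Constructed test data: an in-memory zip shaped like log4j-core, not a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            jar.writestr(JNDI, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a class file
    return buf.getvalue()


if __name__ == "__main__":
    for v, j in (("2.14.1", True), ("2.16.0", False), ("2.17.1", False)):
        print(v, classify(*inspect_jar(make_sample_jar(v, j))))
```

Point `inspect_jar` at the jars inside the Hazelcast and other images of a deployment to get the same check on real files.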

The two CVEs listed below were investigated by Broadcom Engineering, with the following results:

1. CVE-2021-45046: The VIP Authentication Hub product is not vulnerable to this CVE, essentially due to how Broadcom uses the Log4j binaries in its solution.

2. CVE-2021-44832: The VIP Authentication Hub product is not vulnerable to this CVE, essentially due to how Broadcom uses the Log4j binaries in its solution.


Additional Information

Below is the link to our documentation that outlines steps to upgrade to the most recent build:

Upgrading VIP Authentication Hub