CVE-2021-44832
search cancel

CVE-2021-44832

book

Article ID: 231343

calendar_today

Updated On:

Products

CA Identity Service CA Identity Manager

Issue/Introduction

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

https://nvd.nist.gov/vuln/detail/CVE-2021-44832

Is Identity Suite affected?

Environment

14.1, 14.2, 14.3, 14.4, 14.4.1

Standalone and Virtual Appliance

Cause

This CVE falls into the category as the previously reported JMSAppender. Only vulnerable when that appender is configured (CVE-2021-44228). 

Resolution

IGA suite and components do not configure this JDBCAppender.  We also don’t provide any programmatic control over these log4j appender configurations. It all has to be done via accessing the property file on the given server.  IGA and and its components are not vulnerable to CVE-2021-44832.
 

Additional Information

Broadcom Advisory 

https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793

Powered by Wolken Software