CVE-2021-44832, Identity Management and JDBCAppender
Article ID: 231343
Updated On: 03-14-2025
Products
CA Identity Service
CA Identity Manager
Issue/Introduction
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Is Identity Suite affected?
Environment
14.1, 14.2, 14.3, 14.4, 14.4.1
Standalone and Virtual Appliance
Cause
This CVE falls into the category as the previously reported JMSAppender. Only vulnerable when that appender is configured (CVE-2021-44228).
Resolution
IGA suite and components do not configure this JDBCAppender. We also don’t provide any programmatic control over these log4j appender configurations. It all has to be done via accessing the property file on the given server. IGA and and its components are not vulnerable to CVE-2021-44832.
Additional Information
Feedback
Was this article helpful?
Yes
No
Powered by
