Steps to upgrade/update Advanced Authentication components from log4j version 2.17.0 (or current version) to a newly announced remediated version

Article ID: 231474

Products

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort) CA Strong Authentication CA Risk Authentication

Issue/Introduction

Previously, to remediate the Log4J vulnerability (aka Log4Shell), Broadcom Advanced Authentication provided a fix to create new WAR files to be deployed by customers. These WAR files included the remediated Log4J version 2.17.0. When NIST/Apache discover shortcomings in the currently recommended Log4J versions, they provide newer remediated Log4J versions to upgrade to. Broadcom AA is therefore providing a procedure that lets customers upgrade without waiting for a fix to be delivered, which expedites remediation.

This KB document provides the steps for customers to replace the vulnerable log4j 2.17.0 (or any Log4J version that was later found vulnerable) with the latest version recommended by NIST/Apache. Whenever Broadcom learns of a newer recommended version from NIST/Apache, it will inform AA customers via an advisory to upgrade using this KB document.

Environment

Release : 9.1 and above

Component : AuthMinder (Arcot WebFort)

RiskMinder (Arcot RiskFort)

Cause

Apache/NIST continually recommend upgrading to a newer remediated Log4J version. Quicker remediation steps need to be provided to customers.

Resolution

Pre-Requisite - Please download the latest log4j 2.x version (2.17.1 is the latest currently) from the Maven repository.

For example, the version 2.17.0 JAR files to be replaced are as follows:

           - log4j-1.2-api-2.17.0.jar
           - log4j-api-2.17.0.jar
           - log4j-core-2.17.0.jar

Steps to replace log4j 2.17.0 (or latest version) 

Step #1 - Login to the AA installed machine.

Step #2 - Stop the application server where all AA components are deployed, such as Admin, UDS, Sample Applications, restAPI, UBP and AFM.

Step #3 - Take a backup of the OOTB (Out Of The Box) WAR files listed below, in their respective directories:

       a) Navigate to %ARCOT_HOME%/java/webapps

           - arcotadmin.war
           - aa-restapi.war
           - arcotuds.war
           - ca-userprofiling-application.war

       b) Navigate to %ARCOT_HOME%/samples/java/

           - ca-riskauth-sample-application.war
           - ca-strongauth-sample-application.war
           - ca-riskauth-sample-callouts.war

       c) Navigate to %AFM_HOME%/sampleApplications/

           - bankapp.war
           - customapp.war
           - insuranceapp.war
           - samlsampleapp.war

Step #4 - Extract the WAR files that you are using and, under WEB-INF\lib, replace the existing vulnerable Log4j JAR files with the latest remediated JAR versions (2.17.1 or the latest recommended version).

In this specific example, 9.1.02 (SP2) has the following Log4j (version 2.11) related JAR files under the WEB-INF\lib directory:

           - log4j-1.2-api-2.11.2.jar
           - log4j-api-2.11.2.jar
           - log4j-core-2.11.2.jar

Remove the version 2.11.2 files listed above and replace them with 2.17.1 or the latest version (this example assumes version 2.17.1 is the latest version for CVE-2021-4482):

           - log4j-1.2-api-2.17.1.jar
           - log4j-api-2.17.1.jar
           - log4j-core-2.17.1.jar

Step #5 - Prepare the WAR and redeploy it in the respective application server.

Step #6 - Repeat the same for all the AA Java-based applications that are applicable to you.

Step #7 - Start the application server.

Additional Information

Sample commands in Linux (for arcotadmin.war). The steps below are applicable to all the WAR files.

  • Create a new folder and copy arcotadmin.war into that folder

$ mkdir admin_upgrade

$ cp arcotadmin.war admin_upgrade/

  • Change directory to admin_upgrade/, rename the WAR file to zip and unzip the contents

$ cd admin_upgrade

$ mv arcotadmin.war arcotadmin.zip

$ unzip arcotadmin.zip

  • Remove the original zip file and the old log4j files in WEB-INF/lib

$ rm -f arcotadmin.zip

$ rm -f WEB-INF/lib/log4j-*

  • Copy the new log4j jars (log4j-1.2-api-2.17.0.jar, log4j-api-2.17.0.jar, log4j-core-2.17.0.jar) into the WEB-INF/lib folder

$ cp $ARCOT_HOME/new_log4j/log4j* WEB-INF/lib/

  • Zip the contents to arcotadmin.zip and rename it to arcotadmin.war

$ zip -r arcotadmin.zip *

$ mv arcotadmin.zip arcotadmin.war
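
A check worth running on each rebuilt WAR before redeploying it in Step #5: the added example below (not part of the Broadcom procedure) lists any log4j JAR in WEB-INF/lib that is not at the target version and any of the three expected JARs that is missing. The function names and the sample WAR are constructed for illustration, and the version is read from the JAR file name only, so a renamed JAR would not be recognised.

```python
import re
import zipfile

# Matches the log4j 2.x artifacts named in this article, e.g. WEB-INF/lib/log4j-core-2.11.2.jar
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j-(?:1\.2-api|api|core))-(\d+(?:\.\d+)*)\.jar$")
EXPECTED = {"log4j-1.2-api", "log4j-api", "log4j-core"}


def audit_war(war_path, target_version):
    """Return (stale, missing): JARs at another version, expected JARs absent at target."""
    stale, at_target = [], set()
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = LOG4J_JAR.match(name)
            if not m:
                continue
            artifact, version = m.groups()
            if version == target_version:
                at_target.add(artifact)
            else:
                stale.append((name, version))
    return sorted(stale), sorted(EXPECTED - at_target)


def build_sample_war(path, versions):
    """Constructed test input: a WAR holding empty placeholder JARs at the given versions."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for version in versions:
            for artifact in sorted(EXPECTED):
                war.writestr(f"WEB-INF/lib/{artifact}-{version}.jar", b"")


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        war = os.path.join(tmp, "arcotadmin.war")
        # Simulates a rebuild where the old JARs were left beside the new ones
        build_sample_war(war, ["2.11.2", "2.17.1"])
        stale, missing = audit_war(war, "2.17.1")
        for name, version in stale:
            print(f"STALE   {name} (version {version})")
        for artifact in missing:
            print(f"MISSING {artifact} at 2.17.1")
```

An empty result for both lists means the WAR carries only the target version of the three JARs; any STALE line means an old JAR is still packaged and will be loaded alongside the new one.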