Previously, to remediate the Log4J vulnerability (aka Log4Shell), Broadcom Advanced Authentication provided a fix that delivered new WAR files for customers to deploy. These WAR files included the remediated Log4J version 2.17.0. As NIST/Apache discover shortcomings in the currently recommended Log4J versions, they publish newer remediated versions to upgrade to. Hence, Broadcom AA is providing a procedure that lets customers upgrade themselves, without waiting for a fix to be delivered, which expedites remediation.
This KB document gives customers the steps to replace the vulnerable log4j 2.17.0 (or any Log4J version that is later found vulnerable) with the latest version recommended by NIST/Apache. Whenever Broadcom learns of a newer recommended version from NIST/Apache, it will inform AA customers via an advisory to upgrade using this KB document.
Release : 9.1 and above
Component : AuthMinder (Arcot WebFort)
RiskMinder (Arcot RiskFort)
Apache/NIST continually recommend upgrading to a newer remediated Log4J version, so customers need a quicker set of remediation steps.
Pre-Requisite - Download the latest log4j 2.x version (2.17.1 is the latest at the time of writing) from the Maven repository.
For example, the version 2.17.0 JAR files to be replaced are as follows:
- log4j-1.2-api-2.17.0.jar
- log4j-api-2.17.0.jar
- log4j-core-2.17.0.jar
Steps to replace log4j 2.17.0 (or latest version)
Step #1 - Log in to the machine where AA is installed.
Step #2 - Stop the application server where the AA components (Admin, UDS, Sample Applications, restAPI, UBP and AFM) are deployed.
Step #3 - Take a backup of the OOTB (Out Of The Box) WAR files listed below, in their respective directories:
a) Navigate to %ARCOT_HOME%/java/webapps
- arcotadmin.war
- aa-restapi.war
- arcotuds.war
- ca-userprofiling-application.war
b) Navigate to %ARCOT_HOME%/samples/java/
- ca-riskauth-sample-application.war
- ca-strongauth-sample-application.war
- ca-riskauth-sample-callouts.war
c) Navigate to %AFM_HOME%/sampleApplications/
- bankapp.war
- customapp.war
- insuranceapp.war
- samlsampleapp.war
Step #4 - Extract the WAR files you are using and, under WEB-INF\lib, replace the existing vulnerable Log4j JAR files with the latest remediated JAR versions (2.17.1 or the latest recommended version).
For this specific example, 9.1.02 (SP2) ships the following Log4j (version 2.11) JAR files under the WEB-INF\lib directory:
- log4j-1.2-api-2.11.2.jar
- log4j-api-2.11.2.jar
- log4j-core-2.11.2.jar
Remove the version 2.11.2 files listed above and replace them with 2.17.1 or the latest version (in this specific case assuming version 2.17.1 is the latest version for CVE-2021-4482):
- log4j-1.2-api-2.17.1.jar
- log4j-api-2.17.1.jar
- log4j-core-2.17.1.jar
Step #5 - Repackage the WAR and redeploy it in the respective app server.
Step #6 - Repeat the same for all the AA Java-based applications that apply to you.
Step #7 - Start the application server.
Sample commands in Linux (for arcotadmin.war). The same steps apply to all the WAR files.
# Work in a scratch directory so the webapps directory is not littered with extracted files
$ mkdir admin_upgrade
$ mv arcotadmin.war admin_upgrade/
$ cd admin_upgrade
# A WAR is a zip archive: rename, unpack, then drop the archive
$ mv arcotadmin.war arcotadmin.zip
$ unzip arcotadmin.zip
$ rm -f arcotadmin.zip
# Remove the old Log4j JARs (the directory inside a WAR is WEB-INF, not WEB_INF)
$ rm -f WEB-INF/lib/log4j-*
# $ARCOT_HOME/new_log4j holds the JARs downloaded from the Maven repository (e.g. 2.17.1)
$ cp $ARCOT_HOME/new_log4j/log4j* WEB-INF/lib/
# Repackage and rename back to .war, then redeploy the result in the app server
$ zip -r arcotadmin.zip *
$ mv arcotadmin.zip arcotadmin.war
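Steps #3 to #5 and the Linux sample commands above, carried out with Python's standard zipfile module instead of unzip/zip, as an added example that is not Broadcom's own tooling. It assumes a WAR is a plain zip archive with its JARs under WEB-INF/lib/ and that the Log4j JARs follow the Maven naming <artifact>-<major.minor.patch>.jar; the names arcotadmin.war and new_log4j mirror the sample commands, and the JAR contents used by demo() are constructed placeholders rather than real JARs. Beyond the commands on the page, it adds the check a practitioner wants before Step #7: list the Log4j versions a WAR actually carries and flag any artifact still below the recommended version.

```python
"""Added example (not Broadcom's own tooling): swap the Log4j JARs inside a WAR
and verify that nothing older than the recommended version remains.

Assumptions: a WAR is a plain zip archive with its JARs under WEB-INF/lib/, and
Log4j JARs follow the Maven naming <artifact>-<major.minor.patch>.jar. The names
arcotadmin.war and new_log4j mirror the KB's sample commands; the JAR bytes used
in demo() are constructed placeholders, not real JARs.
"""
import os
import re
import tempfile
import zipfile

# Matches e.g. WEB-INF/lib/log4j-1.2-api-2.17.0.jar -> ("log4j-1.2-api", "2.17.0")
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j-[a-z0-9.\-]+?)-(\d+\.\d+\.\d+)\.jar$")
ARTIFACTS = ("log4j-1.2-api", "log4j-api", "log4j-core")


def version_tuple(v):
    """'2.17.1' -> (2, 17, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def list_log4j_jars(war_path):
    """Return {artifact: version} for every Log4j JAR under WEB-INF/lib
    (the shell equivalent is `unzip -l arcotadmin.war | grep log4j`)."""
    found = {}
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = LOG4J_JAR.match(name)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def replace_log4j_jars(war_path, new_jar_dir):
    """Steps #3-#5 in one go: keep the OOTB WAR as <war>.bak, then rewrite the WAR
    with every Log4j JAR dropped and the JARs from new_jar_dir added.
    Returns (removed_entries, added_entries)."""
    backup_path = war_path + ".bak"
    os.replace(war_path, backup_path)
    removed, added = [], []
    with zipfile.ZipFile(backup_path) as src, \
         zipfile.ZipFile(war_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if LOG4J_JAR.match(item.filename):
                removed.append(item.filename)
                continue  # old log4j-*.jar is simply not copied over
            dst.writestr(item, src.read(item.filename))
        for fname in sorted(os.listdir(new_jar_dir)):
            if fname.startswith("log4j") and fname.endswith(".jar"):
                entry = "WEB-INF/lib/" + fname
                with open(os.path.join(new_jar_dir, fname), "rb") as fh:
                    dst.writestr(entry, fh.read())
                added.append(entry)
    return removed, added


def below_minimum(war_path, minimum):
    """Artifacts whose version is still below `minimum`; an empty list means the WAR is remediated."""
    need = version_tuple(minimum)
    return sorted(a for a, v in list_log4j_jars(war_path).items() if version_tuple(v) < need)


def build_sample_war(path, version):
    """Constructed sample: a minimal WAR carrying placeholder Log4j JARs of `version`."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for art in ARTIFACTS:
            war.writestr(f"WEB-INF/lib/{art}-{version}.jar", b"placeholder jar bytes")


def demo(old="2.11.2", new="2.17.1"):
    """Run the procedure end to end in a temp directory and return what each check saw."""
    with tempfile.TemporaryDirectory() as tmp:
        war = os.path.join(tmp, "arcotadmin.war")
        build_sample_war(war, old)
        new_dir = os.path.join(tmp, "new_log4j")  # the KB's staging directory name
        os.mkdir(new_dir)
        for art in ARTIFACTS:  # constructed stand-ins for the JARs downloaded from Maven
            with open(os.path.join(new_dir, f"{art}-{new}.jar"), "wb") as fh:
                fh.write(b"placeholder jar bytes")
        result = {"before": list_log4j_jars(war), "flagged_before": below_minimum(war, new)}
        result["removed"], result["added"] = replace_log4j_jars(war, new_dir)
        result["after"] = list_log4j_jars(war)
        result["flagged_after"] = below_minimum(war, new)
        result["backup_kept"] = os.path.exists(war + ".bak")
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the before/after listing for the constructed WAR. The useful part on a real system is below_minimum(): run it against every repackaged WAR (and, for completeness, against the OOTB backups) before starting the application server in Step #7, since a WAR that still lists an older log4j-core is not remediated no matter what was copied into WEB-INF/lib.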