The following log4j v1 vulnerabilities have been brought to our attention:
Please advise if Nolio is impacted by these vulnerabilities.
Release : 6.7
Component : CA RELEASE AUTOMATION CORE
We have included the results of our analysis below.
Please note:
Besides the default configuration, you may have custom log4j configuration that references vulnerable appender classes. We therefore recommend checking the log4j.properties files to confirm that they do not use any vulnerable log appender classes. Refer to "Additional Information" for details on how to detect whether vulnerable appenders are used in your log4j.properties files.
Scan Analysis Report
Vulnerability | Component | Analysis | Remediation |
CVE-2019-17571 - SocketServer | NAC | SocketServer is not used with default log4j config | Not Applicable (NA) |
CVE-2019-17571 - SocketServer | NES | SocketServer is not used with default log4j config | Not Applicable (NA) |
CVE-2019-17571 - SocketServer | Agent | SocketServer is not used with default log4j config | Not Applicable (NA) |
CVE-2022-23302 - JMSSink vulnerability | NAC | JMSSink is not used | Not Applicable (NA) |
CVE-2022-23302 - JMSSink vulnerability | NES | JMSSink is not used | Not Applicable (NA) |
CVE-2022-23302 - JMSSink vulnerability | Agent | JMSSink is not used | Not Applicable (NA) |
CVE-2021-4104 - JMSAppender vulnerability | NAC | JMSAppender is not used with default log4j config | Not Applicable (NA) |
CVE-2021-4104 - JMSAppender vulnerability | NES | JMSAppender is not used with default log4j config | Not Applicable (NA) |
CVE-2021-4104 - JMSAppender vulnerability | Agent | JMSAppender is not used with default log4j config | Not Applicable (NA) |
CVE-2022-23305 - JDBCAppender vulnerability | NAC | JDBCAppender is not used with default log4j config | Not Applicable (NA) |
CVE-2022-23305 - JDBCAppender vulnerability | NES | JDBCAppender is not used with default log4j config | Not Applicable (NA) |
CVE-2022-23305 - JDBCAppender vulnerability | Agent | JDBCAppender is not used with default log4j config | Not Applicable (NA) |
CVE-2022-23307 - Chainsaw component vulnerability | NAC | Chainsaw is not used | Not Applicable (NA) |
CVE-2022-23307 - Chainsaw component vulnerability | NES | Chainsaw is not used | Not Applicable (NA) |
CVE-2022-23307 - Chainsaw component vulnerability | Agent | Chainsaw is not used | Not Applicable (NA) |
For more information on how to search Nolio's log4j configuration files, please see the following KB article: Scanning Vulnerable appender/classes in log4j.properties
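A scan of the kind recommended in the note above, as an added example (not Broadcom's or Nolio's code, and not the procedure from the referenced KB article): it parses a log4j.properties file, flags appenders whose class matches one of the five CVEs in the table, and reports whether each flagged appender is actually attached to a logger. The fully qualified class names are the standard log4j 1.2 names and do not appear on this page; the sample file is constructed.

```python
import re

# Assumption: standard log4j 1.2 class names; a trailing "." matches a whole package.
FLAGGED = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.chainsaw.": "CVE-2022-23307",
}
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.]+)$")
LOGGER_KEY = re.compile(r"^log4j\.(rootLogger|rootCategory|logger\..+|category\..+)$")

def parse_properties(text):
    """Yield (key, value), skipping '#'/'!' comments and joining '\\' continuations."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1) + [""]
        yield parts[0], parts[1]

def scan(text):
    """Return one finding per flagged appender class declared in the file."""
    appenders, attached = {}, set()
    for key, value in parse_properties(text):
        m = APPENDER_KEY.match(key)
        if m:
            appenders[m.group(1)] = value.strip()
        elif LOGGER_KEY.match(key):
            # Logger value is "LEVEL, appender1, ..."; the first item is the level.
            attached.update(p.strip() for p in value.split(",")[1:])
    return [{"appender": n, "class": c, "cve": cve, "attached": n in attached}
            for n, c in appenders.items() for pat, cve in FLAGGED.items()
            if c == pat or (pat.endswith(".") and c.startswith(pat))]

SAMPLE = """# constructed sample, not a Nolio file
log4j.rootLogger=INFO, FILE, DB
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.DB=org.apache.log4j.jdbc.\\
    JDBCAppender
#log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.OLD=org.apache.log4j.net.JMSAppender
"""
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A finding with `attached` set to false means the appender is declared but not referenced by any logger in that file; it is still worth removing from the configuration.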