Vulnerability in Log4j 2.52.2 And Older on Siteminder AdminUI
search cancel

Vulnerability in Log4j 2.52.2 And Older on Siteminder AdminUI

book

Article ID: 427332

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction

A number of vulnerabilities have been published for Apache Log4J version 2 impacting Log4j2 2.0-beta9 through to 2.25.2

Siteminder bundles Apache Log4J2 in a number of components, including the Siteminder AdminUI

Log4J by Siteminder Version:

r12.8.7:    Log4j 2.17.2
r12.8.8:    Log4j 2.20.0
r12.8.8.1: Log4j 2.20.0
r12.9:       Log4j 2.20.0

Environment

PRODUCT: Siteminder

COMPONENT: AdminUI

VERSION: 12.8.7; 12.8.8; 12.8.81; 12.9

OPERATING SYSTEM: Any

Cause

The following CVE has been published for log4J impacting all versions of Log4J 2.25.2 and older.

 

CVE-2025-68161  "Apache Log4j Core: Missing TLS hostname verification in Socket appender"

IMPACT:  Medium

DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

IMPACTED: Log4J 2.0.1 - 2.25.2

REMDIATED:  Log4J 2.25.3

Resolution

Update Log4J Siteminder AdminUI to Log4J 2.25.3

1) Download Log4J 2.25.3 from this KB

2) Logon to the Siteminder AdminUI host and back-up the following files (Any log4j files 2.25.2 and older)

<adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib\log4j-api-<existing_version>.jar
<adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib\log4j-core-<existing_version>.jar
<adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib\log4j-slf4j-impl-<existing_version>.jar
OR
<adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib\log4j-slf4j2-impl-<existing_version>.jar

<adminui_installation_path>\adminui\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib\log4j-api-<existing_version>.jar
<adminui_installation_path>\adminui\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib\log4j-core-<existing_version>.jar
<adminui_installation_path>\adminui\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib\log4j-slf4j-impl-<existing_version>.jar
OR
<adminui_installation_path>\adminui\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib\log4j-slf4j2-impl-<existing_version>.jar

3) Stop Administrative UI.

4) Delete the existing log4j jar files (Listed in Step #2)

NOTE: DO NOT delete the "module.xml" files.

5)  Copy the updated log4j2 files into the following directories:

<adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib\log4j-api-2.25.3.jar
<adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib\log4j-core-2.25.3.jar
<adminui_installation_path>\standalone\deployments\iam_siteminder.ear\sso-restapi-services.war\WEB-INF\lib\log4j-slf4j2-impl-2.25.3.jar

<adminui_installation_path>\adminui\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib\log4j-api-2.25.3.jar
<adminui_installation_path>\adminui\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib\log4j-core-2.25.3.jar
<adminui_installation_path>\adminui\standalone\deployments\iam_siteminder.ear\sso-security-services.war\WEB-INF\lib\log4j-slf4j2-impl-2.25.3.jar

<adminui_installation_path>\adminui\modules\com\ca\iam\log4j2\api\main\log4j-api-2.25.3.jar
<adminui_installation_path>\adminui\modules\com\ca\iam\log4j2\core\main\log4j-core-2.25.3.jar

6) Modify the 'module.xml' file in the following directories, pointing to the new 'log4j' file names

<adminui_installation_path>\modules\com\ca\iam\log4j2\api\main\module.xml
<adminui_installation_path>\modules\com\ca\iam\log4j2\core\main\module.xml

EXAMPLE:

    <resources>
        <resource-root path="log4j-api-2.25.3.jar"/>
    </resources>

7) Start the AdminUI

Additional Information

427360 Vulnerability in Log4j 2.52.2 And Older on Siteminder Application Server Agents (ASA)
427325 Vulnerability in Log4j 2.52.2 And Older on the Siteminder Policy Server
427312 Vulnerability in Log4j 2.52.2 And Older on Siteminder Access Gateway
427357 Vulnerability in Log4j 2.52.2 And Older on Siteminder SDK
427332 Vulnerability in Log4j 2.52.2 And Older on Siteminder AdminUI

Apache.org: CVE-2025-68161

CVE.org: CVE-2025-68161

CVE-2025-68161
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
CVE-2021-4104

Attachments

log4j-2.25.3_1770407073392.zip get_app
Powered by Wolken Software