DX Unified Infrastructure Management

  • 1.  New vulnerabilities were found on Log4J 1.X

    Posted Feb 09, 2022 08:35 AM

    Hello Folks,

    Could you please help me with this issue. Which probe needs to be upgraded to avoid the vulnerabilities?

    Vulnerability in : Log4J 1.X

    Description
    New vulnerabilities were found on Log4J 1.X, allowing to remotely execute arbitrary code.

    Related CVE

    CVE-2022-23302
    CVE-2022-23305
    CVE-2022-23307

    Impacted platforms & versions
    All versions of Log4j 1.x

    Thanks in advance !
    Akash Saini



  • 2.  RE: New vulnerabilities were found on Log4J 1.X

    Broadcom Employee
    Posted Feb 09, 2022 08:39 AM
    Hi Akash,

    You can refer to the below article to understand everything about DX UIM and log4j impact:
    https://knowledge.broadcom.com/external/article?articleId=230333

    ------------------------------
    Principal Product Manager
    Broadcom Software
    ------------------------------



  • 3.  RE: New vulnerabilities were found on Log4J 1.X

    Posted Feb 09, 2022 09:05 AM
    Hello Ravishu,

    Thanks for the update. It's related to CVE-2021 (https://knowledge.broadcom.com/external/article?articleId=230333) and we have already applied all fixes.

    And my concern is for the CVEs below:
    CVE-2022-23302
    CVE-2022-23305
    CVE-2022-23307



  • 4.  RE: New vulnerabilities were found on Log4J 1.X

    Broadcom Employee
    Posted Feb 09, 2022 09:37 AM
    Glad to hear that you have applied all fixes already!

    At Broadcom, security is a priority for us and we have proactively decided to upgrade our log4j instances to the latest versions. We have already released multiple waves of various probes that have been upgraded to the latest and greatest, and there are more to come.

    Please visit the release notes for the probes that you are using in the TechDocs to see the latest release updates for each of them.

    ------------------------------
    Principal Product Manager
    Broadcom Software
    ------------------------------



  • 5.  RE: New vulnerabilities were found on Log4J 1.X

    Posted Feb 10, 2022 05:23 AM
    Hello Folks,

    Does anyone have any article or docs for avoiding the vulnerabilities in Log4J 1.X?

    Related CVE

    CVE-2022-23302
    CVE-2022-23305
    CVE-2022-23307

    Impacted platforms & versions
    All versions of Log4j 1.x



    Thanks in advance !



  • 6.  RE: New vulnerabilities were found on Log4J 1.X

    Posted Feb 10, 2022 11:27 AM
    The discussion of the exploit usually has this information. The first one says:

    JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.

    So the mitigation here would be to ensure that the attacker does not have write access and that you aren't using LDAP related to the probe. 

    Or stop using the probe that includes the version of the logging utilities. 

    Or you could try deleting that class from the affected jar file and see if the code still runs. It might or it might not.
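
    The third option above (remove the affected class from the jar and see whether the probe still runs) is the same trick many people used for JndiLookup in Log4j 2. Below is an added example for this thread, not Broadcom or DX UIM code, that scans a log4j 1.x jar for the classes the public CVE descriptions name (JMSSink for CVE-2022-23302, JDBCAppender for CVE-2022-23305, the bundled Chainsaw classes for CVE-2022-23307, plus JMSAppender and SocketServer from the older 1.x CVEs) and rewrites the jar without them, the same effect as `zip -d`. The jar it operates on by default is constructed in memory with dummy class bytes so the script runs offline; point it at a real probe jar by passing the path as the first argument. The class-to-CVE table is my mapping from the CVE texts, not something from the thread or the vendor KB.

```python
"""Find and strip the log4j 1.x classes tied to the 1.x CVEs from a jar.

Added example for this thread, not Broadcom/DX UIM code. The prefix -> CVE
table below is taken from the public CVE descriptions (an assumption of
this example, not from the thread). The sample jar is constructed in
memory so the script runs offline.
"""
import io
import zipfile

# Entry-name prefixes inside a log4j 1.x jar and the CVE each one is tied to.
RISKY_PREFIXES = {
    "org/apache/log4j/net/JMSSink": "CVE-2022-23302",       # JMS deserialization
    "org/apache/log4j/jdbc/JDBCAppender": "CVE-2022-23305", # SQL injection
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",         # Chainsaw deserialization
    "org/apache/log4j/net/JMSAppender": "CVE-2021-4104",    # JNDI via JMSAppender
    "org/apache/log4j/net/SocketServer": "CVE-2019-17571",  # SocketServer deserialization
}


def list_entries(jar_bytes):
    """Return the entry names in a jar (a jar is just a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def find_risky_entries(jar_bytes):
    """Return {entry_name: cve} for every entry that matches a risky prefix."""
    hits = {}
    for name in list_entries(jar_bytes):
        for prefix, cve in RISKY_PREFIXES.items():
            if name.startswith(prefix):
                hits[name] = cve
                break
    return hits


def strip_entries(jar_bytes, names_to_drop):
    """Rewrite the jar without the named entries (same idea as `zip -d`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in names_to_drop:
                continue
            # Copy the entry with its original metadata and compression.
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def harden_jar(jar_bytes):
    """Return (hardened_jar_bytes, removed {entry: cve})."""
    hits = find_risky_entries(jar_bytes)
    return strip_entries(jar_bytes, set(hits)), hits


def build_sample_jar():
    """Constructed stand-in for a log4j-1.2.x jar; entries hold dummy bytes."""
    entries = [
        "META-INF/MANIFEST.MF",
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/JMSSink.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
        "org/apache/log4j/chainsaw/Main.class",
        "org/apache/log4j/chainsaw/LoadXMLAction.class",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe dummy class bytes")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            jar = f.read()
    else:
        jar = build_sample_jar()
    hardened, removed = harden_jar(jar)
    for entry, cve in sorted(removed.items()):
        print(f"removed {entry}  ({cve})")
    if len(sys.argv) > 1:
        # Write alongside the original; swap it in only after testing the probe.
        with open(sys.argv[1] + ".hardened", "wb") as f:
            f.write(hardened)
        print(f"wrote {sys.argv[1]}.hardened")
```

    Two caveats a practitioner would want: run this against a copy and restart the probe from the hardened jar in a test environment first, since, as noted above, the code might or might not still run once those classes are gone; and treat it as a stopgap until the vendor-upgraded probe with a current log4j is available, because stripping classes does nothing for the rest of an end-of-life library.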


  • 7.  RE: New vulnerabilities were found on Log4J 1.X

    Posted Feb 17, 2022 03:52 AM
    Thanks Garin,