 CA Release Automation - Run Deployment Plan plugin update to mitigate CVE-2021-44228

Nishaat Rajabali posted Dec 17, 2021 06:38 AM
We are currently using CA Release Automation - Run Deployment Plan (Nolio) 5.0.9

We noticed the plugin on the agent side is using \plugins\deploy-runner-agent\lib\log4j-1.2.12.jar

Can you confirm if 5.0.9 is affected by the log4j vulnerability CVE-2021-44228?

If yes then when can we expect an updated version?

Thanks
Nish
Broadcom Employee Saurabh Jain Best Answer
Hi Nish,

CA Release Automation (CARA), a.k.a. Nolio (all supported versions) is not affected by this vulnerability (CVE-2021-44228) as the Log4j version used in Nolio is outside the affected range (Log4j 2.0 - 2.14.1).

CA Release Automation (CARA), a.k.a. Nolio (all supported versions) is not affected by this vulnerability (CVE-2021-4041) as it only affects Log4j 1.2 when specifically configured to use JMSAppender - which is not used in Nolio.

Please refer to the KB for more details: https://knowledge.broadcom.com/external/article?articleId=230302

Let us know in case of any further query.

Regards,
Saurabh
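
A first-pass inventory check built on the two conditions in the answer above (the Log4j 2.0 - 2.14.1 range given for CVE-2021-44228, and JMSAppender being configured for Log4j 1.2), as an added example that is not from the original thread or from Broadcom. The function names and the sample config are assumptions made for illustration; `log4j.properties` and `log4j.xml` are the default Log4j 1.x config file names.

```python
import os
import re

# Range the answer gives for CVE-2021-44228: Log4j 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 14, 1)
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)+)(?:-[A-Za-z]\w*)?\.jar$", re.I)
JMS_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")
# Constructed sample config, not taken from a Nolio installation.
SAMPLE_CONFIG = ("log4j.rootLogger=INFO, file\n"
                 "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
                 "log4j.appender.file=org.apache.log4j.RollingFileAppender\n")

def classify_jar(filename):
    """Return (version, verdict) for a Log4j jar file name, else None."""
    m = JAR_RE.match(re.split(r"[\\/]", filename)[-1])  # accept \ or / paths
    if not m:
        return None
    version = tuple(int(p) for p in m.group(1).split("."))
    if version[0] == 1:
        verdict = "1.x: outside CVE-2021-44228 range; check for JMSAppender"
    elif AFFECTED_MIN <= version <= AFFECTED_MAX:
        verdict = "2.x: inside CVE-2021-44228 range"
    else:
        verdict = "outside CVE-2021-44228 range"
    return m.group(1), verdict

def uses_jms_appender(config_text):
    """True if an uncommented line of a Log4j 1.x config names JMSAppender."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith(("#", "!")) and JMS_RE.search(stripped):
            return True
    return False

def scan(root):
    """Walk root; list Log4j jars and Log4j 1.x configs enabling JMSAppender."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            result = classify_jar(name)
            if result:
                findings.append((path, *result))
            elif name.lower() in ("log4j.properties", "log4j.xml"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if uses_jms_appender(fh.read()):
                        findings.append((path, "config", "JMSAppender configured"))
    return findings

if __name__ == "__main__":
    print(classify_jar(r"\plugins\deploy-runner-agent\lib\log4j-1.2.12.jar"))
    print(uses_jms_appender(SAMPLE_CONFIG))
```

File names are only a first pass: a renamed or shaded jar has to be identified from its manifest or class contents instead.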