Original Message:
Sent: Jan 03, 2022 08:12 PM
From: Judy Huntington
Subject: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability
I downloaded and applied the patch to my servers for dSeries 12.2 Server, but now the security team at my company is saying that 2.16 still has a vulnerability and wants to know when we can update to 2.17. Is there a plan for your Product Team to create a patch to update the log4j2.x version to log4j 2.17? And, if so, is there a release date? I need to communicate this to my security team as quickly as possible. Thanks.
Original Message:
Sent: Dec 24, 2021 01:52 AM
From: Ravi Kiran Kunduri
Subject: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability
The product team has come up with the following patches, which are listed in the KB article - https://knowledge.broadcom.com/external/article/230329/cve202144228-log4j-vulnerability-and-es.html - and which will update the log4j2.x version to log4j 2.16.
DE Server / Web Client Patches:
ESP Workload Automation DE and Web Client patches to address the Log4j vulnerability, patched with the log4j 2.16 jar version.
Web Client (12.3.00.00-2321) – 99111317 -- https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111317&os=MULTI-PLATFORM
DE (dSeries) Server – 99111315 -- https://support.broadcom.com/download-center/solution-detail.html?aparNo=99111315&os=MULTI-PLATFORM
The Web Client patch is only for the r12.3 version; other supported Web Client versions are not affected (normal cumulative patch).
The DE (dSeries) Server patch is for the r12.1, r12.2 and r12.3 supported DE versions. No need to shut down the server. This has to be applied on Server, Standby and Standalone installations.
Original Message:
Sent: Dec 13, 2021 12:29 AM
From: Ravi Kiran Kunduri
Subject: dSeries / Agents Security Advisory for Log4j 2 CVE-2021-44228 Vulnerability
****Please note that the mitigation procedure has been updated by Apache and, as a result, we have updated the KB article - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE. Please review it again for the new procedure.****
The ESP dSeries Workload Automation product team has investigated an Apache Log4j 2 remote code execution vulnerability that was recently reported to Apache. CVE identifier CVE-2021-44228 has been assigned to this vulnerability. This is a Critical vulnerability, and exploit code is in the wild. The Log4j team has addressed the vulnerability in Log4j 2.15.0.
Log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1
CVE-2021-44228 Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
Please note that dSeries ships log4j version 2.11.0 in the server's migration folder in the supported 12.1 to 12.3 releases. Please review the article - CVE-2021-44228 - log4j vulnerability and ESP dSeries Workload Automation DE
Please note that Agents are not shipping any version of log4j.
Added comments for Web Client as well -
We have reviewed the Web Client's log4j while analyzing all the components, and since we use the Spring Boot component for it, according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot:
"Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable."
Since we are using the default Spring logging, we are not affected by this even though the log4j2 jars are present in the 12.3 version.
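Added example, not code from the thread or from the product: a Python inventory check that supports both questions raised above (whether the installed log4j-core has reached the minimum version the security team requires, and the Spring Boot point that log4j-api and log4j-to-slf4j jars are not exploitable on their own). It walks an install tree, classifies each Log4j 2 jar, reads the version from the jar manifest rather than trusting the file name, and flags core jars below a caller-chosen minimum. The directory layout and versions in SAMPLE_JARS are constructed for the demo, not the product's real file layout.

```python
import os
import re
import tempfile
import zipfile

# Artifact name and version from a Log4j 2 jar file name, e.g. log4j-core-2.11.0.jar.
JAR_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+\.\d+(?:\.\d+)?)\.jar$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))  # '2.11.0' -> (2, 11, 0), so 2.11 sorts after 2.9

def jar_version(path, fallback):
    """Prefer the manifest's Implementation-Version (catches renamed jars); else the file-name version."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return fallback
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else fallback

def scan(root, minimum="2.16.0"):
    """Return sorted (relative path, artifact, version, verdict) for each Log4j 2 jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for m in filter(None, map(JAR_RE.match, files)):
            path = os.path.join(dirpath, m.group(0))
            artifact, version = m.group(1), jar_version(path, m.group(2))
            if artifact != "log4j-core":
                verdict = "api/bridge"     # log4j-api / log4j-to-slf4j: not exploitable on their own
            elif parse_version(version) < parse_version(minimum):
                verdict = "core-outdated"  # the jar the advisory's patch replaces
            else:
                verdict = "core-ok"
            findings.append((os.path.relpath(path, root).replace(os.sep, "/"), artifact, version, verdict))
    return sorted(findings)

# Constructed sample layout mirroring the thread: server migration folder, Web Client, patched server.
SAMPLE_JARS = {"migration/log4j-core-2.11.0.jar": "2.11.0", "webclient/log4j-api-2.14.1.jar": "2.14.1",
               "webclient/log4j-to-slf4j-2.14.1.jar": "2.14.1", "patched/log4j-core-2.16.0.jar": "2.16.0"}

def demo(minimum="2.16.0"):
    """Build empty but well-formed sample jars in a temp dir and return {relative path: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in SAMPLE_JARS.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zipfile.ZipFile(path, "w") as zf:
                zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
        return {path: verdict for path, _, _, verdict in scan(root, minimum)}
```

Calling `scan("/path/to/install", minimum="2.17.0")` reproduces the security team's stricter bar from the first message; a patched 2.16 server then shows up as `core-outdated`.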