Layer7 API Management


Layer7 API Gateway - Log4J - CVE-2021-44228

  • 1.  Layer7 API Gateway - Log4J - CVE-2021-44228

    Broadcom Employee
    Posted Dec 10, 2021 06:17 PM

    Date: Dec 10, 2021

    Dear Broadcom Customer,

     

    The purpose of this Advisory is to inform you of a critical vulnerability recently identified in the log4j library, tracked as CVE-2021-44228.

    We are investigating the impact for the Layer7 API Gateway in detail at this time. Preliminary investigation shows that the API Gateway is not affected, as it does not include "JndiLookup.class" in any of the versions. At this time no action is required for the Layer7 API Gateway related to the CVE. We will post further updates as and when they become available.

     

    If you have any questions about this Advisory, please contact Broadcom Support. 

    Thank you,

    Broadcom Product Team
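
The criterion the advisory above relies on, whether a log4j-core jar still carries JndiLookup.class, is easy to check on your own deployment. The scanner below is an added example and is not code from Broadcom or from the advisory: it walks jar, war and ear files, recurses into archives nested inside them (where a shaded or fat jar can hide a log4j-core copy that a directory listing misses), and reports the log4j-core version from the jar's own Maven metadata together with whether the JNDI lookup class is present. The fixture jars it builds are constructed for the demonstration, and any library directory you point scan_tree at is an assumption; the page names no path.

```python
import io
import re
import zipfile
from pathlib import Path

# Class whose presence in a log4j-core 2.x jar is the indicator the advisory
# uses for CVE-2021-44228 exposure (Apache's interim mitigation was to delete
# exactly this entry from the jar).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its jar; used to report the version.
POM_PROPS_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _scan_archive(data: bytes, path: str, findings: list) -> None:
    """Walk one zip archive held in memory, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a plain file with a .jar name)
    with zf:
        names = zf.namelist()
        version = None
        for name in names:
            if POM_PROPS_RE.search(name):
                props = zf.read(name).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = match.group(1).strip() if match else "unknown"
        has_lookup = JNDI_LOOKUP in names
        if has_lookup or version is not None:
            findings.append({"path": path, "log4j_core_version": version, "jndi_lookup": has_lookup})
        # Shaded/fat jars and wars carry log4j-core as a nested archive: recurse.
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{path}!/{name}", findings)


def scan_bytes(data: bytes, label: str) -> list:
    """Scan an archive already in memory; returns one finding per log4j-core hit."""
    findings: list = []
    _scan_archive(data, label, findings)
    return findings


def scan_tree(root) -> list:
    """Scan every archive under a directory (which directory is an assumption, not given on the page)."""
    findings: list = []
    for f in sorted(Path(root).rglob("*")):
        if f.is_file() and f.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(f.read_bytes(), str(f), findings)
    return findings


def build_sample_jar(version: str, include_lookup: bool) -> bytes:
    """Constructed fixture: a minimal jar laid out like log4j-core (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war(inner_jar: bytes) -> bytes:
    """Constructed fixture: a war embedding the jar under WEB-INF/lib, as deployed apps do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war(build_sample_jar("2.14.1", include_lookup=True))
    for hit in scan_bytes(war, "app.war"):
        print(hit)
    # A jar with the class deleted (the "zip -q -d" mitigation) reports jndi_lookup False.
    print(scan_bytes(build_sample_jar("2.14.1", include_lookup=False), "mitigated.jar"))
```

Two caveats when reading the output: a finding with jndi_lookup False but a log4j-core version present means the class has been removed from that jar, which is the advisory's "not affected" condition; and a finding with the class present should be read together with the reported version, because later log4j releases ship the class with JNDI disabled by default, so presence alone is not the whole story.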



  • 2.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 11, 2021 02:55 PM
    Is Live API Creator impacted as well?


  • 3.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Broadcom Employee
    Posted Dec 16, 2021 03:53 PM
    LAC is impacted; please check the Symantec-wide announcement.


  • 4.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 12, 2021 07:32 PM
    Is API Developer Portal impacted as well?


  • 5.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 13, 2021 10:33 AM

    As per the article published at below link, initial assessment indicates no impact on the Portal.
    https://knowledge.broadcom.com/external/article?articleId=230293

    Over the support ticket, I was told that they are still finalizing the review and we will get an announcement soon.

    Thanks,
    aDARSH


  • 6.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 14, 2021 03:47 AM
    I fear there's a typo in the link above; I suppose it should be https://knowledge.broadcom.com/external/article?articleId=230205. Anyway, we still have API Portal 3.5 customers out there. Though this version is EOS, I'd appreciate it if you could also share how they are affected, and recommendations for mitigation. Thanks, Dirk

    ------------------------------
    APIIDA AG
    Germany
    ------------------------------



  • 7.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 16, 2021 02:42 PM
    Hi,

    Is API Portal version 3.5 affected by the log4j issue?

    The article shared below could not be found:
    https://knowledge.broadcom.com/external/article?articleId=230293


  • 8.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Broadcom Employee
    Posted Dec 16, 2021 05:49 PM
    Edited by Wai Yin Chee Dec 16, 2021 05:54 PM
    Hi - Our brief assessment on API Portal 3.5 indicates that this version is not impacted by the log4j version indicated in the CVE. Please note that API Portal 3.5 has reached EOL. We advise that you upgrade to later versions of the API Developer Portal as soon as possible. 



  • 9.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Broadcom Employee
    Posted Dec 16, 2021 04:32 PM
    Portal is impacted; please check the Symantec-wide announcement.


  • 10.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Broadcom Employee
    Posted Dec 16, 2021 05:35 PM
    Please see the following Symantec Product Advisory update, which has the KB article link to the mitigation steps for API Developer Portal.


  • 11.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 13, 2021 03:15 PM
    Amogh, can you request Broadcom to send out a customer-wide notification on no impact? This will save Broadcom a few hundred cases on this topic.


  • 12.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Broadcom Employee
    Posted Dec 13, 2021 06:29 PM
    Edited by Amogh Agrawal Dec 13, 2021 06:30 PM
    Hi Aniket,

    We have already sent out a customer-wide notification. There has been another consolidated notification published as well. We are trying to reach out to customers through all possible channels so everyone will have the latest updates. Besides the Symantec-wide updates, we (Layer7 APIM) will be putting out another notification before EOD today.

    Thanks,
    Amogh.


  • 13.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 14, 2021 11:42 AM
    There seems to be conflicting information regarding the API Gateway.  In this security advisory the preliminary finding is that the API Gateway is not affected:

    https://support.broadcom.com/external/content/security-advisories/Layer7-API-Gateway-Security-Advisory-Log4J-CVE-2021-44228/19791

    However, in this KB article it indicates that the API Gateway should be updated but there are no directions given specific to the API Gateway:

    https://knowledge.broadcom.com/external/article?articleId=230205

    We need clarification on the API Gateway specifically.  At this time, is it recommended to update the API Gateway or not?


  • 14.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 14, 2021 03:12 PM
    Amogh,

    Obviously your answer isn't 100% reliable when Broadcom is publishing articles on the side that say the Layer7 API Gateway is impacted. Please read the answers from Jackie Wilson.

    Not sure what to rely on, community posts or support cases or info on our own.


  • 15.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228

    Posted Dec 14, 2021 09:48 AM
    Hi,

    Any update on the possible impact on the Layer 7 API Gateway? I still don't see it listed as either affected or non-affected on the Security Advisory page:
    https://support.broadcom.com/security-advisory/content/security-advisories/Broadcom-Enterprise-Software-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/ESDSA19792?secured=1


  • 16.  RE: Layer7 API Gateway - Log4J - CVE-2021-44228
    Best Answer

    Broadcom Employee
    Posted Dec 14, 2021 03:09 PM
    Hi Menno,

    API Gateway is not impacted but SSO SDK is impacted. I have just published an announcement. All customers will receive it soon enough.

    Thanks,
    Amogh.