Support Content Notification - Support Portal

BSA-2021-1652

Product/Component

Brocade Fabric OS

2 more products

Notification Id

21312

Last Updated

21 December 2021

Initial Publication Date

11 December 2021

Status

Closed

Severity

High

CVSS Base Score

8.1

WorkAround

Affected CVE

CVE-2021-4104

Summary

Security Advisory ID : BSA-2021-1652

Component : JMSAppender in Log4j 1.2

Revision : 1.0

CVE-2021-4104 - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Brocade has investigated its product line to determine the exposure of Brocade Fibre Channel products from Broadcom.

Products Confirmed Not Vulnerable

No Brocade Fibre Channel Products from Broadcom products are currently known to be affected by this vulnerability.

Revision History

Version	Change	Date
1.0	Initial Publication	December 11, 2021