Security Advisory: CVE-2019-17571 and CVE-2021-4104 log4j 1.2 vulnerability and Broadcom/CA APM

Products Affected:

• APM
• DX Application Performance Management
• DX SaaS
• CA Application Performance Management (APM / Wily / Introscope)
• CA Application Performance Management Agent (APM / Wily / Introscope)
• DX APM SaaS

Description:

CVE-2019-17571

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVE-2021-4104

https://nvd.nist.gov/vuln/detail/CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. 

Environment

• APM SaaS and APM on Premise 
• APM 9.7, 10.0, 10.1, 10.2, 10.3, 10.5, 10.7.x, 10.8.0, 11.x,20.x, 21.x and 22.x
• APMSQL Server 10.5 and 10.7.x,10.8.0

Resolution

• Broadcom Engineering has determined that core APM 9.7 thru APM 10.8.0 servers (Collectors/MOMs/TESS/TIM/WebView) and APM 9.7 thru APM 10.7/10.8.0/11.x/SaaS/20.x/21.x java based agents (i.e. Weblogic, Websphere, Tomcat, EPAgent, UMA,...) are not affected by the above CVEs because APM is using a forked and customized version of Log4j 1.2 which has been optimized and modified from the original Log4j 1.2 and APM does not enable the SocketServer or JMSAppender classes.  This forked and customized version of Log4j 1.2 is maintained by Broadcom and does not rely on external support.
• Broadcom Engineering has determined that the external APMSQL Server bundle available as an additional download for APM 10.5 and 10.7/10.8.0 uses an affected version of the Log4j 1.2 and it's use should be discontinued.  To replace this functionality, please use the built-in APM RestAPI instead.  Please refer to the APM documentation usage of the APM RestAPI to remotely query/download APM metrics over http/https connections.
• APM SaaS and APM 20.2/21.3.1 customers may choose to upgrade their CloudProxy servers to the latest release (21.3.1 HF1) which is available the current SaaS download page or as a separate download on the APM support site.  This new version of CloudProxy has been upgraded to Log4j 2.17 to mitigate any false positives related to security scans.  All versions of cloud proxy do use the affected API from CVE-2019-17571 and CVE-2021-4104.

Should you have any further questions or concerns, please open a case with Broadcom Support.