Security Advisory for Log4j vulnerability
To: Symantec Advanced Authentication Customers
From: The Symantec Advanced Authentication Product Team
Subject: Security Advisory for Log4j vulnerability
Dear Symantec Advanced Authentication customer,
The purpose of this Advisory is to inform you of a potential problem that has been recently identified affecting the Symantec Advanced Authentication product due to the reported “Log4j vulnerabilities”. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.
PRODUCT AFFECTED: Symantec Advanced Authentication versions: 9.1, 9.1.01, 9.1.02
PROBLEM DESCRIPTION:
Log4j Versions Affected: All versions from 1.2 -beta9 to 2.16.1
https://nvd.nist.gov/vuln/
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
SOLUTION:
Symantec Advanced Authentication versions 9.1, 9.1.01 and 9.1.02 have been integrated with Log4j 2.17.0. The resulting patch is available to all customers and can be downloaded from https://support.broadcom.com/ under Download Management -> Solution Download.
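One way to confirm after patching that no affected log4j-core jar remains under an installation directory. This is an added example, not part of the advisory or of any Broadcom tooling; it assumes standard `log4j-core-<version>.jar` file names and takes the directory to scan as a hypothetical command-line argument.

```python
import re
import sys
import zipfile
from pathlib import Path

# Range as stated in this advisory: Log4j2 2.0-alpha1 through 2.16.0 is
# affected, except 2.12.3; the issue is fixed in 2.17.0 and 2.12.3.
FIRST_FIXED = (2, 17, 0)
FIXED_EXCEPTIONS = {(2, 12, 3)}
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear"}
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-((?:alpha|beta|rc)\d*))?\.jar$")

def classify(jar_name):
    """Return 'affected', 'fixed' or 'unknown' for a log4j-core jar name."""
    m = JAR_RE.search(jar_name)
    if not m or m.group(1) != "2":
        return "unknown"  # not a plain 2.x release or pre-release name
    version = (2, int(m.group(2)), int(m.group(3) or 0))
    if m.group(4):
        return "affected"  # alpha/beta/rc builds are treated as unpatched
    if version in FIXED_EXCEPTIONS or version >= FIRST_FIXED:
        return "fixed"
    return "affected"

def scan(root):
    """Classify log4j-core jars on disk and one level inside archives."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        if path.name.startswith("log4j-core-"):
            findings[str(path)] = classify(path.name)
        try:
            with zipfile.ZipFile(path) as archive:
                for inner in archive.namelist():
                    if "log4j-core-" in inner and inner.endswith(".jar"):
                        findings[f"{path}!{inner}"] = classify(inner)
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable or not a zip: keep the name-based result
    return findings

if __name__ == "__main__":
    # Assumption: the install directory is passed as the first argument.
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for location, status in sorted(results.items()):
        print(f"{status:9} {location}")
    sys.exit(1 if "affected" in results.values() else 0)
```

The check relies on file names only, so a renamed or shaded jar is reported as `unknown` or not at all. Releases other than the two fixed versions the advisory names are judged purely by the stated range.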
Broadcom Software customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact Broadcom Software Support at https://support.broadcom.com/.