Symantec Security Advisory for Log4j Vulnerability

Advisory ID: 19793
Updated: 12 April 2022
Published: 10 December 2021
Status: CLOSED
Severity: CRITICAL
CVSS: 10

Summary

Symantec products may be susceptible to a flaw in the Apache Log4j 2 library JNDI lookup mechanism. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.

Layer7 API Developer Portal
CVE: CVE-2021-44228
Supported Version(s): 4.4; 4.5; 5.0 & 5.0 CR1; 5.0.2 & 5.0.2.1
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Layer7 API Developer Portal SaaS
CVE: CVE-2021-44228
Supported Version(s): 5.0.3
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Layer7 API Gateway
CVE: CVE-2021-44228
Supported Version(s): 9.4; 10.0; 10.1
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Layer7 Live API Creator
CVE: CVE-2021-44228
Supported Version(s): 5.4; 5.1-5.3 (EOS)
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Symantec Advanced Authentication
CVE: CVE-2021-44228
Supported Version(s): 9.1; 9.1.01; 9.1.02
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230301

Symantec Endpoint Detection and Response (EDR) On-premise
CVE: CVE-2021-44228, CVE-2021-45046
Supported Version(s): 2.x, 3.x, 4.x
Remediation: Upgrade to 4.6.8 or apply patch atp-patch-generic-4.6-1 to versions 4.6.0, 4.6.5, and 4.6.7. The product patch is only supported for versions 4.6.0 and above. All other customers must upgrade to 4.6.8.

Symantec Identity Governance and Administration
CVE: CVE-2021-44228
Supported Version(s): 14.2; 14.3; 14.4
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230278

Symantec Privileged Access Manager
CVE: CVE-2021-44228, CVE-2021-45046
Supported Version(s): 3.4.x; 4.0.x
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230405

Symantec Privileged Access Manager Server Control
CVE: CVE-2021-44228, CVE-2021-45046
Supported Version(s): 14.0.x; 14.1.x
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230586

Symantec Privileged Identity Manager
CVE: CVE-2021-44228, CVE-2021-45046
Supported Version(s) and Remediation:
12.9.x: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230668
14.0: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230670

Symantec SiteMinder (CA Single Sign-on)
CVE: CVE-2021-44228
Supported Version(s): 12.8.x Policy Server; 12.8.x Administrative UI; 12.8.x Access Gateway; 12.8.x SDK; 12.7 and 12.8 ASA Agents
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230270

Symantec VIP Authentication Hub (separate from Symantec VIP)
CVE: CVE-2021-44228
Supported Version(s): All releases of AuthHub
Remediation: Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230768

Web Isolation (WI) On-premise
CVE: CVE-2021-44228
Supported Version(s): 1.14
Remediation: Apply the Log4j patch available on Support Downloads. Please refer to the following KB article for patch instructions: https://knowledge.broadcom.com/external/article?articleId=230812

The following products have not been demonstrated to be affected but may be affected. Customers are advised to apply the recommended remediations to mitigate any possible risk.

LiveUpdate Administrator (LUA)
CVE: CVE-2021-44228, CVE-2021-45046
Supported Version(s): 2.3.8, 2.3.9
Remediation: Upgrade to 2.3.10.

Symantec Endpoint Protection Manager (SEPM)
CVE: CVE-2021-44228, CVE-2021-45046
Supported Version(s): 14.2 and above
Remediation: A fix for Symantec Endpoint Protection Manager (SEPM) is available in 14.3 RU3 build 5427. Please refer to the following KB article: https://knowledge.broadcom.com/external/article/230359

Symantec Endpoint Protection (SEP) for Mobile
CVE: CVE-2021-4104
Remediation: SEP for Mobile was found affected and was already remediated.

Threat Defense for Active Directory (TDAD)
CVE: CVE-2021-4104
Supported Version(s): All versions
Remediation: Upgrade to 3.6.2.4.

The following Symantec SaaS services were found to be affected. If a vulnerability was remediated in a SaaS service, customers do not need to take any additional action.

Cloud Workload Assurance (CWA)
CVE: CVE-2021-44228, CVE-2021-45046
Remediation: Some CWA dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Cloud Workload Protection (CWP)
CVE: CVE-2021-44228, CVE-2021-45046
Remediation: Some CWP dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Cloud Workload Protection for Storage (CWP:S)
CVE: CVE-2021-44228, CVE-2021-45046
Remediation: Some CWP:S dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Email Security Service (ESS)
CVE: CVE-2021-44228, CVE-2021-45046
Remediation: ESS was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 17.

Industrial Control System Protection (ICSP)
CVE: CVE-2021-44228, CVE-2021-45046
Remediation: ICSP was found to be affected. An initial remediation was deployed on Dec 15. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 21.

Secure Access Cloud (SAC)
CVE: CVE-2021-44228
Remediation: SAC was found affected and was already remediated.

Symantec Endpoint Security (SES)
CVE: CVE-2021-44228
Remediation: SES was found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Web Isolation (WI) Cloud
CVE: CVE-2021-44228
Remediation: WI Cloud was found affected and was already remediated.

Web Security Service (WSS) Reporting
CVE: CVE-2021-44228
Remediation: WSS Reporting was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 16.

Additional Product Information

The following products are not vulnerable:
Advanced Secure Gateway (ASG)
BCAAA
CloudSOC Cloud Access Security Broker (CASB)
Content Analysis (CA)
Critical System Protection (CSP)
Data Center Security (DCS)
Data Loss Prevention (DLP)
HSM Agent
Ghost Solution Suite (GSS)
Information Centric Analytics (ICA)
Information Centric Tagging (ICT)
Integrated Cyber Defense Exchange (ICDx)
Integrated Secure Gateway (ISG)
Intelligence Services / WebFilter / WebPulse
IT Analytics (ITA)
IT Management Suite
Layer7 Mobile API Gateway
Management Center (MC)
Mirror Gateway
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
Security Analytics (SA)
ServiceDesk
SSL Visibility (SSLV)
Symantec Directory
Symantec Control Compliance Suite (CCS)
Symantec Endpoint Encryption (SEE)
Symantec Endpoint Protection (SEP) Agent

Symantec Insight Private Cloud
Symantec Mail Security for Microsoft Exchange (SMSMSE)
Symantec Messaging Gateway (SMG)
Symantec PGP Solutions
Symantec Protection Engine (SPE)
Symantec Protection for SharePoint Servers (SPSS)
Symantec VIP

Symantec Protection Bulletins

Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2021-44228 in customer environments. Refer to the following publications for more information:

Issue Details

CVE-2021-44228
Severity / CVSS v3.1: Critical / 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
References: NVD: CVE-2021-44228
Impact: Remote code execution (RCE)
Description: The Apache Log4j 2 JNDI lookup functionality allows loading executable code from remote sources. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system. Other unknown security impact is also possible.


CVE-2021-4104
Severity / CVSS v3.1: High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2021-4104
Impact: Remote code execution
Description: Apache Log4j 1.2 allows malicious Log4j configuration files to trigger JNDI lookups and cause remote code execution. A remote attacker, with write access to the Log4j configuration, can execute arbitrary code on the target system.

CVE-2021-45046
Severity / CVSS v3.x: Critical / 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
References: NVD: CVE-2021-45046
Impact: Remote code execution, denial of service
Description: The Apache Log4j 2 JNDI lookup functionality allows loading executable code from remote sources. A remote attacker, who controls Thread Context Map (MDC) input data, can execute arbitrary code on the target system or cause denial of service. This vulnerability is caused by an incomplete fix to CVE-2021-44228 in certain non-default Log4j configurations. Apache Log4j 2.16 resolves this vulnerability.
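To turn the fix thresholds described above into an inventory check, here is an added example (not Symantec's, Broadcom's or Apache's code) that inspects a log4j-core jar: it reads the Maven version from pom.properties, checks whether JndiLookup.class is still present, and reports which of CVE-2021-44228 and CVE-2021-45046 apply. It assumes the jar carries pom.properties at the standard Maven path and uses 2.15.0 and 2.16.0 as the respective fix versions (the advisory states that 2.16 resolves CVE-2021-45046); the sample jars are constructed in memory.

```python
# Added example (not Symantec/Broadcom/Apache code): flag log4j-core jars affected by
# CVE-2021-44228 / CVE-2021-45046. Assumes Maven metadata at POM below and the
# fix thresholds 2.15.0 (CVE-2021-44228) and 2.16.0 (CVE-2021-45046).
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so that versions compare numerically."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def assess_jar(jar_bytes):
    """Return version, whether JndiLookup.class is present, and the CVEs that apply."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM not in names:
            raise ValueError("not a log4j-core jar: no pom.properties")
        props = dict(line.split("=", 1) for line in zf.read(POM).decode().splitlines()
                     if "=" in line and not line.startswith("#"))
    version = parse_version(props["version"])
    jndi_present = JNDI_CLASS in names
    cves = []
    # Removing JndiLookup.class (the upstream 2.x mitigation) closes the JNDI
    # lookup path the advisory describes, whatever the version string says.
    if jndi_present:
        if version < (2, 15, 0):
            cves.append("CVE-2021-44228")
        if version < (2, 16, 0):
            cves.append("CVE-2021-45046")
    return {"version": ".".join(map(str, version)),
            "jndi_lookup_present": jndi_present, "cves": cves}


def build_sample_jar(version, include_jndi=True):
    """Constructed in-memory stand-in for a log4j-core jar (offline test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, "#Generated by Maven\nversion=%s\nartifactId=log4j-core\n" % version)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Shaded or repackaged jars may not carry pom.properties at that path; for those, the presence of JndiLookup.class is still the useful signal, and a jar without Maven metadata should be examined by hand rather than assumed clean.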


References


Revisions

2022-01-20 20:20 ET - A fix for CVE-2021-4104 for Threat Defense for Active Directory (TDAD) is available in 3.6.2.4. Advisory Status moved to Closed.
2022-01-12 10:40 ET - SEP for Mobile was found affected for CVE-2021-4104 and was already remediated. Removed CVE-2021-4104 from under investigation for Symantec Endpoint Security (SES).
2022-01-07 00:10 ET - Added Symantec VIP Security Advisory link to the references
2021-12-27 13:20 ET - Added Symantec Endpoint Protection (SEP) for Mobile is under investigation for CVE-2021-4104.
2021-12-23 20:10 ET - The complete remediation for CVE-2021-44228 for Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and Symantec Endpoint Security (SES) was deployed on Dec 23.
2021-12-21 20:00 ET - The complete remediation for Industrial Control System Protection (ICSP) was deployed on Dec 21.
2021-12-20 11:15 ET - Added CVE-2021-4104 and CVE-2021-45046.
2021-12-20 14:21 ET - On-premise Web Isolation (WI) 1.14 is affected. Apply the patch available on Support Downloads.
2021-12-20 10:20 ET - A fix for LiveUpdate Administrator (LUA) is available in 2.3.10.
2021-12-18 22:14 ET - Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2021-44228 in customer environments. See more information in the Symantec Protection Bulletins section.
2021-12-17 21:30 ET - Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and Symantec Endpoint Security (SES) were found to be affected. An initial remediation was deployed on Dec 16. Broadcom is actively working on deploying the complete remediation.
2021-12-17 19:30 ET - A fix for Symantec Endpoint Detection and Response (EDR) On-premise is available in 4.6.8 or by applying patch atp-patch-generic-4.6-1 to versions 4.6.0, 4.6.5, and 4.6.7. 
2021-12-17 18:25 ET - Email Security Service (ESS) was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 17.
2021-12-17 16:25 ET - Web Isolation (WI) Cloud was found affected and was already remediated.
2021-12-17 14:45 ET - Moved LiveUpdate Administrator (LUA) to the Affected Product(s).
2021-12-17 12:00 ET - A fix for LiveUpdate Administrator (LUA) is available in 2.3.10.
2021-12-16 18:40 ET - Intelligence Services / WebFilter / WebPulse and Threat Defense for Active Directory (TDAD) are not vulnerable.
2021-12-16 15:00 ET - WSS Reporting was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 16.
2021-12-16 14:35 ET - Moved Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and SES Cloud Console (SESC) to under investigation.
2021-12-16 12:55 ET - Added Symantec IGA to the Affected Product List along with mitigation instructions.
2021-12-16 12:00 ET - Secure Access Cloud (SAC) was found affected and was already remediated.
2021-12-16 9:55 ET - A fix for Symantec Endpoint Protection Manager (SEPM) is available in 14.3 RU3 build 5427.
2021-12-15 18:20 ET - Moved Web Security Service (WSS) Reporting to under investigation.
2021-12-15 14:45 ET - Moved Email Security Service (ESS) to under investigation.
2021-12-15 11:00 ET - Added Symantec Privileged Access Manager to the Affected Product List along with mitigation instructions.
2021-12-15 00:30 ET - Added Symantec Privileged Identity Manager to the Affected Product List along with mitigation instructions.
2021-12-14 19:50 ET - Symantec Endpoint Protection (SEP) for Mobile is not vulnerable.
2021-12-14 18:15 ET - Information Centric Tagging (ICT) and Symantec Insight Private Cloud are not vulnerable.
2021-12-14 17:30 ET - LiveUpdate Administrator (LUA) all supported versions are affected.
2021-12-14 15:02 ET - Email Security Service (ESS) was found affected.
2021-12-14 14:35 ET - Management Center is not vulnerable.
2021-12-14 13:05 ET - ICDx is not vulnerable.
2021-12-14 12:25 ET - SEPM 14.2 and later versions are affected.
2021-12-14 10:30 ET - Added PAM Server Control to the Affected Product List along with mitigation instructions.
2021-12-14 00:30 ET - Added Layer7 API Gateway to the Affected Product List with remediation link referring to KB article.
2021-12-13 17:45 ET - HSM Agent is not vulnerable.
2021-12-13 15:20 ET - Added Layer7 API Developer Portal, Layer7 API Developer Portal SaaS & Layer7 Live API Creator to the Affected Product List.
2021-12-13 18:10 ET - Content Analysis (CA), Integrated Secure Gateway (ISG), Reporter, and Mirror Gateway are not vulnerable. The WSS Reporting feature was found affected and was remediated. Remote code execution was not possible, but other unknown attack vectors may have been possible.
2021-12-13 15:20 ET - Added VIP Authentication Hub to the Affected Product List and updated the mitigation section.
2021-12-13 15:05 ET - Added Integrated Cyber Defense Exchange (ICDx) to the list of products under investigation. Advanced Secure Gateway (ASG), BCAAA, and SSL Visibility (SSLV) are not vulnerable.
2021-12-13 13:30 ET - Added Symantec SiteMinder to the Affected Product List along with remediation. Also PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-12-13 12:25 ET - Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), Industrial Control System Protection (ICSP), Critical System Protection (CSP), Cloud Workload Assurance (CWA), Information Centric Analytics (ICA), and IT Analytics (ITA) are not vulnerable.
2021-12-13 11:15 ET - Added Advanced Authentication 9.1.02 to the Affected Product List. Also Symantec Messaging Gateway (SMG) and ServiceDesk are not vulnerable.
2021-12-13 02:00 ET - Symantec Endpoint Encryption (SEE) is not vulnerable.
2021-12-12 11:45 ET - Symantec Mail Security for Microsoft Exchange (SMSMSE), Symantec Protection Engine (SPE), and Symantec Protection for SharePoint Servers (SPSS) are not vulnerable.
2021-12-12 19:20 ET - Symantec Endpoint Protection (SEP) is not vulnerable.
2021-12-12 00:20 ET - Added information about remaining Symantec products.
2021-12-11 12:30 ET - Added the proactive notification link to Advanced Authentication, Risk Authentication & Strong Authentication.
2021-12-11 12:15 ET - Updated Affected Products along with link to proactive notifications, Workarounds and Updated Non-Affected Products.
2021-12-11 06:00 ET - Updated Non-Affected Products & Added Link to Product Security Advisories.
2021-12-11 00:30 ET - Added Recommended Mitigations & Updated Non-Affected Products.
2021-12-10 20:30 ET - Initial Release.