Symantec Security Response SMNTC-19793
Dec 11, 2021 - 1:06 a.m.

Symantec Security Advisory for Log4j Vulnerability


CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

Summary

Symantec products may be susceptible to a flaw in the Apache Log4j 2 library JNDI lookup mechanism. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.

Layer7 API Developer Portal

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 4.4; 4.5; 5.0 & 5.0 CR1; 5.0.2 & 5.0.2.1 | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Layer7 API Developer Portal SaaS

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 5.0.3 | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Layer7 API Gateway

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 9.4; 10.0; 10.1 | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Layer7 Live API Creator

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 5.4; 5.1-5.3 (EOS) | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230205

Symantec Advanced Authentication

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 9.1; 9.1.01; 9.1.02 | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230301

Symantec Endpoint Detection and Response (EDR) On-premise

CVE | Supported Version(s) | Remediation
CVE-2021-44228, CVE-2021-45046 | 2.x, 3.x, 4.x | Upgrade to 4.6.8 or apply patch atp-patch-generic-4.6-1 to versions 4.6.0, 4.6.5, and 4.6.7. The product patch is only supported for versions 4.6.0 and above. All other customers must upgrade to 4.6.8.

Symantec Identity Governance and Administration

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 14.2; 14.3; 14.4 | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230278

Symantec Privileged Access Manager

CVE | Supported Version(s) | Remediation
CVE-2021-44228, CVE-2021-45046 | 3.4.x; 4.0.x | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230405

Symantec Privileged Access Manager Server Control

CVE | Supported Version(s) | Remediation
CVE-2021-44228, CVE-2021-45046 | 14.0.x; 14.1.x | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230586

Symantec Privileged Identity Manager

CVE | Supported Version(s) | Remediation
CVE-2021-44228, CVE-2021-45046 | 12.9.x | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230668
CVE-2021-44228, CVE-2021-45046 | 14.0 | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230670

Symantec SiteMinder (CA Single Sign-on)

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 12.8.x Policy Server; 12.8.x Administrative UI; 12.8.x Access Gateway; 12.8.x SDK; 12.7 and 12.8 ASA Agents | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230270

Symantec VIP Authentication Hub (separate from Symantec VIP)

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | All Releases of AuthHub | Please refer to the following KB article: https://knowledge.broadcom.com/external/article?articleId=230768

Web Isolation (WI) On-premise

CVE | Supported Version(s) | Remediation
CVE-2021-44228 | 1.14 | Apply the Log4j patch available on Support Downloads. Please refer to the following KB article for patch instructions: https://knowledge.broadcom.com/external/article?articleId=230812

The following products have not been demonstrated to be affected but may be affected. Customers are advised to apply the recommended remediations to mitigate any possible risk.

LiveUpdate Administrator (LUA)

CVE | Supported Version(s) | Remediation
CVE-2021-44228, CVE-2021-45046 | 2.3.8, 2.3.9 | Upgrade to 2.3.10.

Symantec Endpoint Protection Manager (SEPM)

CVE | Supported Version(s) | Remediation
CVE-2021-44228, CVE-2021-45046 | 14.2 and above | A fix for Symantec Endpoint Protection Manager (SEPM) is available in 14.3 RU3 build 5427. Please refer to the following KB article: https://knowledge.broadcom.com/external/article/230359

Symantec Endpoint Protection (SEP) for Mobile

CVE | Remediation
CVE-2021-4104 | SEP for Mobile was found affected and was already remediated.

Threat Defense for Active Directory (TDAD)

CVE | Supported Version(s) | Remediation
CVE-2021-4104 | All versions | Upgrade to 3.6.2.4.

The following Symantec SaaS services were found to be affected. If a vulnerability was remediated in a SaaS service, customers do not need to take any additional action.

Cloud Workload Assurance (CWA)

CVE | Remediation
CVE-2021-44228, CVE-2021-45046 | Some CWA dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Cloud Workload Protection (CWP)

CVE | Remediation
CVE-2021-44228, CVE-2021-45046 | Some CWP dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Cloud Workload Protection for Storage (CWP:S)

CVE | Remediation
CVE-2021-44228, CVE-2021-45046 | Some CWP:S dependencies were found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Email Security Service (ESS)

CVE | Remediation
CVE-2021-44228, CVE-2021-45046 | ESS was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 17.

Industrial Control System Protection (ICSP)

CVE | Remediation
CVE-2021-44228, CVE-2021-45046 | ICSP was found to be affected. An initial remediation was deployed on Dec 15. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 21.

Secure Access Cloud (SAC)

CVE | Remediation
CVE-2021-44228 | SAC was found affected and was already remediated.

Symantec Endpoint Security (SES)

CVE | Remediation
CVE-2021-44228 | SES was found to be affected. An initial remediation was deployed on Dec 16. The complete remediation was deployed on Dec 23.

Web Isolation (WI) Cloud

CVE | Remediation
CVE-2021-44228 | WI Cloud was found affected and was already remediated.

Web Security Service (WSS) Reporting

CVE | Remediation
CVE-2021-44228 | WSS Reporting was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 16.

Additional Product Information

The following products are not vulnerable:
Advanced Secure Gateway (ASG)
BCAAA
CloudSOC Cloud Access Security Broker (CASB)
Content Analysis (CA)
Critical System Protection (CSP)
Data Center Security (DCS)
Data Loss Prevention (DLP)
HSM Agent
Ghost Solution Suite (GSS)
Information Centric Analytics (ICA)
Information Centric Tagging (ICT)
Integrated Cyber Defense Exchange (ICDx)
Integrated Secure Gateway (ISG)
Intelligence Services / WebFilter / WebPulse
IT Analytics (ITA)
IT Management Suite
Layer7 Mobile API Gateway
Management Center (MC)
Mirror Gateway
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
Security Analytics (SA)
ServiceDesk
SSL Visibility (SSLV)
Symantec Directory
Symantec Control Compliance Suite (CCS)
Symantec Endpoint Encryption (SEE)
Symantec Endpoint Protection (SEP) Agent
Symantec Insight Private Cloud
Symantec Mail Security for Microsoft Exchange (SMSMSE)
Symantec Messaging Gateway (SMG)
Symantec PGP Solutions
Symantec Protection Engine (SPE)
Symantec Protection for SharePoint Servers (SPSS)
Symantec VIP

Symantec Protection Bulletins

Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2021-44228 in customer environments. Refer to the following publications for more information:

Issue Details

CVE-2021-44228

Severity / CVSS v3.1: Critical / 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
References: NVD: CVE-2021-44228
Impact: Remote code execution (RCE)
Description: The Apache Log4j 2 JNDI lookup functionality allows loading executable code from remote sources. A remote attacker, who can trigger Log4j to log crafted malicious strings, can execute arbitrary code on the target system. Other unknown security impact is also possible.

CVE-2021-4104

Severity / CVSS v3.1: High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2021-4104
Impact: Remote code execution
Description: Apache Log4j 1.2 allows malicious Log4j configuration files to trigger JNDI lookups and cause remote code execution. A remote attacker, with write access to the Log4j configuration, can execute arbitrary code on the target system.

CVE-2021-45046

Severity / CVSS v3.x: Critical / 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
References: NVD: CVE-2021-45046
Impact: Remote code execution, denial of service
Description: The Apache Log4j 2 JNDI lookup functionality allows loading executable code from remote sources. A remote attacker, who controls Thread Context Map (MDC) input data, can execute arbitrary code on the target system or cause denial of service. This vulnerability is caused by an incomplete fix to CVE-2021-44228 in certain non-default Log4j configurations. Apache Log4j 2.16 resolves this vulnerability.
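As an added defender-side example (not part of this advisory and not Broadcom or Symantec tooling), the following Python script inventories log4j-core jars under a directory, parses the version from each jar name, checks whether the JndiLookup class is still inside the archive, and maps the result onto the two Log4j 2 CVEs described above. Assumptions to note: the advisory only states that 2.16 resolves CVE-2021-45046; the start of the affected range (2.0-beta9) and the 2.14.1 upper bound for CVE-2021-44228 are taken from Apache's own advisory, treating a removed JndiLookup class as mitigating both CVEs follows Apache's documented mitigation, and branch backports such as 2.12.2 are not modelled. The sample jars are constructed in a temporary directory and contain only the entries the check needs.

```python
import os
import re
import tempfile
import zipfile

# Path of the lookup class inside log4j-core; Apache's documented mitigation deletes it from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches names such as log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-core-2.0-rc2.jar.
JAR_NAME = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$", re.IGNORECASE
)
STAGE_RANK = {"beta": 0, "rc": 1, None: 2}  # pre-releases sort before the final build


def parse_log4j_version(filename):
    """Return a comparable tuple for a log4j-core jar name, or None if it is not one."""
    m = JAR_NAME.match(filename)
    if not m:
        return None
    major, minor, patch, stage, stage_num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), STAGE_RANK[stage], int(stage_num or 0))


# Range boundaries. Only the 2.16 bound is stated in the advisory; the others are
# assumptions taken from Apache's advisory for these CVEs.
FIRST_AFFECTED = parse_log4j_version("log4j-core-2.0-beta9.jar")
LAST_44228 = parse_log4j_version("log4j-core-2.14.1.jar")
FIXED_45046 = parse_log4j_version("log4j-core-2.16.0.jar")


def assess(version, jndi_lookup_present):
    """Map a version plus JndiLookup presence to the CVE ids from this advisory."""
    if not jndi_lookup_present:
        return []  # class removed: Apache's documented mitigation (assumption, not from the page)
    cves = []
    if FIRST_AFFECTED <= version <= LAST_44228:
        cves.append("CVE-2021-44228")
    if FIRST_AFFECTED <= version < FIXED_45046:
        cves.append("CVE-2021-45046")
    return cves


def scan_directory(root):
    """Walk a tree, find log4j-core jars and report which CVEs each one maps to."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            version = parse_log4j_version(name)
            if version is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    present = JNDI_LOOKUP_CLASS in jar.namelist()
            except zipfile.BadZipFile:
                present = True  # unreadable jar: assume worst case and flag it for manual review
            findings.append({"path": path, "version": version,
                             "jndi_lookup": present, "cves": assess(version, present)})
    return findings


def build_sample_jar(path, include_jndi_lookup):
    """Write a constructed stand-in jar holding only the entries the check inspects."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode


def demo():
    """Constructed sample tree: returns {relative jar path: [CVE ids]}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), True)
        os.makedirs(os.path.join(root, "patched"))
        build_sample_jar(os.path.join(root, "patched", "log4j-core-2.14.1.jar"), False)
        build_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), True)
        build_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), True)
        return {os.path.relpath(f["path"], root): f["cves"] for f in scan_directory(root)}


if __name__ == "__main__":
    for jar, cves in sorted(demo().items()):
        print(f"{jar}: {', '.join(cves) if cves else 'no mapped CVE'}")
```

Running it against a real host (replace the constructed tree with the application's library directories) gives a quick triage list; a jar whose name does not carry a version, or a shaded jar that bundles log4j-core under another name, will not match the filename pattern and still needs a manual look.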

References

Revisions

2022-01-20 20:20 ET - A fix for CVE-2021-4104 for Threat Defense for Active Directory (TDAD) is available in 3.6.2.4. Advisory Status moved to Closed.
2022-01-12 10:40 ET - SEP for Mobile was found affected for CVE-2021-4104 and was already remediated. Removed CVE-2021-4104 from under investigation for Symantec Endpoint Security (SES).
2022-01-07 00:10 ET - Added Symantec VIP Security Advisory link to the references
2021-12-27 13:20 ET - Added Symantec Endpoint Protection (SEP) for Mobile is under investigation for CVE-2021-4104.
2021-12-23 20:10 ET - The complete remediation for CVE-2021-44228 for Cloud Workload Assurance (CWA), Cloud Workload Assurance (CWP), Cloud Workload Protection for Storage (CWP:S), and Symantec Endpoint Security (SES) was deployed on Dec 23.
2021-12-21 20:00 ET - The complete remediation for Industrial Control System Protection (ICSP) was deployed on Dec 21.
2021-12-20 11:15 ET - Added CVE-2021-4104 and CVE-2021-45046.
2021-12-20 14:21 ET - On-premise Web Isolation (WI) 1.14 is affected. Apply the patch available on Support Downloads.
2021-12-20 10:20 ET - A fix for LiveUpdate Administrator (LUA) is available in 2.3.10.
2021-12-18 22:14 ET - Multiple Symantec products can detect and provide protection against attacks exploiting CVE-2021-44228 in customer environments. See more information in the Symantec Protection Bulletins section.
2021-12-17 21:30 ET - Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and Symantec Endpoint Security (SES) were found to be affected. An initial remediation was deployed on Dec 16. Broadcom is actively working on deploying the complete remediation.
2021-12-17 19:30 ET - A fix for Symantec Endpoint Detection and Response (EDR) On-premise is available in 4.6.8 or by applying patch atp-patch-generic-4.6-1 to versions 4.6.0, 4.6.5, and 4.6.7.
2021-12-17 18:25 ET - Email Security Service (ESS) was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 17.
2021-12-17 16:25 ET - Web Isolation (WI) Cloud was found affected and was already remediated.
2021-12-17 14:45 ET - Moved LiveUpdate Administrator (LUA) to the Affected Product(s).
2021-12-17 12:00 ET - A fix for LiveUpdate Administrator (LUA) is available in 2.3.10.
2021-12-16 18:40 ET - Intelligence Services / WebFilter / WebPulse and Threat Defense for Active Directory (TDAD) are not vulnerable.
2021-12-16 15:00 ET - WSS Reporting was found to be affected. An initial remediation was deployed on Dec 13. Further investigation showed that the initial remediation is no longer considered sufficient. The complete remediation was deployed on Dec 16.
2021-12-16 14:35 ET - Moved Cloud Workload Assurance (CWA), Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), and SES Cloud Console (SESC) to under investigation.
2021-12-16 12:55 ET - Added Symantec IGA to the Affected Product List along with mitigation instructions.
2021-12-16 12:00 ET - Secure Access Cloud (SAC) was found affected and was already remediated.
2021-12-16 9:55 ET - A fix for Symantec Endpoint Protection Manager (SEPM) is available in 14.3 RU3 build 5427.
2021-12-15 18:20 ET - Moved Web Security Service (WSS) Reporting to under investigation.
2021-12-15 14:45 ET - Moved Email Security Service (ESS) to under investigation.
2021-12-15 11:00 ET - Added Symantec Privileged Access Manager to the Affected Product List along with mitigation instructions.
2021-12-15 00:30 ET - Added Symantec Privileged Identity Manager to the Affected Product List along with mitigation instructions.
2021-12-14 19:50 ET - Symantec Endpoint Protection (SEP) for Mobile is not vulnerable.
2021-12-14 18:15 ET - Information Centric Tagging (ICT) and Symantec Insight Private Cloud are not vulnerable.
2021-12-14 17:30 ET - LiveUpdate Administrator (LUA) all supported versions are affected.
2021-12-14 15:02 ET - Email Security Service (ESS) was found affected.
2021-12-14 14:35 ET - Management Center is not vulnerable.
2021-12-14 13:05 ET - ICDx is not vulnerable.
2021-12-14 12:25 ET - SEPM 14.2 and later versions are affected.
2021-12-14 10:30 ET - Added PAM Server Control to the Affected Product List along with mitigation instructions.
2021-12-14 00:30 ET - Added Layer7 API Gateway to the Affected Product List with remediation link referring to KB article.
2021-12-13 17:45 ET - HSM Agent is not vulnerable.
2021-12-13 15:20 ET - Added Layer7 API Developer Portal, Layer7 API Developer Portal SaaS & Layer7 Live API Creator to the Affected Product List.
2021-12-13 18:10 ET - Content Analysis (CA), Integrated Secure Gateway (ISG), Reporter, and Mirror Gateway are not vulnerable. The WSS Reporting feature was found affected and was remediated. Remote code execution was not possible, but other unknown attack vectors may have been possible.
2021-12-13 15:20 ET - Added VIP Authentication Hub to the Affected Product List and updated the mitigation section.
2021-12-13 15:05 ET - Added Integrated Cyber Defense Exchange (ICDx) to the list of products under investigation. Advanced Secure Gateway (ASG), BCAAA, and SSL Visibility (SSLV) are not vulnerable.
2021-12-13 13:30 ET - Added Symantec SiteMinder to the Affected Product List along with remediation. Also PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-12-13 12:25 ET - Cloud Workload Protection (CWP), Cloud Workload Protection for Storage (CWP:S), Industrial Control System Protection (ICSP), Critical System Protection (CSP), Cloud Workload Assurance (CWA), Information Centric Analytics (ICA), and IT Analytics (ITA) are not vulnerable.
2021-12-13 11:15 ET - Added Advanced Authentication 9.1.02 to the Affected Product List. Also Symantec Messaging Gateway (SMG) and ServiceDesk are not vulnerable.
2021-12-13 02:00 ET - Symantec Endpoint Encryption (SEE) is not vulnerable.
2021-12-12 11:45 ET - Symantec Mail Security for Microsoft Exchange (SMSMSE), Symantec Protection Engine (SPE), and Symantec Protection for SharePoint Servers (SPSS) are not vulnerable.
2021-12-12 19:20 ET - Symantec Endpoint Protection (SEP) is not vulnerable.
2021-12-12 00:20 ET - Added information about remaining Symantec products.
2021-12-11 12:30 ET - Added the proactive notification link to Advanced Authentication, Risk Authentication & Strong Authentication.
2021-12-11 12:15 ET - Updated Affected Products along with link to proactive notifications, Workarounds and Updated Non-Affected Products.
2021-12-11 06:00 ET - Updated Non-Affected Products & Added Link to Product Security Advisories.
2021-12-11 00:30 ET - Added Recommended Mitigations & Updated Non-Affected Products.
2021-12-10 20:30 ET - Initial Release.