Which ArcSight products are vulnerable to the CVE?
What is the Patch Release Program or Mitigation for the topic?
Case response for Logger 7.0:
Please be informed that Logger 7.0 is not affected by CVE-2021-44228. However, Logger version 7.2 and higher versions might be affected.
Our internal team is aware of this CVE and is currently working on it. In the meantime, please avoid unnecessary upgrades until we have a new update regarding this.
Still waiting on support RE Smartconn 8.2 (the lib exists).
ArcMc seems OK for us but we need to know on the Smartconn. Support are not covering themselves in glory with this. I would expect MF to have a boilerplate response by now and know what was at risk.
The statement that I got from support is below [1]. However, read the second part of the truth [2].
[1]:
1) Pre-ESM 7.5: not impacted
ESM 7.5 and above impacted
2) SC pre-8.2: not impacted
8.2 and above: impacted
3) Logger pre-7.2: not impacted
7.2 and above: impacted
4) ArcMc is not impacted as it ships log4j 1.x but connectors running on arcmc appliances would be impacted if at v8.2+
[2]:
The above statement must be taken with a grain of salt and a proper understanding of how you read things. I am not saying that the versions are affected or not - think for yourself when you read this:
“Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.“
https://logging.apache.org/log4j/2.x/security.html
And just check for log4j in your installations. Everything not listed in 1-4) might still use log4j 1.x and might be vulnerable as well.
Enjoy
A.
The JNDI feature was added into log4j 2.0-beta9.
log4j 1.x thus does not have the vulnerable code.
source:
stackoverflow.com/.../log4j-vulnerability-is-log4j1-2-17-vulnerable-was-unable-to-find-any-jndi-cod
Kyle Pearson dalesio Jeremy Lahners
Any updates on an official web-page?
JMSAppender might be affected in edge cases (sorry, I am not a programmer, just reading the news).
The CVE for that
access.redhat.com/.../CVE-2021-4104
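One way to "check for log4j in your installations" as suggested above, written as an added example that is not part of the original posts and is not vendor tooling: it walks an installation directory, opens jar/war/ear/zip archives (including nested ones), and reports the two classes the thread discusses, JndiLookup for log4j 2.x (CVE-2021-44228) and JMSAppender for log4j 1.x (CVE-2021-4104). The function names and the nesting limit of 4 are assumptions of this example.

```python
import io
import sys
import zipfile
from pathlib import Path

# Marker classes at their standard Apache package paths.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # log4j 1.x
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # assumed limit on archive-in-archive nesting

def scan_archive(data, label, findings, depth=0):
    """Record marker classes in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable zip container: skip it
    with zf:
        for name in zf.namelist():
            # endswith() also matches classes repackaged under a prefix
            # such as BOOT-INF/classes/ in a fat jar.
            if name.endswith(JNDI_LOOKUP):
                findings.append((label, "log4j 2.x JndiLookup"))
            elif name.endswith(JMS_APPENDER):
                findings.append((label, "log4j 1.x JMSAppender"))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                try:
                    inner = io.BytesIO(zf.read(name))
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    continue  # encrypted or unsupported entry
                scan_archive(inner, f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Walk an installation directory and return (archive, marker) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path, str(path), findings)
    return findings

if __name__ == "__main__":
    # Usage: python scan_log4j.py /path/to/installation
    for label, marker in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{marker}\t{label}")
```

A hit shows only that the class is present in that archive; which log4j version it belongs to, and whether it is affected, still has to be checked against the vendor and Apache statements.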
@vitz1, there will be an official statement from MF soon.
OpenText Community Manager