NetWitness Community

RSA has been made aware of several vulnerabilities affecting Apache Log4j2.

Recent Log4j2 disclosures:

• CVE-2021-44228 – Log4j2 – jпdi:ldap RCE
• CVE-2021-44832 - Log4j2 - Local configuration exploit
• CVE-2021-45046 – Log4j2 - Thread Context Map
• CVE-2021-45105 – Log4j2 – Uncontrolled Recursion (DoS)

Log4j2 is an open-source Java-based logging utility used in enterprise and cloud applications. An attacker could use this vulnerability to take control of affected systems. We are reviewing the impact to our products.

The following components are not vulnerable to the recent Log4j2 disclosures and are not affected:

• SecurID Authentication Manager
• SecurID Authentication Manager Agents
• SecurID Authentication Manager Prime (Packaged Solution)
• SecurID Authentication Manager WebTier
• SecurID Cloud Authentication Service
• SecurID Identity Router (a component of Cloud Authentication Service)
• SecurID Governance and Lifecycle (SecurID G&L)
• SecurID Governance and Lifecycle Cloud (SecurID G&L Cloud)
• SecurID Governance and Lifecycle Data Reach (Packaged Solution)

We are continuing to review, analyze and monitor our components to ensure that there is no impact.

SecurID recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability. Software changes, including security updates, are carefully evaluated for impact to overall system reliability.

Third-Party Embedded Components:

The following components included a third-party update which is not used, but contained an embedded version of Log4j2 version 2.11:

• SecurID Authentication Manager 8.6 Patch 1
• SecurID G&L: Data Reach (Packaged Solution)

This embedded version of Log4j2 version 2.11 is neither used nor exploitable as confirmed by our third-party vendor, though vulnerability scanners may identify the library as vulnerable. We are evaluating vendor recommendations on the removal of these unused libraries as an interim measure. We will evaluate and incorporate updates as received from our vendors. 

All components and packaged products listed above utilize a Java Runtime Environment (JRE) that has mitigations against this and other attacks.

SecurID Developed Components:

Components developed by SecurID do not utilize any of the Log4j2 libraries (i.e., no log2j version 2.x libraries are included).

SecurID Cloud Authentication Service
No log4j interfaces of any version are used in the product. The component is based on a different logging framework core.

SecurID Authentication Manager
This component utilizes a SecurID internally maintained and supported version of a log4j 1.2.x library separate and distinct from the Apache branch. This is a SecurID internal, special-purpose implementation and has no known, exploitable vulnerabilities.

SecurID Governance and Lifecycle
This component utilizes specific interfaces in a publicly available version of a log4j 1.2.x library. Only basic logging interfaces are utilized. The vulnerable classes are not used by the solution and the solution does not provide external access to the logging configuration.

Frequently Asked Questions:

Q: What should I do if I've already applied SecurID Authentication Manager 8.6 Patch 1?

This version is not vulnerable to this issue. This version contains several critical security updates.

Q: What if I am using SecurID G&L: Data Reach?

This component is not vulnerable to this issue.

Q: Is RSA Access Manager vulnerable?

The RSA Access Manager component is not vulnerable to this issue. Primary support for RSA Access Manager has ended, with Extended Support Level 2 available. Please refer to the Product Version Life Cycle for more information.

Q: What if I have an Integrated Dell Remote Access Controller (iDRAC) on my appliance?

This component is not vulnerable to this issue. Please refer to the Dell response to the Apache Log4j remote code execution vulnerability (CVE-2021-44228).

Q: What about other Log4j defects?

As of this advisory, none of the above listed components have outstanding, unmitigated vulnerabilities related to Log4j.

The following table summarizes prior Log4j issues:

Next Steps

We are continuing to monitor these vulnerabilities. As we continue to review, RSA systems will be updated with the latest indicators of compromise (IOCs) and will continuously monitor any use of this software in our environments.

This page will be updated with relevant information as RSA deems necessary. Please check back regularly for more information or direct specific concerns to your RSA Account Manager and/or RSA Customer Support representative.

Legal Information

Read and use the information in this RSA Customer Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates distribute RSA Customer Advisories in order to bring to the attention of users of the affected RSA products important product information.

RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.