Skip links

Symantec SiteMinder and the Log4j vulnerability

As most people have probably heard by now, a serious vulnerability related to the use of Log4j has been discovered. It didn’t impact any of our SiteMinder customers, but they were still required by their management to mitigate the issue. Broadcom published a resolution to address any concerns a customer may have concerning Symantec SiteMinder and the Log4j vulnerability, but we wanted to provide a few supplemental tips that might ease your mitigation efforts if you have yet to complete them.

Note: The Broadcom instructions are located at https://knowledge.broadcom.com/external/article?articleId=230270

Preparation

After reading the Broadcom notes but before starting your efforts, please consider the following tips:

  • There are 4 sets of instructions for the five vulnerabilities, but only the CVE-2021-44228 vulnerability impacts SiteMinder. The issues for which there are fix instructions are the following:
    • CVE-2021-44228
    • CVE-2021-45046
    • CVE-2021-45105
    • CVE-2021-44832
  • The manner in which the mitigation instructions are presented makes it easy to miss a step. Be sure to review the instructions carefully and plan your update(s) based on the entire note.
  • The main fix involves downloading the appropriate log4j version from https://logging.apache.org/log4j/2.x/download.html
    • To streamline the mitigation process, we recommend using log4j 2.17.1 as outlined in the CVE-2021-44832 notes, although that issue has no direct impact to SiteMinder. Many organizations want the assurance that the vulnerability has been addressed appropriately regardless of the known impact.

Application

  • For Linux operating systems:
    • Check the file ownership on the copied jar files to ensure the owner is correct. For example, the jar files for the SiteMinder policy server may be owned by an application user such as smuser.
    • You will need to assign either user or group, read and execute permissions to the copied jar files. (This depends on the product that is being updated). Make sure the permissions are aligned with the other jars in the folder.

We have also written about other third-party vulnerabilities related to SiteMinder in the past; check out our post on the Apache Tomcat AJP Vulnerability.

As always, we hope that you have found this information useful. If you need any form of IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.

JOIN OUR NEWSLETTER

If you want to know our recent offer please subscribe to our newsletter