A number of vulnerabilities have recently been discovered that impact multiple versions of the Apache Log4j 2 utility:
| Vulnerability | Severity Rating | CVSS Score | Affected Versions | Fixed Version | Other Information |
|---|---|---|---|---|---|
| CVE-2021-44228 | Critical | 10 | 2.0 to 2.14.1 | 2.15.0 | Disclosed publicly via the project’s GitHub on December 9, 2021 |
| CVE-2021-45046 | Critical | 9 | 2.0 to 2.15.0 (excluding 2.12.2) | 2.16.0 | |
| CVE-2021-45105 | High | 7.5 | 2.0 to 2.16.0 | 2.17.0 | |
| CVE-2021-44832 | Medium | 6.6 | 2.0 to 2.17.0 (excluding 2.3.2 and 2.12.4) | 2.17.1 | |
Customers should check the CVEs for the latest vulnerable versions.
New releases of Autonomous Identity that include Log4j 2.17 were made available on December 22, 2021.
The only ForgeRock product that utilizes Log4j is Autonomous Identity, which now has patched releases that remedy the three Critical and High vulnerabilities. None of the other currently supported ForgeRock products, including Identity Cloud, AM, DS, IDM, IG and Agents, are affected by these vulnerabilities. ForgeRock continues to actively investigate any other possible uses of this library but none are known at this time.
The SecurID authentication module uses a Log4j library supplied by RSA, which is no longer supported. You should not use this module unless RSA provides a fixed version of this library. See RSA Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228) for the latest information from RSA.
Customers are responsible for checking for any use of Log4j in their servlet/application container and any custom code (including Marketplace contributions) that they have deployed.
All currently supported versions of the ForgeRock Identity Platform (AM, DS, IDM, IG and AM Agents) are not vulnerable to these Log4j issues, as ForgeRock does not ship this library. Review Checking your product versions are supported for details of currently supported versions.
Older, end-of-life versions of the ForgeRock Identity Platform could be vulnerable. However, due to their age and the lack of vendor support for their libraries, they cannot be patched to ensure they are no longer vulnerable to the Log4j attacks.
| Product | Affected Versions | Fix Available | Release Notes |
|---|---|---|---|
| Autonomous Identity | 2020.10, 2021.3, 2021.8 | Yes | |
The newest releases address the following vulnerabilities: CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
Autonomous Identity does not use a JDBC appender for logging, which means it is not affected by CVE-2021-44832.
Autonomous Identity customers should update to the latest patch release (see release notes in the table above).
For standard installations of the ForgeRock Identity Platform (AM, DS, IDM, IG and Agents), you should check whether your servlet/application container has any vulnerabilities by contacting the vendor of the container being used. The servlet/application container you install for deploying AM needs to be checked to make sure it is not vulnerable. The default recommended container, Apache Tomcat, is not vulnerable as it does not use Log4j.
For custom installations of the ForgeRock Identity Platform that include components that utilize either log4j or log4j-api libraries, you should:
- Contact the component vendor for additional information.
- Check to see if your servlet/application containers have any vulnerabilities by contacting the vendor of the servlet being used.
- Follow the advice from Apache by upgrading your Log4j version(s) to 2.17.1 or later, or by implementing one of their mitigations as outlined here: Apache Log4j Security Vulnerabilities.
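As an added example (not ForgeRock's code, nor Apache's), the following Python script supports the checks above: it inventories log4j-core jars under a deployment root, including jars nested inside WAR/EAR files, reads the bundled version from the jar's Maven metadata (falling back to the file name), and maps that version to the CVEs in the advisory table. It also reports whether JndiLookup.class is still present, since removing that class from log4j-core is the Apache-documented mitigation for CVE-2021-44228 referred to in the last step. The sample deployment it builds in a temporary directory is constructed purely for the demonstration, and the CVE table is encoded exactly as this advisory lists it, so branch back-ports the table does not mention must be checked against the CVE text itself.

```python
"""Inventory Log4j 2 jars under a deployment root and map each bundled
version to the CVEs in the advisory table (added example, not ForgeRock code)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass, field

# Advisory table, one row per CVE: (CVE, first fixed version, versions the
# table excludes from the affected range). Every row's range starts at 2.0.
# Branch back-ports (2.3.x, 2.12.x) are only covered where the table lists
# them; check the CVE text itself for the latest vulnerable-version lists.
ADVISORY = [
    ("CVE-2021-44228", (2, 15, 0), ()),
    ("CVE-2021-45046", (2, 16, 0), ((2, 12, 2),)),
    ("CVE-2021-45105", (2, 17, 0), ()),
    ("CVE-2021-44832", (2, 17, 1), ((2, 3, 2), (2, 12, 4))),
]
# Maven metadata carried by log4j-core jars, and the class that Apache's
# documented mitigation for CVE-2021-44228 deletes from the jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' or 'log4j-core-2.17.jar' -> (2, 14, 1) / (2, 17, 0); None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def applicable_cves(version):
    """CVEs from the advisory table whose affected range contains `version`."""
    if version < (2, 0, 0):
        return []  # Log4j 1.x is outside this table (CVE-2021-4104 is tracked separately)
    return [cve for cve, fixed_in, excluded in ADVISORY
            if version < fixed_in and version not in excluded]


@dataclass
class Finding:
    location: str  # file path, or "archive.war!inner/path.jar" for a nested jar
    version: tuple
    jndi_lookup_present: bool
    cves: list = field(default_factory=list)


def inspect_archive(source, location):
    """Return a Finding if the zip at `source` (path or file object) bundles log4j-core."""
    try:
        with zipfile.ZipFile(source) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPERTIES in names:
                props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
            elif "log4j-core" in os.path.basename(location):
                version = parse_version(os.path.basename(location))  # metadata stripped
            if version is None:
                return None
            return Finding(location, version, JNDI_LOOKUP in names, applicable_cves(version))
    except zipfile.BadZipFile:
        return None


def scan_tree(root):
    """Walk `root`; inspect every .jar and every jar nested inside a .war/.ear."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar"):
                found = inspect_archive(path, path)
                if found:
                    findings.append(found)
            elif name.endswith((".war", ".ear")):
                try:
                    with zipfile.ZipFile(path) as outer:
                        for entry in outer.namelist():
                            if entry.endswith(".jar"):
                                found = inspect_archive(io.BytesIO(outer.read(entry)), f"{path}!{entry}")
                                if found:
                                    findings.append(found)
                except zipfile.BadZipFile:
                    pass
    return sorted(findings, key=lambda f: f.location)


def _write_jar(target, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: only the metadata this scan reads."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"")  # placeholder entry, not real bytecode


def build_sample_tree():
    """Constructed sample deployment (not a real install); returns its root directory."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "webapps", "app", "WEB-INF", "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    _write_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")
    with zipfile.ZipFile(os.path.join(lib, "commons-lang3-3.12.0.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # unrelated jar
    inner = io.BytesIO()
    _write_jar(inner, "2.16.0", with_jndi=False)  # JndiLookup.class already removed
    with zipfile.ZipFile(os.path.join(root, "webapps", "legacy.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", inner.getvalue())
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = ", ".join(f.cves) if f.cves else "not affected per advisory table"
        note = "" if f.jndi_lookup_present else " (JndiLookup.class removed)"
        print(f"{f.location}: {'.'.join(map(str, f.version))} -> {status}{note}")
```

Point `scan_tree` at a real container directory (for example a Tomcat `webapps` tree plus its shared `lib`) instead of the constructed sample. A jar whose version is below 2.17.1 but whose JndiLookup.class is absent has had the class-removal mitigation applied for CVE-2021-44228 only; CVE-2021-45105 and CVE-2021-44832 are still reported for it, which is why the advisory's advice is to upgrade.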
For older ForgeRock products that are no longer supported, we strongly recommend you upgrade to a newer, supported version.
The vulnerabilities in this advisory do not apply to Log4j 1 versions. Per Apache Log4j Security Vulnerabilities:
Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.
However, CVE-2021-4104 has been reported against Log4j 1.2; it is an issue if you have JMSAppender configured. You should monitor this CVE for updates.
The following table tracks changes to the advisory:

| Date | Change |
|---|---|
| January 5, 2022 | Updated to clarify that CVE-2021-44832 does not affect Autonomous Identity |
| January 4, 2022 | Updated to note new vulnerability (CVE-2021-44832) and advice to upgrade to Log4j version 2.17.1 |
| December 22, 2021 | Added new fixed versions to address CVE-2021-45105 & CVE-2021-45046 for Autonomous Identity; added section for Log4j 1 to clarify its status |
| December 20, 2021 | Updated to note new vulnerability (CVE-2021-45105) and advice to upgrade to Log4j version 2.17.0 |
| December 16, 2021 | Added fixed versions and release notes for Autonomous Identity |
| December 15, 2021 | Updated to note new vulnerability (CVE-2021-45046) and advice to upgrade to Log4j version 2.16.0 |
| December 14, 2021 | Updated to provide clarity around supported versions and added recommendation for older unsupported versions |
| December 13, 2021 | Updated to note the SecurID authentication module and its use of the Log4j library; updated the Recommendations section to be more specific |
| December 10, 2021 | Initial release |