Symptom
This bug has been filed to evaluate Cisco Prime Infrastructure against the following Apache Log4j vulnerabilities:
CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
CVE-2021-45046 - Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
CVE-2021-45105 - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
CVE-2021-44832 - Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
CVE-2021-4104 - Apache Log4j 1.2 JMSAppender vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j 1.x configuration
Cisco has analyzed each of these vulnerabilities and concluded that the product is not impacted.
This defect has been used to upgrade the Cisco Prime Infrastructure Apache Log4j library to 2.17.0 for security hardening purposes.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Further Problem Description
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation
The Cisco PSIRT has evaluated this issue and concluded that it does not meet the criteria for PSIRT ownership or involvement. This issue, if applicable, will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html