Broadcom

Broadcom determined as of Monday that some or all versions of its CA Advanced Authentication, Symantec SiteMinder unified access management and VIP Authentication Hub products are affected by the Log4j vulnerability. The San Jose, Calif.-based company also said its Symantec Endpoint Protection Manager offering may be affected even though no impact has yet been demonstrated.

SiteMinder customers are urged to either configure the offering to continue using the existing Log4j versions in a secure manner or upgrade the existing Log4j version in their environment to Log4j 2.15.0. Upgrading to 2.15.0 will help reduce the likelihood of vulnerability scanning tools continuing to identify the older Log4j instances.

The vulnerable feature in the remaining Broadcom or Symantec products can be disable by setting the system environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to ”true” and restarting the impacted components or services, according to Broadcom.