Log4J Remote Code Execution (RCE) and Denial of Service (DoS) Vulnerabilities Update - December, 17 2021

Impacted products: IdentityNow, IdentityIQ, File Access Manager, and IdentityAI

SailPoint has addressed the Log4J RCE and DoS vulnerabilities (CVE-2021-44228, CVE-2021-45046) by upgrading to Log4J 2.16.0.

IdentityIQ and File Access Manager customers can refer to the latest IdentityIQ blog post and File Access Manager blog post, respectively, for instructions on how to deploy the latest releases. IdentityIQ harvester is still being upgraded, and we expect the upgrade to be deployed later today. We will issue further communications once the updated IdentityIQ harvester has been deployed.

For IdentityNow and IdentityAI customers, Cloud Connector Gateway (CCG) version 658 has been automatically deployed. For customers who have not received the automatic update, SailPoint customer service is reaching out in order to upgrade those instances. The CCG version is visible to customer admins in the IdentityNow UI.

SailPoint has deployed the latest release of IdentityIQ harvester for IdentityAI which addresses the Log4J Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities (CVE-2021-44228, CVE-2021-45046) by upgrading to Log4J 2.16.0. No action is needed.

Hello Jordan,

It appears that while your latest patch has addressed CVE-2021-44228 and CVE-2021-45046 by upgrading to log4j 2.16.0, that upgrade still leaves us vulnerable to CVE-2021-45105 (High). Can we expect to see an additional patch to bring us up to log4j 2.17.0 or is there a reason why your latest patch didn’t bring us up to 2.17.0 (perhaps an issue was identified during testing to address 44228 and 45046)?

https://logging.apache.org/log4j/2.x/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
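As an added example (not SailPoint's code and not from anyone in this thread), the following Python audits the log4j-core JARs in a deployment by reading Implementation-Version from each manifest and reporting which of the three CVEs discussed here a given version still leaves open, using the fix versions the thread states (2.16.0 for CVE-2021-44228 and CVE-2021-45046, 2.17.0 for CVE-2021-45105). It assumes the JAR manifest carries an Implementation-Version header and models only the Log4j 2.x mainline, not the 2.12.x or 2.3.x backport lines; the sample JARs are constructed in memory.

```python
import io
import re
import zipfile

# Fix versions stated in the thread, Log4j 2.x mainline only (assumption: the
# 2.12.x / 2.3.x backport lines are not modelled here).
FIXED_IN = {
    "CVE-2021-44228": (2, 16, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}

def parse_version(text):
    """Turn '2.16.0' (or '2.16.0-SNAPSHOT') into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def outstanding_cves(version):
    """CVE ids from the thread that this log4j-core version does not fix."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def manifest_version(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumed present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def build_jar(version):
    """Constructed sample: a minimal JAR whose manifest claims the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()

def audit(jars):
    """Map each JAR name to the CVEs still open for the version in its manifest."""
    return {name: outstanding_cves(manifest_version(data)) for name, data in jars.items()}

if __name__ == "__main__":
    sample = {f"log4j-core-{v}.jar": build_jar(v) for v in ("2.14.1", "2.16.0", "2.17.0")}
    for name, cves in audit(sample).items():
        print(name, "->", ", ".join(cves) or "none of the three")
```

Pointing `audit` at real JAR bytes read from disk gives the per-artifact view the question above asks for: a 2.16.0 JAR reports only CVE-2021-45105 outstanding, a 2.17.0 JAR reports none.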

The latest official information from SailPoint regarding this topic can be found in the Community Announcements Blog on Compass at Log4J Denial of Service (DoS) Vulnerability (CVE-2021-45105) update - December 20, 2021 - Compass.

The security fix containing 2.16.0 was relatively far down the path of our release process when CVE-2021-45105 was announced. Given the analysis of impact on IdentityIQ and File Access Manager customers for CVE-2021-45105, we decided to not re-start that process since customer demand to release fixes that remediate the much higher and more applicable CVE-2021-44228 was understandably high.