Impacted Products: IdentityIQ, File Access Manager, and IdentityNow Cloud Connector Gateway deployments where customers have modified out of the box log4j2 configuration to use a JDBC Appender with a data source referencing a JNDI URI.
SailPoint has analyzed the recently-identified Remote Code Execution (RCE) vulnerability (CVE-2021-44832) and has determined that since SailPoint products, other than instances of IdentityIQ, File Access Manager, and IdentityNow Cloud Connector Gateway where the customer has made certain modifications to the default Log4j configuration, do not use the JDBC Appender and are not impacted by this vulnerability.
IdentityIQ, File Access Manager, and IdentityNow Cloud Connector Gateway do not use the JDBC Appender out of the box, however customers have the ability to modify the out of the box appenders in log4j2.properties which might render them susceptible to this vulnerability. As documented in the CVE and guidance from the Apache Logging Services Project, JNDI URIs should not be used in the data source configuration for a JDBC Appender as a mitigation for this vulnerability.
SailPoint plans to upgrade IdentityIQ, File Access Manager, and IdentityNow Cloud Connector Gateway to Log4J 2.17.1 in January 2022.
