Okta On-Prem MFA Agent CVE-2021-45046
Description
Apache Log4j2 2.15.0, as used in Okta On-Prem MFA Agent 1.4.6 (formerly Okta RSA SecurID Agent), contained an incomplete fix for CVE-2021-44228, which could allow attackers under certain conditions to craft malicious input data, resulting in a denial of service (DoS) attack. The new version includes Log4j 2.16.0, which fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Affected product and versions
Okta On-Prem MFA Agent (formerly Okta RSA SecurID Agent) 1.4.6
Resolution
The vulnerability is fixed in Okta On-Prem MFA Agent (formerly Okta RSA SecurID Agent) version 1.4.7. To remediate this vulnerability, upgrade Okta On-Prem MFA Agent.
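Because the fix described above is delivered by bundling Log4j 2.16.0, a practical post-upgrade check is to confirm which log4j-core version is actually present on disk. The script below is an added example and is not Okta's tooling; it assumes the agent ships log4j-core as a standard Maven-built jar (so the version is recorded in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties) and treats any version below 2.16.0 as affected. The sample jars it builds in memory are constructed for illustration, not real Okta artifacts.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven-built log4j-core jars record their version here (assumption: the
# agent bundles a standard, unmodified log4j-core jar).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# The advisory names Log4j 2.16.0 as the version that removes message
# lookups and disables JNDI by default; anything older is treated as affected.
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """Turn a version string such as '2.15.0' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def log4j_core_version(jar):
    """Return the log4j-core version recorded in a jar, or None if the jar
    does not carry log4j-core's pom.properties (i.e. it is not log4j-core)."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    for line in props.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def is_fixed(version):
    """True when the bundled version is at or above the fixed release."""
    return version is not None and version >= FIXED_VERSION


def scan_directory(root):
    """Walk an install directory and report every log4j-core jar found,
    mapped to (version, fixed?). Non-zip files named *.jar are skipped."""
    results = {}
    for jar in Path(root).rglob("*.jar"):
        try:
            version = log4j_core_version(jar)
        except zipfile.BadZipFile:
            continue
        if version is not None:
            results[str(jar)] = (version, is_fixed(version))
    return results


def build_sample_jar(version=None):
    """Constructed in-memory jar for demonstration only (not an Okta file).
    With version=None the jar has no log4j-core pom.properties at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(
                POM_PROPERTIES,
                "groupId=org.apache.logging.log4j\n"
                "artifactId=log4j-core\n"
                f"version={version}\n",
            )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys

    # Usage: python check_log4j.py <agent install directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan_directory(root)
    if not found:
        print(f"no log4j-core jars found under {root}")
    for path, (version, fixed) in found.items():
        status = "OK (>= 2.16.0)" if fixed else "AFFECTED (< 2.16.0)"
        print(f"{path}: log4j-core {'.'.join(map(str, version))} {status}")
```

Run it against the agent's install directory after upgrading to 1.4.7; a jar still reporting 2.15.0 (or older) means the upgrade did not replace the bundled library. Note that the presence of the JndiLookup class alone does not distinguish 2.15.0 from 2.16.0, which is why the check reads the recorded version rather than class names.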
References
How to perform an upgrade of the RADIUS Server Agent and the On-Prem MFA Agent