Apache Log4j vulnerability - CVE-2021-44228

cancel
Showing results for 
Search instead for 
Did you mean: 

Apache Log4j vulnerability - CVE-2021-44228

mromano
Alfresco Employee
2 10 18.8K

Hyland's security team is aware of the Apache Log4j vulnerability, and they are actively investigating whether any of Hyland's products or internal systems are vulnerable. The security of our products and systems are a top priority, and we appreciate your patience as we determine whether Hyland or its products are impacted. You can expect more updates to be shared here as we learn more.

 

UPDATE 2021-12-15: More information about this vulnerability now available here: https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-se...

10 Comments
mromano
Alfresco Employee

Hyland conducted an initial review of Alfresco and determined there is no impact by the Apache Log4j vulnerability: https://community.hyland.com/en/blog/posts/82098-apache-log4j-security-advisory#74224cdb-eec9-4dd4-b...

GerhardSA
Active Member

Good day,

Could the information linked to here https://hub.alfresco.com/t5/alfresco-content-services-blog/apache-log4j-vulnerability-cve-2021-44228... not be made available here?

abby
Customer

@mromano Not able to access the link that you have posted, can you please share the details here? Tried to sign up but the activation link goes to a page not found.

arasales
Member II

I can't get de information through the links that you posted. Please give us information, it is very important for my company.

ryotawatabe
Member II

accessdenied.png

I coud not login...

qchevalier
Customer

Hi,

On this link https://community.hyland.com/en/blog/posts/82098-apache-log4j-security-advisory#74224cdb-eec9-4dd4-b..., the Alfresco part redirects on this topic. In my comprehension they do not give information about alfresco products for this vulnerability.

There is the alfresco part on the link...

"Alfresco

Please review the latest update available on the Alfresco Hub."

niekheuvink
Member II

After the initial review as stated by "mromano": Hyland conducted an initial review of Alfresco and determined there is no impact by the Apache Log4j vulnerability.

Is there already more information available? Can we guarantee 100% no impact? And what about the new CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 

saidone
Active Member

@niekheuvink AFAIK Alfresco still rely on Log4j 1.x that according to Apache is susceptible only to:

CVE-2021-4104

and is relevant only if "the attacker has write access to the Log4j configuration".

clemenspape
Partner

Alfresco Capture aka Ephesoft Transact: 
https://ephesoft.com/docs/products/transact/announcements/product-announcements/log4j-vulnerability/ 

Transact On-Premise users versions 4.5-2020.1.06:

Please read the following instructions before applying the patch. 

DCerv
Alfresco Employee