CVE-2021-44228

cancel
Showing results for 
Search instead for 
Did you mean: 
maxodoble
Active Member

CVE-2021-44228

Hi,

is anybody aware of the consequences of this nasty log4j vulnerability for alfresco community versions?

a very quick look shows that log4j v 1.2.17 is used in alfresco community (repo and share), and not directly hit by CVE-2021-44228 (seems to be versions >2 only), but then the question arises why such an old (and  unsupported since 2015?) version of log4j is being used happily here in late 2021.

Any thoughts?

Thanks,

Max

 

3 Replies
Renestox2
Active Member

Re: CVE-2021-44228

Hi,

 

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

"applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower."

 

Does anybody now a quick fix to update Log4j ?

 

angelborroy
Alfresco Employee

Re: CVE-2021-44228

No impact has been determined for latest @alfresco releases!
Hyland Developer Evangelist
amanda_roberts
Established Member

Re: CVE-2021-44228

Hi @maxodoble -

You can also find a post here on the Hub about it: https://hub.alfresco.com/t5/alfresco-content-services-blog/apache-log4j-vulnerability-cve-2021-44228...

We'll also be providing extra updates as we get them from Hyland's security teams. 

Thanks,

Amanda

Community Manager for Hyland and Alfresco
Did someone's answer help you out? Remember to Accept Solution!