log4j vulnerability impact on Alfresco community edition

prabhav
Member II

log4j vulnerability impact on Alfresco community edition

Hi,

I would like to know whether any of the Alfresco Community edition components are affected by CVE-2021-44228.

In alfresco-community-repo (8.423), I could see that Alfresco Core has log4j 1.2.17 in pom.xml. Also, the Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1.

Please share some insights on this and also on other components like:
- acs-community-packaging (7.0.0)
- Alfresco share (alfresco-share-parent-7.0.0)
- Alfresco Search Services (2.0.1)
- Alfresco Activemq
- Alfresco acs-community-ingress (alfresco-acs-nginx-3.1.1)

5 Replies
abhinavmishra14
Advanced

Re: log4j vulnerability impact on Alfresco community edition

@prabhav Check out this blog post:

https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-se... 

Better insights may be available to enterprise licensed customers; the links given in the blog post take you to the Support portal. If you have an enterprise license, you can also open a support case for any more info you need.

I hope the Alfresco team will provide better insights for community users too soon and shed some light of confidence on community users as well.


~Abhinav
(ACSCE, AWS SAA, GAIQ)
r_aurelian
Active Member II

Re: log4j vulnerability impact on Alfresco community edition

Hello,

I have the same question and did not find a definite answer. I saw the blog post about the fact that Alfresco is not affected by CVE-2021-44832 and I guess that is because Alfresco uses Log4j 1.2.17, is that correct?

The problem is that Log4j 1.2.x, including 1.2.17, has another security vulnerability which also seems at least as serious as the most recent one: https://www.cvedetails.com/cve/CVE-2019-17571/

Can someone please mention if CVE-2019-17571 affects Alfresco and how? If not, then why (since Log4j 1.2.17 is being used)? We would need more details so as to understand the risk we are exposed to.

Thank you!

angelborroy
Alfresco Employee

Re: log4j vulnerability impact on Alfresco community edition

Alfresco is not affected by CVE-2021-4104, CVE-2019-17571 nor CVE-2021-4104. In order to be exposed to those vulnerabilities you need to explicitly enable some Log4j services that are off by default when using ACS.

Hyland Developer Evangelist
r_aurelian
Active Member II

Re: log4j vulnerability impact on Alfresco community edition

Thank you for your reply!

prabhav
Member II

Re: log4j vulnerability impact on Alfresco community edition

Hi @angelborroy,
Does the same go for CVE-2021-44228? Because the Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1. Also, please let me know if any of the components mentioned in the description are affected by CVE-2021-44228.
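The two questions running through this thread, whether a log4j-core 2.x artifact reaches a deployment transitively and whether the log4j 1.2.17 issues only apply when specific features are switched on, are both answerable from the deployment's own artifacts. The script below is an added example, not Alfresco's code or anything from this thread: it parses `mvn dependency:tree` output, classifies every log4j artifact it finds against CVE-2021-44228 using the fixed versions from the Apache advisories (2.15.0 for the Java 8 line, 2.12.2 for Java 7, 2.3.1 for Java 6), and checks a log4j 1.x properties file for an active JMSAppender, the feature CVE-2021-4104 depends on. The dependency tree and properties text embedded here are constructed samples, and the coordinates in them are assumptions, not output captured from an Alfresco build.

```python
"""Inventory log4j artifacts from a Maven dependency tree and classify them.
Added example; the sample tree and properties file are constructed."""
import re

# Constructed `mvn dependency:tree` output (assumption: a real inventory must
# be generated from the actual build of the deployment being assessed).
SAMPLE_TREE = """\
[INFO] org.alfresco:alfresco-core:jar:8.423
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.mybatis:mybatis:jar:3.3.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- org.example:other-lib:jar:1.0.0:compile
"""

# Constructed log4j 1.x properties file (assumption, not Alfresco's shipped file).
SAMPLE_PROPERTIES = """\
log4j.rootLogger=error, Console
log4j.appender.Console=org.apache.log4j.ConsoleAppender
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

# Tree lines look like "[INFO] |  \- group:artifact:type[:classifier]:version[:scope]".
COORD_RE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(\S+:\S+:\S+)")
SCOPES = {"compile", "runtime", "test", "provided", "system"}


def parse_tree(text):
    """Return (group, artifact, version) for every dependency line in the tree."""
    found = []
    for line in text.splitlines():
        m = COORD_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        # The version is the last field unless a scope follows it.
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        found.append((group, artifact, version))
    return found


def version_tuple(v):
    """Turn '2.14.1' into (2, 14, 1); missing components are padded with 0."""
    nums = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def log4j2_core_status(version):
    """Classify a log4j-core 2.x version against CVE-2021-44228."""
    v = version_tuple(version)
    if v < (2, 0, 0):
        return "not a 2.x artifact"
    # Fixed in 2.15.0; backports 2.12.2 (Java 7) and 2.3.1 (Java 6) are also fixed.
    if v >= (2, 15, 0) or (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return "patched for CVE-2021-44228"
    return "VULNERABLE to CVE-2021-44228 (JNDI lookup reachable with default configuration)"


def classify(deps):
    """Return (coordinate, status) pairs for the log4j artifacts in a dependency list."""
    findings = []
    for group, artifact, version in deps:
        coord = f"{group}:{artifact}:{version}"
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            findings.append((coord, log4j2_core_status(version)))
        elif group == "log4j" and artifact == "log4j":
            # 1.x is end of life. CVE-2019-17571 needs the SocketServer to be
            # running and CVE-2021-4104 needs a configured JMSAppender.
            findings.append((coord, "log4j 1.x (EOL): exposed only if SocketServer "
                                    "or JMSAppender is enabled"))
    return findings


RISKY_LOG4J1_CLASSES = ("org.apache.log4j.net.JMSAppender",)


def risky_appenders(properties_text):
    """Return active (uncommented) property lines that configure a JMSAppender."""
    hits = []
    for line in properties_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue
        if any(cls in stripped for cls in RISKY_LOG4J1_CLASSES):
            hits.append(stripped)
    return hits


if __name__ == "__main__":
    for coord, status in classify(parse_tree(SAMPLE_TREE)):
        print(f"{coord}: {status}")
    print("active JMSAppender lines:", risky_appenders(SAMPLE_PROPERTIES))
```

Two caveats when applying this to a real deployment. A dependency declared in a library's own pom.xml is not necessarily shipped: Maven does not propagate optional dependencies, so the tree (or the jars actually present in the web application) is the authoritative inventory, not a library's pom. And 2.15.0 is only the floor for CVE-2021-44228; the follow-up issues, up to the CVE-2021-44832 mentioned earlier in this thread, moved the recommended log4j-core release to 2.17.1.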