Help

Upgrade ACS 7.0.0 to 7.0.1 has LOG4j vulnerabilities

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
michaelzietlow
Active Member II
‎14 Feb 2022 6:51 PM

Upgrade ACS 7.0.0 to 7.0.1 has LOG4j vulnerabilities

Hello, I have a stand alone install of Alfresco Community Edition 7.0.0 I performed via ansible and noticed ~webapps/_vti_bin.war has log4j 1.2.17 inside it which might be vulnerable (https://nvd.nist.gov/vuln/detail/CVE-2019-17571).  

 I'f _vti_bin.war was been updated in 7.0.1 I'd like to upgrade but the upgrade path reads like I need to do a fresh ACS7.0.1 install and transfer my 7.0.0 content store to it?    Am I reading this wrong?

0 Kudos
Reply
1 Reply
michaelzietlow
Active Member II
‎27 Apr 2022 9:10 PM

ACS7.0.0-7.1.1 has Multiple Apache Log4j Vulnerabilities and should be patched!

**UPDATE**
  I upgraded to the latest Community 7.1.1 zip and I ran a Tenable scan agains my content-services-7.1.0.1.  It still reports the following log4j vulnerability.

  • Synopsis

    The logging library running inside ~/web-server/webapps/_vti_bin.war is version 1.2.17 from 2016. It has multiple log4j vulnerabilities that should be patched.

  • Description

    According to its self-reported version number(1.2.17), the installation of Apache Log4j in ACS 7.1.x is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :
    ...
    ...
    ~EDITED~we dont need to describe how to compromise this version log4j here~EDITED~

     

0 Kudos
Reply
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.