log4j vulnerability impact on Alfresco community edition

prabhav
Active Member

log4j vulnerability impact on Alfresco community edition


Hi,

I would like to know whether any of the Alfresco Community edition components are affected by CVE-2021-44228.

In alfresco-community-repo (8.423), I could see that Alfresco Core has log4j 1.2.17 in pom.xml. Also, the Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1.

Please share some insights on this and also on other components like
- acs-community-packaging (7.0.0)
- Alfresco share (alfresco-share-parent-7.0.0)
- Alfresco Search Services (2.0.1)
- Alfresco Activemq
- Alfresco acs-community-ingress (alfresco-acs-nginx-3.1.1)

7 Replies
abhinavmishra14
Advanced

Re: log4j vulnerability impact on Alfresco community edition


@prabhav Checkout this blog post:

https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-se... 

Better insights may be available to enterprise licensed customers. The links given in the blog post take you to the Support portal. If you have an enterprise license, you can also open a support case for any more info you need.

I hope the Alfresco team will provide better insights for community users too soon and shed some light of confidence on community users as well.

~Abhinav
(ACSCE, AWS SAA, Azure Admin)
r_aurelian
Active Member II

Re: log4j vulnerability impact on Alfresco community edition


Hello,

I have the same question and did not find a definite answer. I saw the blog post about the fact that Alfresco is not affected by CVE-2021-44832 and I guess that is because Alfresco uses Log4j 1.2.17, is that correct?

The problem is that Log4j 1.2.x, including 1.2.17 has another security vulnerability which also seems at least as serious as the most recent one: https://www.cvedetails.com/cve/CVE-2019-17571/

Can someone please mention if CVE-2019-17571 affects Alfresco and how? If not, then why (since Log4j 1.2.17 is being used)? We would need more details so as to understand the risk we are exposed to.

Thank you!

angelborroy
Alfresco Employee

Re: log4j vulnerability impact on Alfresco community edition


Alfresco is not affected by CVE-2021-4104, CVE-2019-17571 nor CVE-2021-4104. In order to be exposed to those vulnerabilities you need to explicitly enable some Log4j services that are off when using ACS by default.

Hyland Developer Evangelist
r_aurelian
Active Member II

Re: log4j vulnerability impact on Alfresco community edition


Thank you for your reply!

prabhav
Active Member

Re: log4j vulnerability impact on Alfresco community edition


Hi @angelborroy ,
Same goes for CVE-2021-44228? Because the Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1. Also, please let me know if any of the components mentioned in the description are affected by CVE-2021-44228.

prabhav
Active Member

Re: log4j vulnerability impact on Alfresco community edition


Hi @angelborroy , any update on this?

navaneethvg
Member II

Re: log4j vulnerability impact on Alfresco community edition


We use Alfresco version 7.1.0.1 and checked; even in that package, log4j 1.x is being used.

Community 5.2.0: this version also comes with log4j version 1.x shipped along with the product.

As this version of log4j is marked as EOL, we wanted to know if Alfresco has replaced the 1.x version shipped along with the product.
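The thread keeps circling between what a pom.xml declares and what is actually on disk, and the accepted answer's point is that the Log4j 1.2 issues need an off-by-default service turned on. The following added example (not code from Alfresco or any poster) does both checks on an installation: it inventories Log4j jars by their Maven-style file names (an assumed naming convention) and flags the JMSAppender in a log4j.properties, which is the off-by-default component behind CVE-2021-4104; the sample jar list and config are constructed, and tomcat/webapps and shared/lib are assumed locations.

```python
import re
from pathlib import Path

# Jar names like log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-1.2-api-2.17.1.jar
JAR_RE = re.compile(r"^log4j(?:-(?P<artifact>[a-z0-9.-]+?))?-(?P<ver>\d+(?:\.\d+)+)\.jar$")
# Log4j 1.2 appender that is inactive unless configured; it is the CVE-2021-4104 vector
RISKY_APPENDERS = {"org.apache.log4j.net.JMSAppender"}
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.[\w.]+\s*=\s*(?P<cls>[\w.]+)", re.M)

def classify_jar(name):
    """Return (artifact, version, note) for a Log4j jar file name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    artifact = m.group("artifact") or "log4j"
    ver = tuple(int(p) for p in m.group("ver").split("."))
    if ver[0] == 1:
        note = "Log4j 1.x (EOL): JMSAppender (CVE-2021-4104) and SocketServer (CVE-2019-17571) are off unless configured or run"
    elif artifact == "core" and ver < (2, 15, 0):
        note = "log4j-core < 2.15.0: JNDI lookup of CVE-2021-44228 present"
    elif artifact == "core" and ver < (2, 17, 1):
        note = "log4j-core < 2.17.1: later Log4j 2 fixes (e.g. CVE-2021-44832) missing"
    else:
        note = "not flagged"
    return artifact, ".".join(map(str, ver)), note

def scan_dir(root):
    """Walk an install tree (assumed: tomcat/webapps, shared/lib) for Log4j jars on disk."""
    pairs = ((str(p), classify_jar(p.name)) for p in Path(root).rglob("*.jar"))
    return [(path,) + found for path, found in pairs if found]

def risky_appenders(config_text):
    """Appender classes in a log4j.properties that switch on an off-by-default service."""
    classes = {m.group("cls") for m in APPENDER_RE.finditer(config_text)}
    return sorted(classes & RISKY_APPENDERS)

# Constructed sample input, not taken from an Alfresco distribution
SAMPLE_JARS = ["log4j-1.2.17.jar", "log4j-core-2.14.1.jar", "log4j-api-2.17.1.jar", "mybatis-3.3.0.jar"]
SAMPLE_CONFIG = """log4j.rootLogger=error, Console
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

def report(jar_names=SAMPLE_JARS, config_text=SAMPLE_CONFIG):
    """Jar inventory plus any off-by-default appender the config turns on."""
    jars = [f for f in map(classify_jar, jar_names) if f]
    return {"jars": jars, "risky_appenders": risky_appenders(config_text)}
```

Run `report(scan_dir("/opt/alfresco")` style inventories against the real webapp and shared lib directories and feed the deployed log4j.properties to `risky_appenders`; a jar that pom.xml lists as a transitive dependency but that never lands on disk does not need patching, while a configured JMSAppender does.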