Hi,
I would like to know whether any of the Alfresco Community edition components are affected by CVE-2021-44228
In alfresco-community-repo (8.423), I could see that Alfresco Core has log4j 1.2.17 in pom.xml. Also, Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1.
Please share some insights on this and also on other components like
- acs-community-packaging (7.0.0)
- Alfresco share (alfresco-share-parent-7.0.0)
- Alfresco Search Services (2.0.1)
- Alfresco Activemq
- Alfresco acs-community-ingress (alfresco-acs-nginx-3.1.1)
@prabhav Check out this blog post:
Better insights may be available to enterprise licensed customers. The links given in the blog post take you to the Support portal. If you have an enterprise license, you can also open a support case for any more info you need.
I hope the Alfresco team will provide better insights for community users too soon and shed some light of confidence on community users as well.
Hello,
I have the same question and did not find a definite answer. I saw the blog post about the fact that Alfresco is not affected by CVE-2021-44832 and I guess that is because Alfresco uses Log4j 1.2.17, is that correct?
The problem is that Log4j 1.2.x, including 1.2.17, has another security vulnerability which also seems at least as serious as the most recent one: https://www.cvedetails.com/cve/CVE-2019-17571/
Can someone please mention if CVE-2019-17571 affects Alfresco and how? If not, then why (since Log4j 1.2.17 is being used)? We would need more details so as to understand the risk we are exposed to.
Thank you!
Alfresco is not affected by CVE-2021-4104, CVE-2019-17571 nor CVE-2021-4104. In order to be exposed to those vulnerabilities you need to explicitly enable some Log4j services that are off when using ACS by default.
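Rather than trusting version strings in a pom, a practitioner can inventory what is actually deployed. The script below is an added example (not Alfresco's code): it lists Log4j 1.x and log4j-core jars under a directory, including jars nested inside WARs the way mybatis drags in log4j-core, and flags any log4j properties/xml file that configures the JMSAppender behind CVE-2021-4104, one of the Log4j services the answer above says is off by default. The directory layout and files built in demo() are a constructed fixture, not a real Alfresco install.

```python
import io, os, re, tempfile, zipfile

# Maven pom.properties entries that identify Log4j 1.x and Log4j 2 core inside a jar.
POM_PROPS = {"META-INF/maven/log4j/log4j/pom.properties": "log4j-1.x",
             "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core-2.x"}
# The Log4j 1.x appender behind CVE-2021-4104; it is only reachable when a config enables it.
JMS_APPENDER = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")

def _scan_zip(zf, location, found):
    """Record Log4j versions from pom.properties and recurse into nested jars (e.g. WEB-INF/lib)."""
    for name in zf.namelist():
        kind = POM_PROPS.get(name)
        if kind:
            m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
            found.append((location, kind, m.group(1).strip() if m else "unknown"))
        elif name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, location + "!" + name, found)

def scan_log4j(root):
    """Return (artifacts, risky_configs) for every Log4j jar and JMSAppender config under root."""
    artifacts, risky = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith((".jar", ".war", ".ear")):
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, artifacts)
            elif fn.startswith("log4j") and fn.endswith((".properties", ".xml")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if JMS_APPENDER.search(fh.read()):
                        risky.append(path)
    return artifacts, risky

def demo():
    """Constructed fixture: a war bundling log4j-core 2.14.1, a log4j 1.2.17 jar, a JMSAppender config."""
    root = tempfile.mkdtemp()
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                     "artifactId=log4j-core\nversion=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "alfresco.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr("META-INF/maven/log4j/log4j/pom.properties", "version=1.2.17\n")
    with open(os.path.join(root, "log4j.properties"), "w") as fh:
        fh.write("log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    return scan_log4j(root)
```

The SocketServer behind CVE-2019-17571 is a separately launched listener rather than a config setting, so it is not something this file scan can detect; check running processes for it instead.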
Thank you for your reply!
Hi @angelborroy ,
Does the same go for CVE-2021-44228? Because Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1. Also, please let me know if any of the components mentioned in the description are affected by CVE-2021-44228.
Hi @angelborroy , any update on this?
As this version of log4j is marked as EOL, we wanted to know if Alfresco has replaced the 1.x version shipped along with the product.