topic Re: log4j vulnerability impact on Alfresco community edition in Alfresco Forum

log4j vulnerability impact on Alfresco community edition

prabhav — Fri, 24 Dec 2021 08:33:31 GMT

Hi,

I would like to know whether any of the Alfresco Community edition components are affected by CVE-2021-44228

In alfresco-community-repo(8.423), I could see that Alfresco Core has log4j 1.2.17 in pom.xml. Also, Alfresco repository uses mybatis-3.3.0 which has dependency on log4j-core 2.14.1.

Please share some insights on this and also on other components like
- acs-community-packaging (7.0.0)
- Alfresco share (alfresco-share-parent-7.0.0)
- Alfresco Search Services (2.0.1)
- Alfresco Activemq
- Alfresco acs-community-ingress (alfresco-acs-nginx-3.1.1)

Re: log4j vulnerability impact on Alfresco community edition

abhinavmishra14 — Sun, 26 Dec 2021 15:53:34 GMT

@prabhav Checkout this blog post:

https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-security-advisory/ba-p/310717

Better insights may be available to enterprise licensed customers, The links given in the blog post takes to Support portal. If you have enterprise license, you can also open a support case for more info you need.

I hope Alfresco team will provide better insights for community users too sooner and shade some lights of confidence to community users as well.

Re: log4j vulnerability impact on Alfresco community edition

r_aurelian — Thu, 13 Jan 2022 14:48:40 GMT

Hello,

I have the same question and did not find a definite answer. I saw the blog post about the fact that Alfresco is not affected by CVE-2021-44832 and I guess that is because Alfresco uses Log4j 1.2.17, is that correct?

The problem is that Log4j 1.2.x, including 1.2.17 has another security vulnerability which also seems at least as serious as the most recent one: https://www.cvedetails.com/cve/CVE-2019-17571/

Can someone please mention if CVE-2019-17571 affects Alfresco and how? If not, then why (since og4j 1.2.17 is being used)? We would need more details so as to undersdtand the risk we are exposed to.

Thank you!

Re: log4j vulnerability impact on Alfresco community edition

angelborroy — Thu, 13 Jan 2022 15:01:44 GMT

Alfresco is not affected by CVE-2021-4104, CVE-2019-17571 nor CVE-2021-4104. In order to be exposed to those vulnerabilities you need to enable explicitelly some Log4j services that are off when using ACS by default.

Re: log4j vulnerability impact on Alfresco community edition

r_aurelian — Fri, 14 Jan 2022 13:36:47 GMT

Thank you for your reply!

Re: log4j vulnerability impact on Alfresco community edition

prabhav — Mon, 17 Jan 2022 10:48:47 GMT

Hi @angelborroy ,
Same goes with the CVE-2021-44228? Because Alfresco repository uses mybatis-3.3.0 which has dependency on log4j-core 2.14.1. Also, please let me know if any of the components mentioned in the description are affected by CVE-2021-44228

Re: log4j vulnerability impact on Alfresco community edition

prabhav — Mon, 21 Feb 2022 09:56:55 GMT

Hi @angelborroy , any update on this?

Re: log4j vulnerability impact on Alfresco community edition

navaneethvg — Fri, 08 Sep 2023 09:43:33 GMT

We alfresco version 7.1.0.1 and checked ,even in that package also log4 1.x using.

Community - 5.2.0 - This version also comes with log4j version 1.x. shipped along with the product.

As this version of log4j is Marked as EOL, We wanted to know if alfresco has replaced shipping the 1.x version along with product