https://connect.hyland.com/t5/alfresco-forum/upgrade-acs-7-0-0-to-7-0-1-has-log4j-vulnerabilities/m-p/130187#M35199 <P>Hello, I have a stand alone install of Alfresco Community Edition 7.0.0 I performed via ansible and noticed ~webapps/_vti_bin.war has log4j 1.2.17 inside it which might be vulnerable (<A href="https://nvd.nist.gov/vuln/detail/CVE-2019-17571" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2019-17571</A>).&nbsp;&nbsp;</P><P>&nbsp;I'f _vti_bin.war was been updated in 7.0.1 I'd like to upgrade but the upgrade path reads like I need to do a fresh ACS7.0.1 install and transfer my 7.0.0 content store to it?&nbsp;&nbsp;&nbsp; Am I reading this wrong?</P> Mon, 14 Feb 2022 18:51:57 GMT michaelzietlow 2022-02-14T18:51:57Z https://connect.hyland.com/t5/alfresco-forum/upgrade-acs-7-0-0-to-7-0-1-has-log4j-vulnerabilities/m-p/130187#M35199 <P>Hello, I have a stand alone install of Alfresco Community Edition 7.0.0 I performed via ansible and noticed ~webapps/_vti_bin.war has log4j 1.2.17 inside it which might be vulnerable (<A href="https://nvd.nist.gov/vuln/detail/CVE-2019-17571" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2019-17571</A>).&nbsp;&nbsp;</P><P>&nbsp;I'f _vti_bin.war was been updated in 7.0.1 I'd like to upgrade but the upgrade path reads like I need to do a fresh ACS7.0.1 install and transfer my 7.0.0 content store to it?&nbsp;&nbsp;&nbsp; Am I reading this wrong?</P> Mon, 14 Feb 2022 18:51:57 GMT https://connect.hyland.com/t5/alfresco-forum/upgrade-acs-7-0-0-to-7-0-1-has-log4j-vulnerabilities/m-p/130187#M35199 michaelzietlow 2022-02-14T18:51:57Z https://connect.hyland.com/t5/alfresco-forum/upgrade-acs-7-0-0-to-7-0-1-has-log4j-vulnerabilities/m-p/130188#M35200 <DIV><P>**UPDATE**<BR />&nbsp; I upgraded to the latest Community 7.1.1 zip and I ran a Tenable scan agains my content-services-7.1.0.1.&nbsp; It still reports the following log4j vulnerability.</P><UL><LI><H3 id="toc-hId-1477682813">Synopsis</H3><DIV class=""><P>The logging library running inside ~/web-server/webapps/_vti_bin.war is version&nbsp;1.2.17 from 2016. It has multiple log4j vulnerabilities that should be patched.</P></DIV></LI></UL></DIV><DIV><UL><LI><H3 id="toc-hId--1074474148">Description</H3><DIV class=""><P>According to its self-reported version number(1.2.17), the installation of Apache Log4j in ACS 7.1.x is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :<BR />...<BR />...<BR />~EDITED~we dont need to describe how to compromise this version log4j here~EDITED~</P></DIV></LI></UL></DIV> Wed, 27 Apr 2022 20:10:13 GMT https://connect.hyland.com/t5/alfresco-forum/upgrade-acs-7-0-0-to-7-0-1-has-log4j-vulnerabilities/m-p/130188#M35200 michaelzietlow 2022-04-27T20:10:13Z