log4j vulnerability impact on Alfresco community edition

prabhav
Champ on-the-rise

Hi,

I would like to know whether any of the Alfresco Community Edition components are affected by CVE-2021-44228.

In alfresco-community-repo (8.423), I can see that Alfresco Core has log4j 1.2.17 in its pom.xml. Also, the Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1.

Please share some insights on this, and also on other components such as:
- acs-community-packaging (7.0.0)
- Alfresco share (alfresco-share-parent-7.0.0)
- Alfresco Search Services (2.0.1)
- Alfresco Activemq
- Alfresco acs-community-ingress (alfresco-acs-nginx-3.1.1)

1 ACCEPTED ANSWER

Alfresco is not affected by CVE-2021-4104, CVE-2019-17571 nor CVE-2021-4104. In order to be exposed to those vulnerabilities you need to explicitly enable some Log4j services that are off by default when using ACS.

Hyland Developer Evangelist

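The accepted answer turns on a distinction worth checking on a real install rather than in the pom: which Log4j jars are actually deployed under WEB-INF/lib, whether a 2.x core jar still carries JndiLookup (the class the CVE-2021-44228 fix removes), and whether the 1.x configuration opts in to JMSAppender (the precondition for CVE-2021-4104). The following scanner is an added example written for this thread; it is not Alfresco's own tooling, and the function names, the layout under `webapps/alfresco/WEB-INF` and the sample jars and log4j.properties it builds are all constructed for illustration, with empty placeholder entries standing in for real classes. Point `scan_deployment()` at an exploded Tomcat tree to check an actual deployment.

```python
"""Scan an exploded Java deployment for Log4j jars and for the 1.x
configuration that makes JMSAppender reachable.

Added example, not Alfresco project code. The sample deployment built by
build_sample() is constructed: jar names and versions mirror the thread,
but the entries are empty placeholders, not real classes.
"""
import os
import re
import tempfile
import zipfile

# Class entries that mark the vulnerable surfaces discussed in the thread.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # CVE-2021-44228 (2.x)
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # CVE-2021-4104 (1.x)
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"              # CVE-2019-17571 (1.x)
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"

# A log4j.properties line binding an appender to JMSAppender; group 1 is its name.
JMS_CONFIG_RE = re.compile(
    r"^\s*log4j\.appender\.(\w+)\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$", re.M)


def _maven_version(zf):
    """Artifact version from META-INF/maven/**/pom.properties, if the jar ships one."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return "unknown"


def inspect_jar(path):
    """Classify a jar as Log4j 1.x, Log4j 2 core or unrelated, and record which
    vulnerable classes it carries. Presence is a precondition, not proof of
    exposure: JMSAppender and SocketServer are inert unless configured/started.
    (The log4j-1.2-api bridge also carries org/apache/log4j/Logger.class and
    would be reported as 1.x here; its version string tells it apart.)"""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        family = None
        if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
            family = "log4j-2-core"
        elif LOG4J1_PREFIX + "Logger.class" in names:
            family = "log4j-1.x"
        return {"jar": path, "family": family,
                "version": _maven_version(zf) if family else None,
                "jndi_lookup": JNDI_LOOKUP in names,
                "jms_appender": JMS_APPENDER in names,
                "socket_server": SOCKET_SERVER in names}


def jms_appenders_in(config_path):
    """Names of appenders that a log4j.properties file binds to JMSAppender."""
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        return JMS_CONFIG_RE.findall(fh.read())


def scan_deployment(root):
    """Walk the tree; report Log4j jars, JMSAppender bindings and human-readable findings."""
    jars, jms = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn.endswith(".jar"):
                info = inspect_jar(full)
                if info["family"]:
                    info["jar"] = os.path.relpath(full, root)
                    jars.append(info)
            elif fn == "log4j.properties":
                jms += [(os.path.relpath(full, root), n) for n in jms_appenders_in(full)]
    findings = []
    for j in jars:
        if j["family"] == "log4j-2-core" and j["jndi_lookup"]:
            findings.append(f"{j['jar']}: log4j-core {j['version']} still contains JndiLookup (CVE-2021-44228 surface)")
        if j["family"] == "log4j-1.x":
            findings.append(f"{j['jar']}: log4j {j['version']} is 1.x (EOL); JMSAppender/SocketServer present but inert unless enabled")
    for cfg, name in jms:
        findings.append(f"{cfg}: appender '{name}' uses JMSAppender (CVE-2021-4104 reachable)")
    return {"jars": jars, "jms_appenders": jms, "findings": findings}


def build_sample(root, enable_jms=False):
    """Constructed stand-in for tomcat/webapps/alfresco (placeholder entries only)."""
    lib = os.path.join(root, "webapps", "alfresco", "WEB-INF", "lib")
    classes = os.path.join(root, "webapps", "alfresco", "WEB-INF", "classes")
    os.makedirs(lib)
    os.makedirs(classes)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        for n in (LOG4J1_PREFIX + "Logger.class", JMS_APPENDER, SOCKET_SERVER):
            zf.writestr(n, b"")
        zf.writestr("META-INF/maven/log4j/log4j/pom.properties", "version=1.2.17\n")
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(LOG4J2_CORE_PREFIX + "Logger.class", b"")
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", "version=2.14.1\n")
    with zipfile.ZipFile(os.path.join(lib, "mybatis-3.3.0.jar"), "w") as zf:
        zf.writestr("org/apache/ibatis/session/SqlSession.class", b"")  # not Log4j; must be ignored
    props = ["log4j.rootLogger=error, Console",
             "log4j.appender.Console=org.apache.log4j.ConsoleAppender"]
    if enable_jms:  # the kind of explicit opt-in the accepted answer refers to
        props += ["log4j.appender.jms=org.apache.log4j.net.JMSAppender",
                  "log4j.appender.jms.TopicBindingName=logTopic"]
    with open(os.path.join(classes, "log4j.properties"), "w") as fh:
        fh.write("\n".join(props) + "\n")


def run_sample(enable_jms=False):
    """Build the constructed deployment in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="alf-log4j-")
    build_sample(root, enable_jms)
    return scan_deployment(root)


if __name__ == "__main__":
    for line in run_sample(enable_jms=True)["findings"]:
        print(line)
```

With the default (console-only) configuration the scan reports the two jars and nothing about JMSAppender; only when a `log4j.appender.*=org.apache.log4j.net.JMSAppender` line is present does the CVE-2021-4104 finding appear. CVE-2019-17571 is a different case: SocketServer is a standalone listener that has to be started as its own process, so no log4j.properties check can confirm it is off; check the running JVMs instead.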

7 REPLIES

abhinavmishra14
World-Class Innovator

@prabhav Check out this blog post:

https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-se... 

Better insights may be available to enterprise-licensed customers; the links given in the blog post lead to the Support portal. If you have an enterprise license, you can also open a support case for any more info you need.

I hope the Alfresco team will provide better insights for community users too, sooner rather than later, and give community users some confidence as well.

~Abhinav
(ACSCE, AWS SAA, Azure Admin)

Hello,

I have the same question and did not find a definite answer. I saw the blog post about the fact that Alfresco is not affected by CVE-2021-44832, and I guess that is because Alfresco uses Log4j 1.2.17; is that correct?

The problem is that Log4j 1.2.x, including 1.2.17, has another security vulnerability which also seems at least as serious as the most recent one: https://www.cvedetails.com/cve/CVE-2019-17571/

Can someone please say whether CVE-2019-17571 affects Alfresco, and how? If not, then why (since Log4j 1.2.17 is being used)? We would need more details so as to understand the risk we are exposed to.

Thank you!

Alfresco is not affected by CVE-2021-4104, CVE-2019-17571 nor CVE-2021-4104. In order to be exposed to those vulnerabilities you need to explicitly enable some Log4j services that are off by default when using ACS.

Hyland Developer Evangelist

Thank you for your reply!

Hi @angelborroy ,
Does the same go for CVE-2021-44228? Because the Alfresco repository uses mybatis-3.3.0, which has a dependency on log4j-core 2.14.1. Also, please let me know whether any of the components mentioned in the description are affected by CVE-2021-44228.

prabhav
Champ on-the-rise

Hi @angelborroy , any update on this?

navaneethvg
Champ in-the-making

We use Alfresco version 7.1.0.1 and checked; even in that package, log4j 1.x is used.

Community 5.2.0: this version also ships with log4j version 1.x.

As this version of log4j is marked as EOL, we wanted to know if Alfresco has replaced the 1.x version shipped with the product.