cancel
Showing results for 
Search instead for 
Did you mean: 

Upgrade ACS 7.0.0 to 7.0.1 has LOG4j vulnerabilities

michaelzietlow
Confirmed Champ
Confirmed Champ

Hello, I have a stand alone install of Alfresco Community Edition 7.0.0 I performed via ansible and noticed ~webapps/_vti_bin.war has log4j 1.2.17 inside it which might be vulnerable (https://nvd.nist.gov/vuln/detail/CVE-2019-17571).  

 I'f _vti_bin.war was been updated in 7.0.1 I'd like to upgrade but the upgrade path reads like I need to do a fresh ACS7.0.1 install and transfer my 7.0.0 content store to it?    Am I reading this wrong?

1 REPLY 1

michaelzietlow
Confirmed Champ
Confirmed Champ

**UPDATE**
  I upgraded to the latest Community 7.1.1 zip and I ran a Tenable scan agains my content-services-7.1.0.1.  It still reports the following log4j vulnerability.

  • Synopsis

    The logging library running inside ~/web-server/webapps/_vti_bin.war is version 1.2.17 from 2016. It has multiple log4j vulnerabilities that should be patched.

  • Description

    According to its self-reported version number(1.2.17), the installation of Apache Log4j in ACS 7.1.x is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :
    ...
    ...
    ~EDITED~we dont need to describe how to compromise this version log4j here~EDITED~