Hi,
Is anybody aware of the consequences of this nasty log4j vulnerability for Alfresco Community versions?
A very quick look shows that log4j v 1.2.17 is used in Alfresco Community (repo and share), and is not directly hit by CVE-2021-44228 (seems to be versions >2 only), but then the question arises why such an old (and unsupported since 2015?) version of log4j is being used happily here in late 2021.
Any thoughts?
Thanks,
Max
Hi,
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
"applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower."
Does anybody know a quick fix to update Log4j?
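The comment quoted above ties Log4j 1.x exposure to whether the configuration uses JNDI. The following check is an added example, not part of this thread and not Alfresco or Log4j code. It assumes the JNDI use comes from `org.apache.log4j.net.JMSAppender` or from remote naming URLs in appender options; `find_jndi_use` is a hypothetical name and the sample configuration is constructed.

```python
import re

# Log4j 1.x appender class that resolves its JMS objects through JNDI.
JNDI_APPENDER = "org.apache.log4j.net.JMSAppender"
# JMSAppender options that feed the JNDI lookup (compared case-insensitively).
JNDI_OPTIONS = {"topicbindingname", "topicconnectionfactorybindingname",
                "initialcontextfactoryname", "providerurl", "urlpkgprefixes"}
REMOTE_SCHEME = re.compile(r"^(ldaps?|rmi|iiop|dns):", re.I)
LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")

def find_jndi_use(properties_text):
    """Return sorted (appender, reason) pairs for JNDI-related settings."""
    findings = set()
    for raw in properties_text.splitlines():
        if not raw.strip() or raw.lstrip()[0] in "#!":
            continue  # blank line or comment
        m = LINE.match(raw)
        if not m:
            continue  # malformed line without a key
        key, value = m.groups()
        parts = key.split(".")
        if parts[:2] != ["log4j", "appender"] or len(parts) < 3:
            continue  # only appender definitions are of interest
        name = parts[2]
        if len(parts) == 3 and value == JNDI_APPENDER:
            findings.add((name, "class JMSAppender"))
        elif len(parts) == 4 and parts[3].lower() in JNDI_OPTIONS:
            findings.add((name, "option " + parts[3]))
        elif REMOTE_SCHEME.match(value):
            findings.add((name, "remote URL in " + ".".join(parts[3:])))
    return sorted(findings)

# Constructed sample, not Alfresco's shipped log4j.properties.
SAMPLE = """\
log4j.rootLogger=error, Console, jms
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.Console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=ldap://directory.example/cn=topic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

if __name__ == "__main__":
    for appender, reason in find_jndi_use(SAMPLE):
        print(appender, "->", reason)
```

An empty result means no appender in that file is configured for JNDI; it says nothing about other libraries on the classpath.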
Hi @maxodoble -
You can also find a post here on the Hub about it: https://hub.alfresco.com/t5/alfresco-content-services-blog/apache-log4j-vulnerability-cve-2021-44228...
We'll also be providing extra updates as we get them from Hyland's security teams.
Thanks,
Amanda