log4j remote code execution

Issue date: 13-12-2021
Affects versions: 14.7, 14.6, 13.4, 12.6

Security Issue ID

SECURITY-281

Affected Product Version(s)

14.7.0, 13.4.11, 12.6.19 and previous releases.

Severity

high

Description

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

brXM versions 12.6.20, 13.4.12, and 14.7.1 have been updated to use log4j 2.15.0, which closes this vulnerability by disabling lookups in log messages by default.

Instructions

Customers are recommended to upgrade to the latest brXM version available.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

log4j remote code execution