log4j remote code execution

Issue date: 13-12-2021
Affects versions: 14.7, 14.6, 13.4, 12.6

Security Issue ID

SECURITY-281

Affected Product Version(s)

14.7.0, 13.4.11, 12.6.19 and previous releases.

Severity

high

Description

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

brXM versions 12.6.20, 13.4.12, and 14.7.1 have been updated to use log4j 2.15.0, which closes this vulnerability by disabling lookups in log messages by default.

Instructions

Customers are recommended to upgrade to the latest brXM version available.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

log4j remote code execution