DoS vulnerability in log4j < 2.17.0
Issue date: 20-12-2021
Affects versions: 14.7, 13.4, 12.6
Security Issue ID
SECURITY-287
Affected Product Version(s)
14.7.2, 13.4.13, 12.6.22 and previous releases.
Severity
medium
Description
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
The default logging configuration provided by Bloomreach does not use a 'ctx' pattern that would trigger this vulnerability, so we believe the actual risk to customers is low. brXM versions 12.6.23, 13.4.14, and 14.7.3 have been updated to use log4j 2.17.0, which closes this vulnerability.
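The description above gives a defender two things to verify: whether the deployed Log4j2 build falls in the affected range, and whether any layout pattern in the logging configuration uses the `ctx` lookup (`${ctx:...}` or the lazily evaluated `$${ctx:...}`) that makes the recursion reachable. The plain `%X{key}` converter reads the Thread Context Map directly without going through the lookup machinery, so it is not the pattern the advisory warns about. The script below is an added example, not part of this advisory or of Bloomreach's code; the sample configurations are constructed, and the version rule encodes only the two fixed releases the advisory names (2.17.0 and 2.12.3) and assumes that later 2.12.x patch releases carry the same fix.

```python
"""Check exposure to CVE-2021-45105 on two axes:
  1. is the Log4j2 version inside the affected range, and
  2. does a log4j2 XML configuration use the ${ctx:...} lookup in a pattern.
Added example; version rule based only on the fixed releases named in the advisory."""
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and the lazily evaluated $${ctx:key} form.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")


def parse_version(ver: str) -> tuple:
    """'2.16.0' -> (2, 16, 0). A pre-release tag such as '2.0-alpha1' is
    compared by its numeric part only, which keeps it inside the affected range."""
    numeric = ver.split("-", 1)[0]
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(ver: str) -> bool:
    """True for 2.0-alpha1 .. 2.16.0 except 2.12.3.
    Assumption: 2.12.x releases after 2.12.3 are treated as fixed as well.
    Other maintenance branches are not modelled; Log4j 1.x is a different
    code base and is out of scope for this CVE."""
    major, minor, patch = parse_version(ver)
    if major != 2:
        return False
    if minor == 12:
        return patch < 3  # 2.12.x branch was fixed in 2.12.3
    return (major, minor, patch) < (2, 17, 0)


def find_ctx_lookups(config_xml: str) -> list:
    """Return (tag, attribute-or-'text', value) for every attribute or element
    text in a log4j2 XML configuration that contains a ctx lookup."""
    hits = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if CTX_LOOKUP.search(value):
                hits.append((elem.tag, attr, value))
        if elem.text and CTX_LOOKUP.search(elem.text):
            hits.append((elem.tag, "text", elem.text.strip()))
    return hits


# Constructed sample: MDC is read with %X{...}, no lookup involved.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c{1} user=%X{userId} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""

# Constructed sample: two appenders whose patterns go through the ctx lookup,
# once as an attribute and once as a nested <Pattern> element.
EXPOSED_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p login=$${ctx:loginId} - %m%n"/>
    </Console>
    <File name="audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p ${ctx:loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""


def report(ver: str, config_xml: str) -> str:
    """Combine both checks into a one-line verdict for an operator."""
    vulnerable = is_vulnerable_version(ver)
    lookups = find_ctx_lookups(config_xml)
    if vulnerable and lookups:
        return "exposed: affected version and %d ctx lookup pattern(s)" % len(lookups)
    if vulnerable:
        return "affected version, no ctx lookup pattern found; upgrade anyway"
    return "version not affected"


if __name__ == "__main__":
    print(report("2.16.0", SAFE_CONFIG))
    print(report("2.16.0", EXPOSED_CONFIG))
    print(report("2.17.0", EXPOSED_CONFIG))
```

Running the script against a real deployment means pointing `find_ctx_lookups` at the live `log4j2.xml` and taking the version from the `log4j-core` jar's manifest; the configuration check only catches lookups written in the file itself, so patterns assembled at runtime or coming from other configuration formats still need a separate look.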
Instructions
Customers are recommended to upgrade to the latest brXM version available.