Log4j vulnerability impact on Tridion Sites 9.5 and other versions
000017709|12/20/2021 11:34 AM
SDL Tridion Sites - all versions
On December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server; a so-called Remote Code Execution (RCE). Because of the widespread use of Java and log4j this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.
It is CVE-2021-44228 and affects version 2 of log4j between versions 2.0-beta-9 and 2.14.1. It is not present in version 1 of log4j and is patched in 2.15.0.
Tridion Sites is not affected by this vulnerability.
• Tridion Content Delivery does not use log4j core; it uses logback instead, which is not vulnerable to this attack. We do include the log4j-api JAR in our services, but this is not the file that has the vulnerability. Security scans may still flag log4j-api because of its version. To mitigate this, the log4j-api version in Content Delivery services can be safely updated to the most recent version (2.17 or later). https://logging.apache.org/log4j/2.x/download.html
One exception is the Deployer service in SDL Web 8/8.1. The log4j-core library is included but is not actually used. It can be safely removed from Deployer services that have it present. Security scans may also still pick up log4j-api because of its version, though it is not vulnerable. This JAR file can also be updated to the most recent version (2.16 or later). https://logging.apache.org/log4j/2.x/download.html
• Tridion Content Manager search (SOLR) does use log4j core, but it is a very old version (1.x) which is also not vulnerable. The log4j 1.x implementation in Content Manager search does *not* use the JMS Appender, so the customization that can lead to a vulnerable configuration is not in place.
• It is safe to update the log4j version in the embedded Tomcat search component to the fixed version of 2.16 or later. The higher log4j versions are compatible with Tomcat versions 8.5 and higher: https://logging.apache.org/log4j/2.x/log4j-appserver/index.html
• DD4T/DXA – these do not include log4j 2 core by default.
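As an added example (not part of the RWS/SDL article), the following POSIX shell script inventories the log4j JARs below an install root and applies the distinctions the article draws: log4j-core is the artifact that carries the vulnerability, log4j-api is only flagged by scanners on version, and log4j 1.x is reported separately. The directory layout it builds is constructed for the demonstration, not a real Tridion path.

```shell
# Added example, not code from the RWS/SDL article: list log4j JARs below a
# root and separate log4j-core from log4j-api and legacy log4j 1.x jars.

# Classify a jar by its file name: core, api, legacy (1.x) or other.
log4j_kind() {
  case "$(basename "$1")" in
    log4j-core-*.jar) echo core ;;
    log4j-api-*.jar)  echo api ;;
    log4j-1.*.jar)    echo legacy ;;
    *)                echo other ;;
  esac
}

# Extract the version from log4j-<module>-<version>.jar or log4j-<version>.jar.
log4j_version() {
  basename "$1" .jar | sed -e 's/^log4j-//' -e 's/^[a-z][a-z0-9-]*-\([0-9]\)/\1/'
}

# Succeed when version $1 is at least $2, comparing major.minor.patch
# numerically; pre-release suffixes such as -beta9 are ignored.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, /[.-]/); split(b, y, /[.-]/)
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}

# Print "KIND VERSION STATUS PATH" for every log4j jar below $1: log4j-core is
# flagged for review (remove it where unused), log4j-api below 2.17 for update.
scan_log4j() {
  find "$1" -type f -name 'log4j-*.jar' | sort | while read -r jar; do
    kind=$(log4j_kind "$jar"); ver=$(log4j_version "$jar")
    case "$kind" in
      core) status=core-present ;;
      api)  if version_ge "$ver" 2.17.0; then status=api-ok; else status=api-outdated; fi ;;
      *)    status=info ;;
    esac
    echo "$kind $ver $status $jar"
  done
}

# Constructed sample tree standing in for a Content Delivery install (the
# directory names are made up, not real Tridion paths). Pass a real root as $1.
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/deployer/lib" "$ROOT/discovery/lib"
: > "$ROOT/deployer/lib/log4j-core-2.14.1.jar"
: > "$ROOT/deployer/lib/log4j-api-2.14.1.jar"
: > "$ROOT/discovery/lib/log4j-api-2.17.1.jar"
: > "$ROOT/discovery/lib/logback-classic-1.2.3.jar"
scan_log4j "${1:-$ROOT}"
```

The file-name check only tells you which artifacts are present; it does not replace a scanner that inspects jar contents, but it is enough to confirm the article's claim that a service ships log4j-api without log4j-core.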