On December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server, a so-called Remote Code Execution (RCE). Because of the widespread use of Java and log4j, this is likely one of the most serious vulnerabilities on the Internet since Heartbleed and ShellShock. It is CVE-2021-44228 and affects version 2 of log4j between versions 2.0-beta-9 and 2.14.1. It is not present in version 1 of log4j and is patched in 2.15.0.
Tridion Sites is not affected by this vulnerability.

• Tridion Content Delivery does not use log4j-core; it uses logback instead, which is not vulnerable to this attack. We do include the log4j-api JAR in our services, but this is not the file that has the vulnerability. Security scans may still flag log4j-api because of its version. To mitigate this, the log4j-api version in Content Delivery services can be safely updated to the most recent version (2.17 or later): https://logging.apache.org/log4j/2.x/download.html

One exception is the Deployer service in SDL Web 8/8.1. The log4j-core library is included there but is not actually used, and it can be safely removed from Deployer services that have it present. Security scans may also still pick up log4j-api in the Deployer due to its version, though it is not vulnerable. This JAR file can also be updated to the most recent version (2.16 or later): https://logging.apache.org/log4j/2.x/download.html

• Tridion Content Manager search (SOLR) does use log4j-core, but it is a very old version (1.x) which is also not vulnerable. The log4j 1.x implementation in Content Manager search does *not* use the JMS Appender, so the customization that can lead to a vulnerable position is not in place. See KB article "How to remediate a reported log4j vulnerability in the CM server Solr library?" and https://logging.apache.org/log4j/2.x/log4j-appserver/index.html.

• DD4T/DXA: these do not include log4j 2 core by default.

For all other RWS products see: https://gateway.sdl.com/communityknowledge?articleName=000017712

However, customers should confirm that any custom web applications built against these frameworks do not use the affected libraries.
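The distinction the advisory draws (log4j-core in the 2.0-beta-9 to 2.14.1 range is the problem; log4j-api and log4j 1.x are not, but scanners still flag them) is easy to check across a service install directory. The following is an added example, not RWS code: it classifies log4j JARs by their Maven-style file names only, so it assumes the standard artifact naming (log4j-core-2.14.1.jar, log4j-api-2.17.1.jar, log4j-1.2.17.jar) and does not inspect JAR contents or the runtime classpath.

```python
import os
import re
import sys

# Artifact name (lowercase words) followed by a version that starts with a digit,
# e.g. log4j-core-2.14.1.jar, log4j-api-2.17.1.jar, log4j-1.2.17.jar (1.x).
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9]+)*?)-(\d[^/]*)\.jar$")

PATCHED_CORE = (2, 15, 0)  # CVE-2021-44228 is fixed in log4j-core 2.15.0

NOTES = {
    "vulnerable": "log4j-core below 2.15.0: upgrade, or remove if unused (e.g. SDL Web 8/8.1 Deployer)",
    "patched": "log4j-core 2.15.0 or later: not affected by CVE-2021-44228",
    "api-only": "log4j-api only: not vulnerable; update to a recent 2.x to clear scanner findings",
    "legacy-1x": "log4j 1.x: not affected by CVE-2021-44228; confirm no JMS Appender is configured",
    "other": "other log4j module: check whether it pulls in log4j-core",
}

def parse_version(version):
    """'2.0-beta9' -> (2, 0); '2.14.1' -> (2, 14, 1). Qualifiers are dropped,
    so pre-release 2.0 builds are flagged conservatively along with 2.0-beta-9+."""
    base = version.split("-", 1)[0]
    return tuple(int(p) for p in base.split(".") if p.isdigit())

def classify_jar(filename):
    """Return a status key from NOTES, or None if this is not a log4j jar."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    artifact, version = m.groups()
    v = parse_version(version)
    if artifact == "log4j" and v[:1] == (1,):
        return "legacy-1x"
    if artifact == "log4j-api":
        return "api-only"
    if artifact == "log4j-core":
        return "vulnerable" if v < PATCHED_CORE else "patched"
    return "other"

def scan_tree(root):
    """Walk a service install directory and classify every log4j jar found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            status = classify_jar(name)
            if status:
                findings[os.path.join(dirpath, name)] = status
    return findings

if __name__ == "__main__":  # usage: python log4j_scan.py /opt/tridion
    for path, status in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{status:10} {path}  -- {NOTES[status]}")
```

A "vulnerable" hit on a JAR that no service actually loads (the Deployer case above) is still worth removing, since scanners and auditors will keep reporting it.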
The Log4j vulnerability affects version 2 of log4j between versions 2.0-beta-9 and 2.14.1.
Also see KB articles:
• For Tridion Sites 9.5 and Elasticsearch, what log4j remediation actions are advised?
• WorldServer: How to address the Critical Apache Log4j Vulnerability in WorldServer 11.x
• Is TMS affected by the CVE-2021-44228 log4j security vulnerability?

Additional Resources
• Official MITRE CVE description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
• Community-sourced list of impacted applications and services: https://github.com/YfryTchsGD/Log4jAttackSurface
• CISA Alert: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
• LunaSec: https://www.lunasec.io/docs/blog/log4j-zero-day/