Is Tridion Docs affected by the CVE-2021-44228 log4j vulnerability?
No version of Tridion Docs uses the affected versions of log4j:
With regard to the XML editors, the only log4j dependency comes in through DITA-OT, and that is mostly Log4J version 1, which is hence not affected.
For all other RWS products see - https://gateway.sdl.com/communityknowledge?articleName=000017712
The Log4J RCE, CVE-2021-44228, affects log4j version 2 from 2.0-beta9 up to and including 2.14.1.
It is not present in version 1 of log4j and is patched in 2.15.0.
• Upgrade log4j 2 to the latest version, at minimum 2.15.0 (2.15.0-rc2 was the release candidate of that fix). Apache has since published further 2.x releases that supersede 2.15.0, so take the latest available release rather than stopping at 2.15.0.
• According to Apache's initial guidance, in releases >=2.10 this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. Apache has since listed this setting among the discredited mitigations because it leaves some attack vectors open, so treat it as a stop-gap only and still upgrade or remove the class.
For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath. The glob must resolve to the one log4j-core jar you intend to modify, and the jar has to be handled wherever it is deployed, including copies nested inside war or ear files:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
• Official Mitre CVE description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
• Community sourced list of impacted applications and services: https://github.com/YfryTchsGD/Log4jAttackSurface
• CISA Alert: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
Some info about the Log4j vulnerability:
20211214 Status Update
The Log4J vulnerability, also known as Log4Shell or Log4Shock, has been analyzed by the team. In short, Tridion Docs is not affected by this vulnerability. Below are the highlights of the Java-based components in the Tridion Docs product suite.
20211215 Status Update
The Log4J vulnerability (see https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228 , https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://www.lunasec.io/docs/blog/log4j-zero-day/ ), also known as Log4Shell or Log4Shock, has been analyzed by the team.
There are many public resources to navigate, like https://nvd.nist.gov/vuln/detail/CVE-2021-44228 or https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228 . The important point is that technically only log4j-core-*.jar is vulnerable, since that is the artifact containing JndiLookup.class, and only between versions 2.0-beta9 (inclusive) and 2.15.0 (exclusive).
So false positives are files that merely mention Log4J in their name but are not log4j-core-*.jar, like
• The KB article "IMPORTANT: Critical Apache Log4J2 CVE-2021-44228 Vulnerability (Log4Shell)" holds links for all products; the Tridion Docs one is "Log4j vulnerability impact on Tridion Docs 14 and other versions".
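The two practical points above, "only log4j-core-*.jar in the stated version range is vulnerable" and "remove JndiLookup.class as a mitigation", as an added example that is not code from RWS or the Tridion Docs product: a Python scanner that locates log4j-core jars in a directory tree (including jars nested inside war/ear files), reads the version from the jar's own Maven pom.properties, classifies it against the range the KB names, and performs the same JndiLookup.class removal as the zip -q -d command from the mitigation list. The fixture file names and empty .class entries are constructed for the demonstration; the JndiLookup.class path and the log4j-core pom.properties path are the real Maven layout of the artifact. It also shows why log4j-api and log4j 1.x jars produce no finding, which is the false-positive point made above.

```python
"""Added example, not RWS/Tridion Docs code: find log4j-core jars in a tree (also nested in
war/ear files), check them against the CVE-2021-44228 range, and strip JndiLookup.class like `zip -q -d`."""
import io, os, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def in_cve_2021_44228_range(version):
    """2.0-beta9 (inclusive) up to 2.15.0 (exclusive), as the KB states; log4j 1.x never qualifies."""
    core, _, qualifier = version.partition("-")             # '2.0-beta9' -> '2.0', 'beta9'
    nums = tuple(int(x) for x in core.split(".")) + (0, 0, 0)
    if nums[0] != 2 or nums[:3] >= (2, 15, 0):
        return False
    if nums[:3] == (2, 0, 0) and qualifier.startswith("beta"):
        return int(qualifier[4:]) >= 9                       # 2.0-beta1..8 predate JndiLookup
    return True

def core_version(zf):
    """Version from log4j-core's own Maven pom.properties, or None if that file is absent."""
    props = zf.read(CORE_POM).decode().splitlines() if CORE_POM in zf.namelist() else []
    return next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), None)

def classify(zf):
    """Finding for one opened archive; None for non-core jars (log4j-api, log4j 1.x: no class, no pom)."""
    version, has_jndi = core_version(zf), JNDI_LOOKUP in zf.namelist()
    if version is None:
        return "log4j-core (version unknown): JndiLookup.class present" if has_jndi else None
    if not in_cve_2021_44228_range(version):
        return f"log4j-core {version}: outside CVE-2021-44228 range"
    if not has_jndi:
        return f"log4j-core {version}: JndiLookup.class already removed (mitigated)"
    return f"log4j-core {version}: VULNERABLE"

def scan_archive(zf, label, findings):
    """Classify an archive, then recurse into the archives it embeds (WEB-INF/lib etc.)."""
    result = classify(zf)
    if result is not None:
        findings.append((label, result))
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                scan_archive(zipfile.ZipFile(io.BytesIO(zf.read(name))), f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                pass                                          # not a real archive, skip it
    return findings

def scan_tree(root):
    """Walk a directory and scan every archive in it; returns [(label, finding)]."""
    findings = []
    for path in (os.path.join(d, f) for d, _, fs in os.walk(root) for f in sorted(fs)):
        if path.lower().endswith(ARCHIVE_EXT):
            with zipfile.ZipFile(path) as zf:
                scan_archive(zf, path, findings)
    return findings

def remove_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class; True if the entry was there."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        kept = [(i, src.read(i.filename)) for i in src.infolist() if i.filename != JNDI_LOOKUP]
    with zipfile.ZipFile(jar_path, "w") as dst:              # same path, lookup class dropped
        for info, data in kept:
            dst.writestr(info, data)
    return True

def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixtures (hypothetical names, empty .class bodies) covering every branch of classify."""
    pom = lambda v: f"version={v}\nartifactId=log4j-core\n"
    fixtures = {
        "lib/log4j-core-2.14.1.jar": {CORE_POM: pom("2.14.1"), JNDI_LOOKUP: b""},
        "lib/log4j-core-2.15.0.jar": {CORE_POM: pom("2.15.0"), JNDI_LOOKUP: b""},
        "lib/log4j-core-2.10.0-fixed.jar": {CORE_POM: pom("2.10.0")},
        "lib/log4j-api-2.14.1.jar": {"org/apache/logging/log4j/Logger.class": b""},
        "lib/log4j-1.2.17.jar": {"org/apache/log4j/Logger.class": b""},
        "app.war": {"WEB-INF/lib/log4j-core-2.12.1.jar": build_jar({CORE_POM: pom("2.12.1"), JNDI_LOOKUP: b""})},
    }
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for rel, entries in fixtures.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(build_jar(entries))
    return root

def demo():
    """Scan a fresh fixture tree, then strip the class from the 2.14.1 jar and re-classify it;
    returns ({label relative to the tree: finding}, (removed, finding after stripping))."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="log4j-demo-"))
    findings = {os.path.relpath(label, root): res for label, res in scan_tree(root)}
    path = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
    removed = remove_jndi_lookup(path)
    with zipfile.ZipFile(path) as zf:
        return findings, (removed, classify(zf))
```

Run scan_tree() against an installation directory to get the findings; demo() exercises the same functions on the constructed tree. The upper bound inside in_cve_2021_44228_range encodes the 2.15.0 fix line the KB names and should be raised to the current Apache fix version when used against live systems. remove_jndi_lookup rewrites a top-level jar only; a core jar nested in a war has to be extracted, stripped and repacked, which is the same limitation the zip -q -d command has.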