Contenta v5.8.1 and Contenta S1000D v5.10 and all previous versions only use log4j v2.x when Solr Search Service is installed.
The Contenta and Contenta S1000D v5.11 release includes log4j v2.15.
MARCH 8, 2022 UPDATE: Patches are available for version 5.11. Please open a support case at gateway.sdl.com to request the hotfix for CRQ-28092.
If you do not wish to install the patches, the information below will help mitigate risk.
What files need to be mitigated?
- Do a search from CONTENTA_HOME for log4j-core-2.*.jar to locate the files to mitigate
- For locations under Solr please see the NOTE below
Mitigation Steps:
To mitigate the risk you will need to follow this procedure as provided by Apache’s guidance:
Remove the JndiLookup class from the classpath; for example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
NOTE: Customers using Solr Search Service with Contenta and Contenta S1000D v5.11 should reference Solr for mitigation options.
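The search and removal steps above can also be scripted where the zip utility is not available. The following is an added example, not code from the vendor or from Apache: it walks a directory for log4j-core-2.*.jar, rewrites each jar without JndiLookup.class, and confirms the class is gone. The function names and the .bak backup suffix are assumptions made for this example.

```python
import fnmatch
import os
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_PATTERN = "log4j-core-2.*.jar"  # same pattern the advisory says to search for


def find_log4j_jars(root):
    """Return every log4j-core-2.*.jar under root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if fnmatch.fnmatch(f, JAR_PATTERN)]
    return sorted(hits)


def has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; the original is kept as <jar>.bak."""
    if not has_jndi_lookup(jar_path):
        return False  # already mitigated, nothing to do
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path))
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:  # copy every entry except the lookup class
                dst.writestr(item, src.read(item.filename))
    os.replace(jar_path, jar_path + ".bak")  # backup name is an assumption of this example
    os.replace(tmp_path, jar_path)
    return True


def mitigate(root):
    """Strip the class from every matching jar; return {path: class_still_present}."""
    for jar in find_log4j_jars(root):
        strip_jndi_lookup(jar)
    return {jar: has_jndi_lookup(jar) for jar in find_log4j_jars(root)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # pass the CONTENTA_HOME directory
    for path, present in mitigate(root).items():
        print("STILL PRESENT" if present else "removed or absent", path)
```

Review the list from find_log4j_jars before running mitigate, handle any locations under Solr as the NOTE above directs, and move the .bak copies off the host once the result is verified, since they still contain the class.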
CVE-2021-45105 affects nonstandard logging configurations such as "$${ctx:loginId}" context lookups. Contenta and Contenta S1000D do not use these context lookups out of the box. For customers who want to use context lookups, Apache has recommended some safer alternatives in its mitigation strategy. See Apache's website for more information.