LiveContent S1000D v5.8, 5.9, and 5.10 use log4j v2.12 or v2.11.1. Earlier LiveContent S1000D versions are not affected. The LiveContent S1000D v5.11 release includes log4j v2.15. See the Mitigation Steps section for risk mitigation.
MARCH 8, 2022 Update: Patches for LiveContent S1000D version 5.8, 5.9, 5.10 and 5.11 are available. Open a new case to request the patches for hotfix CRQ-28092.
If you do not wish to install the patches, the information below will help mitigate risk.
What needs to be mitigated?
- LiveContent/lib/log4j-core-*.jar file on the publish server.
- LiveContent/cdimage.zip or cdimage.tar file on the publish server.
- Fielded IETMs
- After cdimage.zip or cdimage.tar has been recreated, either republish the IETM and redistribute, OR run LiveContent collectionpub and redistribute.
Mitigation Steps: To mitigate the risk, follow this procedure from Apache's guidance: remove the JndiLookup class from the classpath. For example, on Linux:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
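As an added illustration (not part of the original advisory and not LiveContent's own tooling), the following Python reproduces the Linux zip -d step above for every log4j-core jar under a directory, verifies the class is gone, and leaves the rest of the jar intact; the directory layout, jar name and jar contents it builds are constructed stand-ins.

```python
import glob
import os
import tempfile
import zipfile

# Class that Apache's guidance says to delete from log4j-core jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def remaining_entries(jar_path):
    """Sorted list of entry names, used to confirm nothing else was dropped."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed.
    Same effect as: zip -q -d log4j-core-*.jar <JNDI_CLASS>"""
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps compression/timestamps
    os.replace(tmp_path, jar_path)  # atomic swap: a crash leaves the original jar intact
    return True


def find_log4j_core_jars(root):
    """All log4j-core-*.jar files below root (e.g. LiveContent/lib)."""
    return sorted(glob.glob(os.path.join(root, "**", "log4j-core-*.jar"), recursive=True))


def mitigate_tree(root):
    """Apply the mitigation to every jar under root; map path -> whether it changed."""
    return {jar: strip_jndi_lookup(jar) for jar in find_log4j_core_jars(root)}


def build_constructed_sample():
    """Constructed stand-in for a publish server: a temp dir with a fake
    log4j-core jar that ships JndiLookup.class. Returns (root, jar_path)."""
    root = tempfile.mkdtemp(prefix="livecontent-")
    lib = os.path.join(root, "LiveContent", "lib")
    os.makedirs(lib)
    jar = os.path.join(lib, "log4j-core-2.12.1.jar")  # constructed name, not a real jar
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder class bytes")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
    return root, jar
```

After running mitigate_tree on the real LiveContent/lib, the advisory's next steps still apply: recreate cdimage.zip or cdimage.tar and republish or redistribute the fielded IETMs.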
CVE-2021-45105 affects nonstandard logging configurations such as "$${ctx:loginId}" context lookups. LiveContent S1000D does not use these context lookups out of the box. For users who need context lookups, Apache has recommended safer alternatives in its mitigation strategy. See Apache's website for more information.