Log4j2 RCE Vulnerability for CVE-2021-44228

A security issue was recently disclosed (CVE-2021-44228) affecting the widely used Apache Log4j library. Fess bundles versions of Log4j that are covered by this CVE. An upgrade is highly recommended for users of Fess 13.11 to 13.15.

Affected Versions:
Fess 11.0.0 - 13.15.1

Solutions and Mitigations:
Users may upgrade to Fess 13.15.2, or set -Dlog4j2.formatMsgNoLookups=true as a JVM option.

Additional Support:
Please get in touch with commercial support if you need it.

Other Resources:

From Log4j Security Vulnerabilities:

Other Solutions:
Users may remove JndiLookup.class from log4j-core-*.jar:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Update: We released Fess 13.15.3 for the second Log4j vulnerability CVE-2021-45046.

Solutions:
Users may upgrade to Fess 13.15.3, or remove JndiLookup.class from log4j-core-*.jar

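As an added example (not part of the advisory and not Fess or Log4j project code), the following Python script does in one place what a practitioner needs around the mitigations above: it checks whether a log4j-core jar still contains JndiLookup.class, reads the Implementation-Version from the jar manifest so the result can be compared against the fixed releases, and performs the same removal as the zip -d command (rewriting the archive without that entry). A small in-memory jar with placeholder class bytes is constructed inside the script so it runs offline; the entry path is the one named in the advisory, and the directory scan helper, file names and version string are assumptions for illustration.

```python
import io
import zipfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Entry the advisory's mitigation deletes from log4j-core-*.jar.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST_ENTRY = "META-INF/MANIFEST.MF"


def build_sample_jar() -> bytes:
    """Constructed stand-in for a log4j-core jar (placeholder bytes, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Version value is an assumption chosen for the sample; real jars carry their own.
        zf.writestr(MANIFEST_ENTRY, "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the archive still ships the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def implementation_version(jar_bytes: bytes) -> Optional[str]:
    """Read Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if MANIFEST_ENTRY not in zf.namelist():
            return None
        manifest = zf.read(MANIFEST_ENTRY).decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Equivalent of `zip -q -d <jar> <entry>`: copy every entry except JndiLookup.class."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def jvm_option_set(jvm_args: Iterable[str]) -> bool:
    """True if the advisory's JVM option is present in a list of JVM arguments."""
    return "-Dlog4j2.formatMsgNoLookups=true" in set(jvm_args)


def scan_directory(root: Path) -> List[Tuple[Path, Optional[str], bool]]:
    """Walk a tree (e.g. a Fess install) and report (jar, version, still_has_JndiLookup)."""
    findings = []
    for jar_path in root.rglob("log4j-core-*.jar"):
        data = jar_path.read_bytes()
        findings.append((jar_path, implementation_version(data), has_jndi_lookup(data)))
    return findings


if __name__ == "__main__":
    sample = build_sample_jar()
    print("version:", implementation_version(sample), "has JndiLookup:", has_jndi_lookup(sample))
    fixed = strip_jndi_lookup(sample)
    print("after strip, has JndiLookup:", has_jndi_lookup(fixed))
    print("JVM option set:", jvm_option_set(["-Xmx2g", "-Dlog4j2.formatMsgNoLookups=true"]))
```

On a real install, point scan_directory at the Fess root and treat any jar that still contains JndiLookup.class and reports a version below the fixed release as unmitigated; the strip function should be applied to a copy of the jar followed by a restart, since a running JVM keeps the original archive mapped.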

Update: Log4j 2.17.0 was released for CVE-2021-45105

Fess does not use Context Lookups in the logging configuration.