Severity:
Affected versions: none
Resolving versions: none
The Log4j vulnerability CVE-2021-44228 (Log4Shell) is a serious threat to many services. There is, however, no known Log4j vulnerability or exploit affecting Ibexa products or services. This includes Platform.sh as used by Ibexa Cloud, and Ibexa Personalization. If you are running custom code, particularly custom Java code, please review whether it may be affected.
Upgrades
We recommend upgrading your software stack to be on the safe side. We have gathered the following upgrade recommendations from vendors:
- Upgrade Log4j to 2.16.0 or later. NB: the previously released 2.15.0 turned out not to be sufficient. Please see https://logging.apache.org/log4j/2.x/
- Upgrade the Java JDK to 9 or newer, preferably a recent LTS release. Note that a newer JDK only stops remote class loading over JNDI by default; the vulnerable lookup still executes, so this limits the impact but does not replace the Log4j upgrade.
- Upgrade Solr to 8.11.1. Please see https://solr.apache.org/news.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 and https://solr.apache.org/downloads.html
- Upgrade Elasticsearch to 7.16.2 or 6.8.22. (The previous 7.16.1 and 6.8.21 were using Log4j 2.15.0.) According to Elastic, this is not important if you are running Elasticsearch on Java 9 or newer. Please see https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
eZ Platform v2.5: upgrade the ezplatform-solr-search-engine package from v1.7 to v2, like this:
composer require --no-update ezsystems/ezplatform-solr-search-engine:~2.0
The --no-update flag only changes composer.json, so follow it with composer update ezsystems/ezplatform-solr-search-engine to actually install the new version. This introduces support for Solr 7 and 8 to eZ Platform v2.5, so after this you can upgrade Solr to 8.11.1 or later 8.x versions.
For more information on Platform.sh, please see https://platform.sh/blog/2021/platformsh-protects-from-apache-log4j/
Workarounds
If you cannot yet upgrade, these workarounds help mitigate the risk. Apache has since noted that the formatMsgNoLookups setting is not sufficient in every configuration, so treat these as stopgaps and still upgrade as soon as you can.
- If using Log4j 2.10 to 2.14.1 and it cannot be upgraded to 2.16.0, ensure
-Dlog4j2.formatMsgNoLookups=true
is configured in the startup scripts of the Java Virtual Machine.
- Alternatively, Log4j 2.10 to 2.14.1 users may set the
LOG4J_FORMAT_MSG_NO_LOOKUPS="true"
environment variable to force this change.
- For Log4j releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
After removing the class, restart every JVM that has the jar on its classpath, since a running process still has the old class loaded.
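The following Python script is an added example, not Ibexa's or Apache's own tooling. It turns the upgrade and workaround rules above into a check you can run over a deployment: it walks a directory tree, finds log4j-core jars, reads the version from the file name (falling back to the manifest), tests whether JndiLookup.class is still present, and reports which of the above actions applies given the JVM options and environment in use. The sample jars it builds are constructed stubs, not real Log4j artifacts, and the directory names (solr, app, patched, es, ok) are assumptions.

```python
"""Classify log4j-core jars against the Log4Shell upgrade/workaround guidance."""
import os
import re
import tempfile
import zipfile

# Class whose removal is the workaround for Log4j 2.0-beta9 through 2.10.0.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_IN_NAME = re.compile(r"^log4j-core-(\d[^/]*)\.jar$")

FIXED = "fixed (2.16.0 or later)"
MITIGATED_CLASS_REMOVED = "mitigated (JndiLookup removed); still upgrade to 2.16.0+"
MITIGATED_NO_LOOKUPS = "mitigated (formatMsgNoLookups); still upgrade to 2.16.0+"
VULNERABLE_2_15 = "vulnerable: 2.15.0 is insufficient, upgrade to 2.16.0+"
VULNERABLE_FLAG = "vulnerable: set -Dlog4j2.formatMsgNoLookups=true or upgrade"
VULNERABLE_CLASS = "vulnerable: remove JndiLookup.class or upgrade"
UNKNOWN = "unknown version: inspect manually"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0).
    The trailing element orders a pre-release before its final release."""
    number, _, qualifier = text.partition("-")
    parts = [int(p) for p in number.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + (0 if qualifier else 1,)


def no_lookups_enabled(jvm_args=(), env=None):
    """True if either form of the 2.10-2.14.1 workaround is in effect."""
    if "-Dlog4j2.formatMsgNoLookups=true" in jvm_args:
        return True
    return (env or {}).get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def classify(version, jndi_present, jvm_args=(), env=None):
    """Apply the advisory's rules, most decisive condition first."""
    if version is None:
        return UNKNOWN
    v = parse_version(version)
    if v >= parse_version("2.16.0"):
        return FIXED
    if not jndi_present:
        return MITIGATED_CLASS_REMOVED
    if v >= parse_version("2.15.0"):
        return VULNERABLE_2_15
    if v >= parse_version("2.10.0"):
        return MITIGATED_NO_LOOKUPS if no_lookups_enabled(jvm_args, env) else VULNERABLE_FLAG
    return VULNERABLE_CLASS


def inspect_jar(path):
    """Return (version or None, JndiLookup.class present?) for one jar."""
    match = VERSION_IN_NAME.match(os.path.basename(path))
    version = match.group(1) if match else None
    with zipfile.ZipFile(path) as jar:
        present = JNDI_LOOKUP in jar.namelist()
        if version is None and "META-INF/MANIFEST.MF" in jar.namelist():
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = found.group(1) if found else None
    return version, present


def scan(root, jvm_args=(), env=None):
    """Walk root and classify every log4j-core jar; keys are paths relative to root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, present = inspect_jar(path)
                key = os.path.relpath(path, root).replace(os.sep, "/")
                report[key] = classify(version, present, jvm_args, env)
    return report


def build_sample_tree(root):
    """Constructed sample jars with stub entries; not real Log4j classes."""
    samples = {  # relative path -> does the jar still contain JndiLookup.class?
        "solr/log4j-core-2.14.1.jar": True,
        "app/log4j-core-2.8.2.jar": True,
        "patched/log4j-core-2.8.2.jar": False,  # as left by the zip -d workaround
        "es/log4j-core-2.15.0.jar": True,
        "ok/log4j-core-2.16.0.jar": True,
    }
    for rel, with_jndi in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # stub bytes only
    return root


def demo():
    """Scan the sample tree without and with the JVM flag; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = scan(tmp)
        after = scan(tmp, jvm_args=["-Dlog4j2.formatMsgNoLookups=true"])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path in sorted(before):
        print(f"{path}: {before[path]}  ->  {after[path]}")
```

Run it against a real deployment with scan("/opt/solr") or similar, passing the JVM arguments and environment of the process that actually loads the jar; the JVM flag only counts for the process it is set on, so a jar that is "mitigated" for Solr may still be "vulnerable" for a second service that shares it.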
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/