Security advisory: CVE-2021-44228

Log4j vulnerability
Publication date:
15.12.21, 16:12

Severity:
Affected versions: none
Resolving versions: none

The log4j vulnerability CVE-2021-44228 is a serious threat to many services. There is, however, no known log4j vulnerability or exploit affecting Ibexa products or services. This includes Platform.sh as used by Ibexa Cloud, and Ibexa Personalization. If you are using custom code, particularly custom Java code, please review whether you may be affected.

Upgrades

We recommend upgrading your software stack to be on the safe side. We have gathered the following upgrade recommendations from vendors:

eZ Platform v2.5: Upgrade the ezplatform-solr-search-engine package from v1.7 to v2, like this:
composer require --no-update ezsystems/ezplatform-solr-search-engine:~2.0
This introduces support for Solr 7 and 8 to eZ Platform v2.5, so after this you can upgrade Solr to 8.11.1 or later 8.x versions.

For more information on Platform.sh, please see https://platform.sh/blog/2021/platformsh-protects-from-apache-log4j/

Workarounds

If you cannot yet upgrade, these workarounds help mitigate the risk:

  • If using Log4j 2.10 to 2.14.1 and it cannot be upgraded to 2.16.0, ensure -Dlog4j2.formatMsgNoLookups=true is configured in the startup scripts of the Java Virtual Machine.
  • Alternatively, Log4j 2.10 to 2.14.1 users may set the LOG4J_FORMAT_MSG_NO_LOOKUPS="true" environment variable to force this change.
  • For Log4j releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
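The three workarounds above each apply to a different Log4j version range, and only one of them (removing the class) can be verified by looking at the jar alone. The following Python script is an added example, not part of this advisory or of any Ibexa or Apache tooling: it reads the Log4j version from a log4j-core jar, checks whether JndiLookup.class is still present, checks whether the JVM flag or environment variable workaround is in effect, and says which of the advisory's measures still applies. It assumes the jar manifest carries a Log4jReleaseVersion or Implementation-Version line (falling back to the file name), and the sample jars it builds for the demo are constructed stand-ins containing only a manifest and an empty class entry.

```python
import os
import re
import tempfile
import zipfile

# Class whose removal is the advisory's mitigation for 2.0-beta9 .. 2.10.0
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
NO_LOOKUPS_ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    Pre-releases sort before the final release with the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, int(tagnum or 0)) if tag else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + pre


V_BETA9, V_2_10, V_2_14_1, V_2_16 = (
    parse_version(v) for v in ("2.0-beta9", "2.10.0", "2.14.1", "2.16.0"))


def jar_version(path):
    """Read the version from the manifest (assumed keys: Log4jReleaseVersion or
    Implementation-Version); fall back to a log4j-core-<version>.jar file name."""
    with zipfile.ZipFile(path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for key in ("Log4jReleaseVersion", "Implementation-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    m = re.search(r"log4j-core-([\w.\-]+)\.jar$", os.path.basename(path))
    if m:
        return m.group(1)
    raise ValueError(f"cannot determine log4j version of {path}")


def has_jndi_lookup(path):
    with zipfile.ZipFile(path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def assess_jar(path, jvm_args=(), env=None):
    """Classify one log4j-core jar against the advisory's ranges and report
    whether the workaround that is actually configured covers it."""
    env = os.environ if env is None else env
    version = jar_version(path)
    v = parse_version(version)
    jndi = has_jndi_lookup(path)
    no_lookups = NO_LOOKUPS_FLAG in jvm_args or env.get(NO_LOOKUPS_ENV, "").lower() == "true"

    if v >= V_2_16:
        advice, mitigated = "2.16.0 or later: no workaround needed", True
    elif v > V_2_14_1:
        # 2.15.0 falls in neither workaround range of the advisory
        advice, mitigated = "upgrade to 2.16.0 or later", not jndi
    elif v >= V_2_10:
        advice = f"set {NO_LOOKUPS_FLAG} (or {NO_LOOKUPS_ENV}=true) or upgrade to 2.16.0"
        mitigated = no_lookups or not jndi
    elif v >= V_BETA9:
        # The property workaround only applies from 2.10; older releases need the class removed
        advice = "remove JndiLookup.class from the jar"
        mitigated = not jndi
    else:
        advice, mitigated = "older than 2.0-beta9: outside this advisory's ranges", None
    return {"version": version, "jndi_lookup_present": jndi,
            "advice": advice, "mitigated": mitigated}


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (same result as the advisory's
    `zip -q -d` command). Returns True if an entry was removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)
    return removed


def make_sample_jar(directory, version):
    """Constructed stand-in for log4j-core-<version>.jar: a manifest plus an empty
    JndiLookup.class entry, just enough for the checks above. Not a real Log4j build."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nLog4jReleaseVersion: {version}\n")
        jar.writestr(JNDI_LOOKUP, b"")
    return path


def run_demo():
    """Run the checks on constructed sample jars; returns results keyed by scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        old = make_sample_jar(d, "2.8.2")
        results["2.8.2"] = assess_jar(old, env={})
        strip_jndi_lookup(old)
        results["2.8.2-stripped"] = assess_jar(old, env={})
        mid = make_sample_jar(d, "2.14.1")
        results["2.14.1"] = assess_jar(mid, env={})
        results["2.14.1-flag"] = assess_jar(mid, jvm_args=(NO_LOOKUPS_FLAG,), env={})
        results["2.14.1-env"] = assess_jar(mid, env={NO_LOOKUPS_ENV: "true"})
        results["2.16.0"] = assess_jar(make_sample_jar(d, "2.16.0"), env={})
    return results


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(scenario, result)
```

On a real host, point assess_jar at each log4j-core jar found on the classpath and pass the running JVM's arguments (for example from the startup script or the process command line) so that the flag check reflects the actual configuration rather than the intended one.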

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
