CVE-2021-44228

Cloud CMS API Container

Cloud CMS API Docker containers prior to version 3.2.71 ship with a version of Log4j2 affected by the vulnerability disclosed on December 9, 2021 as CVE-2021-44228 (remote code execution through JNDI lookups performed on logged message content).

Recent versions of the Cloud CMS API package Log4j2 version 2.10.1 and run on JDK 11.0.2. Although Cloud CMS itself uses neither Log4j lookups nor JNDI, the vulnerable code path is triggered by Log4j2 evaluating lookups inside any logged message, so an attacker-controlled string that reaches a log statement is enough. We therefore still recommend taking the mitigation steps below.

For purposes of mitigating CVE-2021-44228, treat any version of Log4j2 prior to 2.15.0 as vulnerable.

Our recommendation is to upgrade your on-premise Cloud CMS installation to version 3.2.71.

This version is available here: https://gitana.io/release.html?name=3.2.71

Until you can upgrade, any Cloud CMS installation running a version prior to 3.2.71 should do the following:

  • Define the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true

This is typically done with an ENV instruction in your Dockerfile (ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true). Editing the Dockerfile alone does not change running containers: rebuild the image and redeploy so that the change is picked up, then confirm the variable is present in the running container (for example with docker exec <container> env).

Explicitly disabling message lookups has no significant impact on the Cloud CMS application, which does not use them. Note that this setting is only honoured by Log4j2 2.10.0 and later; the 2.10.1 shipped with the container is within that range.

Java Driver

The Cloud CMS Java Driver (https://gitana.io/java.html) has Log4j2 as a dependency within its Maven build file.

We recommend updating your Java Driver to version 1.0.42 (at a minimum) to ensure that you pick up a version of Log4j2 that has been hardened against CVE-2021-44228. Version 1.0.42 bundles Log4j2 2.16.0, which removes message lookups entirely and disables JNDI by default, so no additional steps are required to harden Log4j2 after updating. If your own project declares a Log4j2 dependency in its pom.xml, that direct dependency takes precedence over the driver's transitive one, so confirm that the version Maven actually resolves is 2.16.0 or later.

If you're running a version of the driver prior to 1.0.42, do one of the following (either is sufficient, and both require Log4j2 2.10.0 or later to take effect):

  • Define the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true, or
  • Start your JVM with -Dlog4j2.formatMsgNoLookups=true
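The checks behind the container steps above and the driver steps here are the same: which log4j-core version is on the classpath, whether the JndiLookup class is still present, and whether one of the two lookup-disabling settings is active. The following is an added example, not Cloud CMS or Gitana code, that performs those checks on a jar and classifies the deployment. The jars it builds are constructed stand-ins containing only the two entries the checks read (the Maven pom.properties and the JndiLookup class entry); function names such as assess and make_jar are this example's own.

```python
"""Classify a Log4j2 deployment against CVE-2021-44228.

Added example, not Cloud CMS code. It reads the log4j-core version from the
Maven pom.properties that Maven-built jars carry, checks for the JndiLookup
class, and combines that with the LOG4J_FORMAT_MSG_NO_LOOKUPS environment
variable and the -Dlog4j2.formatMsgNoLookups JVM flag named in the advisory.
"""
import io
import re
import zipfile

# Entries inside a real log4j-core jar that the checks below rely on.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

FIXED_VERSION = (2, 15, 0)       # advisory threshold: anything below is vulnerable
NO_LOOKUPS_MIN_VERSION = (2, 10, 0)  # formatMsgNoLookups is ignored before this


def parse_version(version):
    """'2.10.1' -> (2, 10, 1); a missing component is treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def log4j_core_version(jar_bytes):
    """Return the log4j-core version declared in the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_bytes):
    """True if the JNDI lookup class is still packaged in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def lookups_disabled(env, jvm_args):
    """True if either mitigation from the advisory is configured."""
    if env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true":
        return True
    return "-Dlog4j2.formatMsgNoLookups=true" in jvm_args


def assess(jar_bytes, env, jvm_args):
    """Return a short status string for the given jar and runtime settings."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return "no log4j-core found"
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return "fixed"
    if not has_jndi_lookup(jar_bytes):
        return "mitigated (JndiLookup class removed)"
    if lookups_disabled(env, jvm_args):
        if v >= NO_LOOKUPS_MIN_VERSION:
            return "mitigated (lookups disabled)"
        # The setting is present but this Log4j2 release does not read it.
        return "VULNERABLE (formatMsgNoLookups is ignored before 2.10.0)"
    return "VULNERABLE"


def make_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar holding only the checked entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            "groupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n"
            f"version={version}\n",
        )
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # contents irrelevant to the check
    return buf.getvalue()


if __name__ == "__main__":
    container_jar = make_jar("2.10.1")   # what the API container ships
    driver_jar = make_jar("2.16.0")      # what Java Driver 1.0.42 bundles
    print("container, no mitigation :", assess(container_jar, {}, []))
    print("container, env var set   :",
          assess(container_jar, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}, []))
    print("driver 1.0.42            :", assess(driver_jar, {}, []))
```

To run it against a real deployment, read the log4j-core jar from the container's filesystem (or from the jar Maven resolves for your project) and pass the container's environment and JVM arguments to assess; the version threshold follows the advisory, so bump FIXED_VERSION if you adopt a stricter policy.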

Please see the official guidance linked below for more information.

More Information

For more information on CVE-2021-44228, please see: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance