Update: This guidance is superseded by new measures in the further Apache Log4j guidance post.

As communicated previously, the Hyland team has been working to resolve the security vulnerability CVE-2021-44228 in the Java-based logging utility Apache Log4j.

Following this investigation, we have been able to develop several measures to remove the vulnerability from Nuxeo software instances.

The recommendation will differ between our Cloud and Self-managed Instances.

Cloud Instances

If you are running a Cloud instance, we have already made the necessary changes and the vulnerability has been resolved.

Self-managed Instances

This is an overview of the available options; please consult with your technical team or the Hyland/Nuxeo support teams for precise implementation steps.

Temporary Actions

We strongly recommend keeping your instance up to date with the latest relevant HotFix version.

However, as the HotFixes related to this issue are currently being released, the following methods can be applied immediately to resolve the vulnerability. They are applicable to LTS 2021 and LTS 2019.

Configuration Change

Adding the "-Dlog4j2.formatMsgNoLookups=true" parameter to the JVM command will mitigate the issue on a given deployment. Specific instructions can be found here.

Marketplace Package

We have also released a freely available marketplace package which can be added to an instance to resolve the vulnerability. The package upgrades the log4j version to 2.16.0 where message lookup substitution is disabled by default (-Dlog4j2.formatMsgNoLookups=true).
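The following POSIX shell script is an added example, not Hyland/Nuxeo code, that checks a self-managed install for either of the two temporary measures above: a log4j-core jar at or above 2.16.0, or the -Dlog4j2.formatMsgNoLookups=true flag on a JAVA_OPTS line. It assumes that nuxeo.conf passes JVM options through JAVA_OPTS= lines, that its default location is bin/nuxeo.conf under the install directory, and that jar versions can be read from their filenames.

```shell
#!/bin/sh
# Added example, not Hyland/Nuxeo code: audit a self-managed instance for the
# two temporary mitigations (log4j-core >= 2.16.0, or the JVM flag).

# Return 0 when a log4j-core version string (e.g. "2.13.3") is at least 2.16.0.
log4j_version_ok() {
    major=${1%%.*}
    rest=${1#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "${minor:-0}" -ge 16 ]
}

# Print every log4j-core jar under $1 (version taken from the filename, paths
# without whitespace assumed). Returns 1 if at least one is below 2.16.0.
scan_log4j_jars() {
    status=0
    for jar in $(find "$1" -name 'log4j-core-*.jar' 2>/dev/null); do
        ver=${jar##*/log4j-core-}; ver=${ver%.jar}
        if log4j_version_ok "$ver"; then
            echo "ok:         $jar"
        else
            echo "VULNERABLE: $jar (log4j-core $ver < 2.16.0)"
            status=1
        fi
    done
    return $status
}

# Return 0 when a config file sets the mitigating flag on a JAVA_OPTS line.
# ASSUMPTION: nuxeo.conf passes JVM options through JAVA_OPTS= lines.
conf_has_nolookups() {
    grep -Eq '^[[:space:]]*JAVA_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# Combine both checks for an install directory; an optional second argument
# overrides the config path (ASSUMPTION: default is $home/bin/nuxeo.conf).
# Note: the flag only protects a JVM that was restarted after it was added.
audit_instance() {
    home=$1; conf=${2:-$1/bin/nuxeo.conf}
    if scan_log4j_jars "$home"; then
        echo "all log4j-core jars under $home are >= 2.16.0"; return 0
    fi
    if [ -f "$conf" ] && conf_has_nolookups "$conf"; then
        echo "vulnerable jar present, but $conf sets -Dlog4j2.formatMsgNoLookups=true"; return 0
    fi
    echo "NOT MITIGATED: upgrade log4j-core or add the flag to JAVA_OPTS in $conf"; return 1
}
```

Run it as `audit_instance /path/to/nuxeo` after sourcing the file; a non-zero exit means neither measure is in place.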

Hotfixes

For LTS 2021

For the latest version of the platform, LTS 2021, HF13 will be released in the coming days. This will resolve the issue and requires all the previous HotFixes to be installed.

For LTS 2019

For this version of the platform, we will be releasing HotFix 56 tomorrow. This will resolve the issue and requires all the previous HotFixes to be installed.