Two further issues have been identified in the Apache Log4j utility that impact Nuxeo instances: CVE-2021-45046 and CVE-2021-45105. These issues are distinct from the previously communicated issue, CVE-2021-44228, and the advice below supersedes that given in the previous post on CVE-2021-44228 in Apache Log4j.
Nuxeo Cloud Instances
If you are running a Cloud instance, we have already made the necessary changes and these vulnerabilities have been resolved.
Self-managed Nuxeo Instances
We strongly recommend updating your instance to the latest Hot Fix version as the best resolution for this issue and regularly upgrading to the latest platform version to benefit from important updates published by Hyland.
As with the previous post, the following are generic mitigation measures; please consult your technical team or the Hyland support teams for precise implementation steps.
Configuration Change - No Longer Valid
Please note that the configuration change proposed in the previous mitigation measures, -Dlog4j2.formatMsgNoLookups=true, is no longer sufficient. We recommend that all instances be upgraded using either the marketplace package as a temporary measure or the latest recommended Hot Fix.
Marketplace Package
We have updated the marketplace package to deal with all three Apache Log4j issues, identified as CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228. It is freely available and can be added to any instance to resolve the vulnerabilities. It upgrades the utility to the latest 2.17 release and in doing so resolves the security issues.
Hot Fixes
For LTS 2021 & LTS 2019
Under review; the recommendation is to apply all Hot Fixes up to the current one.
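Whichever remedy you apply (marketplace package or Hot Fix), the check a practitioner wants afterwards is an inventory of the log4j-core jars actually present on disk, flagging any below 2.17.0. The script below is an added example, not Nuxeo or Hyland code; the NUXEO_HOME default of /opt/nuxeo is an assumption, and it reads the version from the jar filename only, so jars repackaged inside other archives are not seen.

```shell
#!/bin/sh
# Added example, not part of the Nuxeo product: find log4j-core jars below
# the version the marketplace package installs (2.17) and report them.
# NUXEO_HOME is an assumed default; point it at your own installation.

MIN_LOG4J="2.17.0"
NUXEO_HOME="${NUXEO_HOME:-/opt/nuxeo}"

# version_ge A B: succeed if dotted version A >= B, compared numerically
# per component (so 2.17.0 > 2.9.1); missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
            if (p > q) exit 0; if (p < q) exit 1;
        }
        exit 0
    }'
}

# jar_version PATH: version embedded in a log4j-core-<version>.jar filename
jar_version() {
    basename "$1" .jar | sed 's/^log4j-core-//'
}

# check_log4j_jars DIR: one line per jar found, prefixed OK or UPGRADE.
# Filenames only: jars embedded inside WARs or uber-jars are not inspected.
check_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
        v=$(jar_version "$jar")
        if version_ge "$v" "$MIN_LOG4J"; then
            echo "OK      $v  $jar"
        else
            echo "UPGRADE $v  $jar  (below $MIN_LOG4J)"
        fi
    done
}

# log4j_check_passes DIR: succeed only if no jar below MIN_LOG4J was found
log4j_check_passes() {
    ! check_log4j_jars "$1" | grep -q '^UPGRADE'
}

if [ -d "$NUXEO_HOME" ]; then
    check_log4j_jars "$NUXEO_HOME"
fi
```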