DoS vulnerability in log4j < 2.17.0

Issue date: 20-12-2021
Affects versions: 14.7, 13.4, 12.6

Security Issue ID

SECURITY-287

Affected Product Version(s)

14.7.2, 13.4.13, 12.6.22 and previous releases.

Severity

medium

Description

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

The default logging configuration provided by Bloomreach does not use a 'ctx' pattern that would trigger this vulnerability, so we believe the actual risk to customers is low. brXM versions 12.6.23, 13.4.14, and 14.7.3 have been updated to use log4j 2.17.0, which closes this vulnerability.
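The following is an added example, not Bloomreach's or Apache's own code or configuration, that shows the difference the paragraph above relies on. The vulnerability needs a Thread Context ('ctx') lookup such as `${ctx:loginId}` inside a PatternLayout, because the MDC value is then evaluated as a lookup and a self-referential value recurses until the stack overflows; the `%X{loginId}` converter prints the same MDC value without evaluating it. The script embeds two constructed log4j2.xml fragments (one weak, one corrected) and scans them for ctx lookups, which is the check to run over a customised brXM logging configuration before relying on the "default configuration is not affected" reasoning. The sample file contents and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from Bloomreach or Apache: scan a log4j2 configuration
# for Thread Context Map lookups ("${ctx:...}" or "$${ctx:...}") in pattern layouts.
# CVE-2021-45105 requires such a lookup in the layout: MDC data is re-evaluated as
# a lookup, and a self-referential value recurses until the stack overflows.
# The "%X{key}" converter prints the MDC value without evaluating it, so a layout
# that uses %X instead of ${ctx:...} is the corrected form.

# Print every line of the file that contains a ctx lookup (exit status 1 when none).
find_ctx_lookups() {
    grep -n -i -E '\$\$?\{ctx:' "$1"
}

# Print the number of lines that contain a ctx lookup, 0 when there are none.
count_ctx_lookups() {
    grep -c -i -E '\$\$?\{ctx:' "$1" || true
}

# Constructed sample (assumed, not a brXM file): a layout that interpolates MDC data
# through a lookup. This is the weak setting.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
<Configuration status="WARN">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} user=${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="stdout"/></Root>
  </Loggers>
</Configuration>
EOF

# Constructed sample: the same layout using the %X converter, which is not a lookup.
# This is the corrected setting.
SAFE_CFG=$(mktemp)
cat >"$SAFE_CFG" <<'EOF'
<Configuration status="WARN">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="stdout"/></Root>
  </Loggers>
</Configuration>
EOF

# Remove the temporary files when the script exits.
trap 'rm -f "$WEAK_CFG" "$SAFE_CFG"' EXIT

echo "weak config:"
find_ctx_lookups "$WEAK_CFG" || echo "  no ctx lookups found"
echo "corrected config:"
find_ctx_lookups "$SAFE_CFG" || echo "  no ctx lookups found"
```

Run the scan over every log4j2 configuration shipped with a deployment (`find_ctx_lookups path/to/log4j2.xml`); a hit means the layout is exposed even before the upgrade to log4j 2.17.0, while a clean result only confirms the layout itself, not the library version, so the upgrade remains the actual fix.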

Instructions

Customers are advised to upgrade to the latest brXM version available.