Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Log4j Expliot JNDI for AEM

Avatar

Level 2

Hi friends,

 

Does this https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 vulnerability apply to AEM 6.5 and 6.1 ? Did anyone face any issues with it?

 

The vulnerability is with org.Apache.logging.Log4j.logger  but I see our AEM is using log4j.over.slf4j bundle which is abstract of log4j. But I am not sure that this vulnerability fully applies to AEM as well. 

 

Any recommendation would help.

 

Thanks

Bipin

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

All, Check the response from AEM security team here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-log4j-remote-code-e...

 

AEM seems to be uneffected.

 

Thanks,

Kiran Vedantam.

View solution in original post

5 Replies

Avatar

Level 1

Aem depfinder not showing any  wrapper or log4j dependencies . Sling log using log back . 

is there any find out internal implementation using log4j?

Avatar

Level 1

Hi Adobe,

 

We are in similar situation we saw a log4j-over-slf4j in one of AEM directory we are using AEM 6.2 are we affected by this vulnerability?

 

Regards,

Gerald

Avatar

Correct answer by
Community Advisor

All, Check the response from AEM security team here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-log4j-remote-code-e...

 

AEM seems to be uneffected.

 

Thanks,

Kiran Vedantam.