Adobe Experience Manager Sites & More

bipin_bitla · 12/10/21

Hi friends,

Does this https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 vulnerability apply to AEM 6.5 and 6.1 ? Did anyone face any issues with it?

The vulnerability is with org.Apache.logging.Log4j.logger but I see our AEM is using log4j.over.slf4j bundle which is abstract of log4j. But I am not sure that this vulnerability fully applies to AEM as well.

Any recommendation would help.

Thanks

Bipin

Kiran_Vedantam · 12/13/21

All, Check the response from AEM security team here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-log4j-remote-code-e...

AEM seems to be uneffected.

Thanks,

Kiran Vedantam.

View solution in original post

satishchitikena · 12/11/21

Aem depfinder not showing any wrapper or log4j dependencies . Sling log using log back .

is there any find out internal implementation using log4j?

AditiVoh · 12/11/21

Hi Adobe,

We are in similar situation we saw a log4j-over-slf4j in one of AEM directory we are using AEM 6.2 are we affected by this vulnerability?

Regards,

Gerald

Magicr · 12/13/21

How about AEM 6.3, 6.4 and 5.x?

Kiran_Vedantam · 12/13/21

All, Check the response from AEM security team here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-log4j-remote-code-e...

AEM seems to be uneffected.

Thanks,

Kiran Vedantam.

JeetendraASahu · 12/15/21

Refer to https://logging.apache.org/log4j/2.x/security.html link

Adobe Experience Manager Sites & More

Log4j Expliot JNDI for AEM

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe