SOLVED

Log4j Exploit JNDI for AEM

Level 2

Hi friends,

Does this vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) apply to AEM 6.5 and 6.1? Did anyone face any issues with it?

The vulnerability is with org.Apache.logging.Log4j.logger, but I see our AEM is using the log4j.over.slf4j bundle, which is an abstraction of log4j. But I am not sure that this vulnerability fully applies to AEM as well.

Any recommendation would help.

Thanks

Bipin

1 Accepted Solution

Correct answer by
Community Advisor

All, check the response from the AEM security team here: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-log4j-remote-code-e...

AEM seems to be unaffected.

Thanks,

Kiran Vedantam.


5 Replies

Level 1

AEM depfinder is not showing any wrapper or log4j dependencies. Sling log is using Logback.

Is there any way to find out whether the internal implementation is using log4j?
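
An added example, not part of the original thread and not Adobe's code: one way to answer the question above is to inspect the archives themselves. CVE-2021-44228 sits in the JNDI lookup class of log4j-core (Log4j 2), whereas log4j-over-slf4j only re-exposes the `org.apache.log4j` API on top of SLF4J, so this Python script reports which of the two each jar contains, including jars embedded inside bundles. All function names and the sample jars are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # shipped in log4j-core 2.x
LOG4J1_PREFIX = "org/apache/log4j/"  # Log4j 1.x API, also what log4j-over-slf4j re-exposes
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(names):
    """Return a verdict for one archive's entry names, or None if nothing matches."""
    if JNDI_LOOKUP in names:
        return "log4j-core: JndiLookup present"
    bridge = any(n.startswith(LOG4J1_PREFIX) for n in names)
    return "org.apache.log4j API only: no JndiLookup" if bridge else None

def scan_archive(data, label, findings):
    """Scan archive bytes, recursing into embedded archives (jars inside bundles)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable or not really an archive: skip it
    with zf:
        if verdict := classify(set(zf.namelist())):
            findings.append((label, verdict))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)

def scan_tree(root):
    """Walk a directory and return (location, verdict) pairs in path order."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            scan_archive(p.read_bytes(), p.relative_to(root).as_posix(), findings)
    return findings

def make_jar(entries):  # builds a constructed sample jar from {entry name: content}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():  # constructed samples: a bridge jar and a bundle embedding log4j-core
    with tempfile.TemporaryDirectory() as root:
        inner = make_jar({JNDI_LOOKUP: b""})
        Path(root, "bundle.jar").write_bytes(make_jar({"lib/log4j-core.jar": inner}))
        Path(root, "log4j-over-slf4j.jar").write_bytes(make_jar({LOG4J1_PREFIX + "Logger.class": b""}))
        return scan_tree(root)
```

Point `scan_tree` at an installation directory: a `JndiLookup` hit identifies a log4j-core copy whose version then needs checking against the advisory, while an `org.apache.log4j`-only hit is a Log4j 1.x jar or the SLF4J bridge.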

Level 1

Hi Adobe,

We are in a similar situation. We saw a log4j-over-slf4j in one of the AEM directories. We are using AEM 6.2. Are we affected by this vulnerability?

Regards,

Gerald

Level 7

How about AEM 6.3, 6.4 and 5.x?
