|Requires Admin Access:||No|
|Fix Version:||21.12 (see Mitigations for other versions)|
On Friday 12/10/2021, a critical vulnerability notification (CVE-2021-44228) was released regarding a vulnerability in the log4j library, which is a very common open-source component used by a large number of internet providers, including Apple, Microsoft, Twitter, and Amazon Web Services, and others (for a full list of the extent of this issue, please see https://github.com/YfryTchsGD/Log4jAttackSurface). The log4j component is also used by all recent versions of dotCMS, so this vulnerability has the potential to affect most dotCMS customers.
How to test if dotCMS is vulnerable
dotCMS has already created updated versions of dotCMS software and configuration to mitigate this vulnerability for all affected dotCMS versions, and has already applied mitigations for this issue to all dotCMS Cloud customers.
Please see https://github.com/dotCMS/core/issues/21393 for more information on how to mitigate your dotCMS environment.
Github Issue Link: