Security Vulnerability in log4j2
by Christoph Friedrich
Update Your Allegra Installation
On Saturday, a security vulnerability in the log4j2 library, which is also used in Allegra, became known. We had patched the installations of all systems hosted by us by Sunday afternoon.
Today we released a new build of the current version 7.1 that closes the gap. We recommend that all customers running version 7.0 or 7.1 update to this build.
Customers running older versions such as 5.x or 6.x should pass the system property "-Dlog4j2.formatMsgNoLookups=true" to the JVM of their servlet container, e.g. for Tomcat in bin/setenv.sh in the form JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true ....".
It is unlikely that the vulnerability in Allegra can be exploited by anyone who is not logged into the system, provided the logger configuration files have not been modified. For customers with an active maintenance contract, we provide information to help them test whether their installation is vulnerable. To do so, please contact support (firstname.lastname@example.org).
Update Dec 15, 2021 12:00 PM: It was discovered that the generally recommended patch for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. A remaining vulnerability can be exploited for a less critical denial of service (DoS) attack. We have therefore released another build (Allegra 7.1.0 build 514v), which also fixes this issue, and recommend updating Allegra to this latest build. For more information, please visit https://logging.apache.org/log4j/2.x/security.html.
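The two practical questions behind the advice above are which log4j-core version an installation actually ships and whether the stopgap JVM property is already in place. The following script is an added example for this post, not Allegra's own tooling: it walks a servlet-container directory (assumed to be laid out like a Tomcat CATALINA_BASE), classifies every log4j-core jar it finds by the version in the file name, and checks bin/setenv.sh for the property. The classification encodes the caveat a practitioner needs when applying the 5.x/6.x instructions: the formatMsgNoLookups property is only honoured by Log4j 2.10 through 2.14.x, earlier 2.x releases need an upgrade, and 2.15/2.16 still lack the follow-up fixes mentioned in the update. The jar naming pattern, the directory layout and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Allegra's code: inventory log4j-core jars under a
# servlet-container directory, classify each by version, and check whether
# bin/setenv.sh already passes -Dlog4j2.formatMsgNoLookups=true to the JVM.
# Assumptions: jars use the upstream name log4j-core-<version>.jar, and the
# directory argument is laid out like Tomcat's CATALINA_BASE (bin/, webapps/).
# Back-port releases for old JVMs (2.3.x, 2.12.x) are not special-cased.

# Classify a log4j-core version string such as "2.14.1" or "2.0-beta9".
# Prints one word:
#   NOT_2X     - not the 2.x code base (1.x is a different line; not modelled here)
#   VULNERABLE - 2.0 .. 2.9.x: the formatMsgNoLookups property is not honoured; upgrade
#   MITIGABLE  - 2.10 .. 2.14.x: the property works as a stopgap; upgrade still recommended
#   PARTIAL    - 2.15 / 2.16: original fix present, later follow-up fixes missing; upgrade
#   CURRENT    - 2.17 or later: consult the Apache Log4j security page for newer advisories
log4j_status() {
  v="$1"
  case "$v" in *.*) ;; *) echo NOT_2X; return ;; esac
  major=${v%%.*}
  rest=${v#*.}
  # keep the leading run of digits after the major version; tolerates "-beta9" suffixes
  minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
  case "$major$minor" in *[!0-9]*|"") echo NOT_2X; return ;; esac
  [ "$major" -eq 2 ] || { echo NOT_2X; return; }
  if   [ "$minor" -ge 17 ]; then echo CURRENT
  elif [ "$minor" -ge 15 ]; then echo PARTIAL
  elif [ "$minor" -ge 10 ]; then echo MITIGABLE
  else echo VULNERABLE
  fi
}

# Walk a directory tree and print "<path> <status>" for every log4j-core jar.
scan_log4j_jars() {
  find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
    base=${jar##*/}
    ver=${base#log4j-core-}
    ver=${ver%.jar}
    printf '%s %s\n' "$jar" "$(log4j_status "$ver")"
  done
}

# Report SET if the given setenv.sh passes the stopgap property on an
# uncommented line, MISSING otherwise (also when the file does not exist).
setenv_has_nolookups() {
  if grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -q 'log4j2\.formatMsgNoLookups=true'; then
    echo SET
  else
    echo MISSING
  fi
}

# Usage: sh log4j-check.sh /opt/tomcat
if [ -n "$1" ]; then
  scan_log4j_jars "$1"
  printf 'bin/setenv.sh stopgap property: %s\n' "$(setenv_has_nolookups "$1/bin/setenv.sh")"
fi
```

Run it against the container directory that hosts Allegra; a MITIGABLE jar combined with MISSING means the 5.x/6.x instructions have not been applied yet, while a VULNERABLE jar means the property alone will not help and the application build has to be updated.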