CVE-2021-44228 Log4Shell

What is CVE-2021-44228 (Log4Shell)?

In summary,

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per Apache's Log4j security guide: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Is Cascade CMS affected by CVE-2021-44228 (Log4Shell)?

CVE-2021-44228 does not impact Cascade Cloud as of 3/8/2022 or on-premise Cascade CMS 8.20, because the latest version of Log4j 2.x is in use which disables the affected JNDI functionality by default. 

Note that application logging configuration is not available within the application itself. It could only be customized with direct access to the application server.

On-premise distributions older than Cascade CMS 8.20

For on-premise distributions, the vulnerability depends on the availability of a log4j feature called message lookup substitution which is not supported in Cascade CMS's implementation of log4j. The most serious part of the vulnerability—which derives from the loading of classes from arbitrary URL in JNDI—is also mitigated by the version of Java that ships with Cascade CMS where com.sun.jndi.ldap.object.trustURLCodebase defaults to false.

This vulnerability is related to: a) CVE-2021-4104 a less serious variation of vulnerability that is also mitigated in Cascade CMS and b) two later and less serious variations—CVE-2021-45046 and CVE-2021-45105—which are both mitigated for the same reasons as above.