CVE-2021-45105 Log4Shell

What is CVE-2021-45105 (Log4Shell)?

In summary,

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Is Cascade CMS affected by CVE-2021-45105 (Log4Shell)?

As was the case for CVE-2021-44228, CVE-2021-45105 does not impact Cascade Cloud (as of 3/8/2022) or on-premise Cascade CMS 8.20, because message lookup substitution is disabled by default. 

Note that application logging configuration is not available within the application itself. It could only be customized with direct access to the application server.

On-premise distributions older than Cascade CMS 8.20

On-premise distributions do not support message lookup substitution in the use of log4j; therefore, these versions of Cascade CMS are not affected.