CMDBuild Forum

Log4j2 critical vulnerability CVE-2021-44228 / CVE-2021-45046

Hello,

We are running CMDBuild READY2USE 2.3-3.4.3 on Linux openSUSE 15.5.

We have recently installed a vulnerability security scanner (Runecast analyzer) on the server, and it detected a couple of critical vulnerabilities linked to log4j:

CVE-2021-44228 / CVE-2021-45046 - Log4j versions prior to 2.16.0, including 2.15

log4j is not installed on the server as part of the OS so this must come from CMDBuild.

Can you confirm if log4j is bundled with CMDBuild and which version it is?

The vulnerability was found in the following process:

/usr/lib64/jvm/java-17-openjdk-17/bin/java -Djava.util.logging.config.file=/home/olivier/cmdbuild_new/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /home/olivier/cmdbuild_new/bin/bootstrap.jar:/home/olivier/cmdbuild_new/bin/tomcat-juli.jar -Dcatalina.base=/home/olivier/cmdbuild_new -Dcatalina.home=/home/olivier/cmdbuild_new -Djava.io.tmpdir=/home/olivier/cmdbuild_new/temp org.apache.catalina.startup.Bootstrap start

Thank you for any information you can provide.

Best wishes

Olivier Riche
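The question above is "is log4j bundled, and which version?". The process listing gives `-Dcatalina.base=/home/olivier/cmdbuild_new`, so the answer is under that Tomcat base: deployed WARs are expanded into `webapps/<name>/WEB-INF/lib`, and the `log4j-core-<version>.jar` there is the artifact the two CVEs concern. The script below is an added example, not something posted in the thread or shipped by CMDBuild: it walks a Tomcat base directory, reads the version from each `log4j-core` jar name, and flags anything in the 2.x line before 2.16.0 (the fix version the scanner cites), treating the 2.12.2 Java 7 backport as fixed. The default path is the one from the process listing; the directory layout in the test is constructed.

```shell
#!/bin/sh
# Added example (not CMDBuild's code): find log4j-core jars under a Tomcat
# CATALINA_BASE and classify them against CVE-2021-44228 / CVE-2021-45046.
# Default path taken from the -Dcatalina.base value in the process listing above.
CATALINA_BASE="${CATALINA_BASE:-/home/olivier/cmdbuild_new}"

# log4j_version_from_jar PATH: print "2.18.0" for .../log4j-core-2.18.0.jar,
# nothing if the file name does not carry a version.
log4j_version_from_jar() {
    basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\)$/\1/p'
}

# is_vulnerable_version VERSION: exit 0 when VERSION is affected by the two CVEs.
# Affected: Log4j 2.x before 2.16.0, except the 2.12.2+ backport for Java 7.
is_vulnerable_version() {
    # Split "major.minor.patch" into the function's positional parameters.
    # shellcheck disable=SC2086
    set -- $(printf '%s' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 2 ] || return 1      # only the Log4j 2 line is in scope
    [ "$minor" -lt 16 ] || return 1     # 2.16.0 and later carry the fix
    if [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ]; then
        return 1                        # 2.12.2 backported the fix to Java 7
    fi
    return 0
}

# scan_for_log4j DIR: list every log4j-core jar under DIR with a verdict.
# Expanded WARs keep their libraries in webapps/<name>/WEB-INF/lib, which is
# where a Tomcat bundle such as CMDBuild's would carry log4j.
scan_for_log4j() {
    dir="$1"
    jars=$(find "$dir" -type f -name 'log4j-core-*.jar' 2>/dev/null)
    if [ -z "$jars" ]; then
        printf 'no log4j-core jar found under %s\n' "$dir"
        return 0
    fi
    printf '%s\n' "$jars" | while IFS= read -r jar; do
        ver=$(log4j_version_from_jar "$jar")
        if [ -z "$ver" ]; then
            printf 'UNKNOWN     %-8s %s\n' '?' "$jar"
        elif is_vulnerable_version "$ver"; then
            printf 'VULNERABLE  %-8s %s\n' "$ver" "$jar"
        else
            printf 'ok          %-8s %s\n' "$ver" "$jar"
        fi
    done
    return 0
}

# Stand-alone use: scan the Tomcat base the scanner pointed at.
scan_for_log4j "$CATALINA_BASE"
```

A jar whose file name has been stripped of its version shows up as UNKNOWN; for those, `unzip -p <jar> META-INF/MANIFEST.MF` and the `Implementation-Version` line give the same answer. Run it against a WAR that has not been expanded yet by listing the archive (`unzip -l cmdbuild.war | grep log4j-core`) rather than the file system.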

Hi,
We have confirmed that the release 3.4.3 of CMDBuild includes log4j updated to version 2.18.

CMDBuild team

Thank you, it’s reassuring to know that this version of log4j is not vulnerable.
Best wishes
Olivier