Posted to users@sling.apache.org by Robert Munteanu <ro...@apache.org> on 2021/12/16 21:05:39 UTC

Apache Sling advisory regarding CVE-2021-44228 and LOGBACK-1591

On 9th December 2021, a new zero-day vulnerability for Apache Log4j was
reported. It is tracked under CVE-2021-44228 and affects Log4j versions
from 2.0.1 (inclusive) to 2.15.0 (exclusive). It is also known under
the 'log4shell' name.

Apache Sling modules use the Simple Logging Facade for Java (slf4j) for
logging, backed by the Sling Commons OSGi bundle. There are no Sling
modules using versions of Log4j affected by log4shell. The Sling
Starter and Sling CMS applications do not include any vulnerable
version of the Log4j library.

Applications built on top of Apache Sling are not impacted by
CVE-2021-44228, provided they do not deploy a vulnerable version of
log4j themselves.

The Sling Commons OSGi bundle wraps logback-core and logback-classic,
but does not allow arbitrary modifications to the logback.xml file and
is therefore not vulnerable to the attack described in LOGBACK-1591.

The Apache Sling PMC recommends that developers and operators of
applications built on top of Apache Sling review the libraries they
deploy to ensure that they do not include vulnerable versions of Log4j.
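One way to carry out the review recommended above is to inspect the manifests of the jars actually deployed and flag any log4j-core bundle whose version falls in the range the advisory gives, 2.0.1 (inclusive) to 2.15.0 (exclusive). The script below is an added example, not code from the Apache Sling project or from this advisory. It assumes that the log4j-core bundle carries the OSGi symbolic name org.apache.logging.log4j.core and a Bundle-Version header; verify those against the artifact you deploy. The jars it scans by default are constructed in memory as sample data; scan_directory() applies the same check to a real directory of jars.

```python
import io
import re
import zipfile
from pathlib import Path

# Affected range as stated in the advisory: 2.0.1 (inclusive) to 2.15.0 (exclusive).
AFFECTED_MIN = (2, 0, 1)
AFFECTED_MAX = (2, 15, 0)

# OSGi symbolic name of the log4j-core bundle (an assumption of this example;
# confirm it against the manifest of the artifact you actually deploy).
LOG4J_CORE_BSN = "org.apache.logging.log4j.core"


def parse_version(text):
    """Return (major, minor, micro) from strings such as '2.14.1', '2.0' or
    '2.15.0.SNAPSHOT'; qualifiers are ignored. Returns None if no version is found."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if the version lies in [AFFECTED_MIN, AFFECTED_MAX)."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v < AFFECTED_MAX


def parse_manifest(text):
    """Parse a JAR manifest into a dict, unfolding continuation lines
    (a line starting with a single space continues the previous header)."""
    headers = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            last = None
            continue
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last = key.strip()
            headers[last] = value.strip()
    return headers


def inspect_jar(jar_bytes, name):
    """Return a finding dict for a log4j-core jar, or None for any other jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    headers = parse_manifest(manifest)
    # Drop directives such as ';singleton:=true' before comparing the symbolic name.
    bsn = headers.get("Bundle-SymbolicName", "").split(";", 1)[0].strip()
    if bsn != LOG4J_CORE_BSN:
        return None
    version = headers.get("Bundle-Version") or headers.get("Implementation-Version", "")
    return {"jar": name, "version": version, "affected": is_affected(version)}


def scan_directory(directory):
    """Inspect every *.jar below a directory (for example a launcher's bundle cache)."""
    findings = []
    for path in sorted(Path(directory).rglob("*.jar")):
        finding = inspect_jar(path.read_bytes(), str(path))
        if finding:
            findings.append(finding)
    return findings


def build_jar(manifest_headers):
    """Build a minimal in-memory jar carrying only a manifest (constructed sample data)."""
    lines = ["Manifest-Version: 1.0"] + [f"{k}: {v}" for k, v in manifest_headers.items()]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
    return buf.getvalue()


# Constructed samples: an affected log4j-core, a fixed one, and an unrelated logback bundle.
SAMPLE_JARS = {
    "log4j-core-2.14.1.jar": build_jar({"Bundle-SymbolicName": LOG4J_CORE_BSN + ";singleton:=true",
                                        "Bundle-Version": "2.14.1"}),
    "log4j-core-2.15.0.jar": build_jar({"Bundle-SymbolicName": LOG4J_CORE_BSN,
                                        "Bundle-Version": "2.15.0"}),
    "logback-classic-1.2.7.jar": build_jar({"Bundle-SymbolicName": "ch.qos.logback.classic",
                                            "Bundle-Version": "1.2.7"}),
}


def scan_samples():
    """Run the check over the constructed samples; returns only log4j-core findings."""
    return [f for f in (inspect_jar(b, n) for n, b in SAMPLE_JARS.items()) if f]


if __name__ == "__main__":
    for finding in scan_samples():
        print(finding)
```

The check keys on the bundle manifest rather than on the file name, so a log4j-core jar that has been renamed or embedded with a different file name is still caught as long as its manifest is intact; jars with no manifest are skipped and should be reviewed by hand.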

On behalf of the Apache Sling PMC,
Robert Munteanu

---

This advisory is also available online at
https://sling.apache.org/security/log4shell.html