Help to mitigate CVE-2021-44228 and CVE-2021-45046 security vulnerabilities

madhu.peyyala · December 15, 2021, 12:38pm

Hi Team,
We’ve received a directive to check the effect of the security vulnerabilities applications that are hosting on Lucee:
→ CVE-2021-45046: CVE - CVE-2021-45046
→ CVE-2021-44228: CVE - CVE-2021-44228

Is there any impact to the Lucee that we are currently using? if yes, please suggest the mitigation steps.
Are there any process to identify whether we have impacted?

OS: Ubuntu 18
Java Version: Java 11, inbuilt Lucee provided one.
Tomcat Version: Tomcat9
Lucee Version: 5.3.6.61

I have found the below log4j jar files in the lucee server:
/opt/lucee/tomcat/lucee-server/bundles/log4j-1.2.17.jar

Thank you,
Madhusudhana

Zackster · December 15, 2021, 12:44pm

did you read the other threads on the topic first?

https://lucee.daemonite.io/t/log4j-zeroday-vulnerability/9322/26

https://lucee.daemonite.io/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331/24

madhu.peyyala · December 15, 2021, 1:04pm

Thanks for the quick response.
Yes Zackster i have looked into those posts. From that i understand there is no impact with cve-2021-44228 as lucee is using log4j-12.17. Correct me if i understand differently.
But i didn’t find any article/post on cve-2021-45046. The organisation need a verdict from the Lucee side to believe that there is no impact with both cve-2021-44228, cve-2021-45046.
Hope you got me.

Thanks,
Madhusdhana

Zackster · December 15, 2021, 1:07pm

CVE-2021-45046 also applies to log4j 2, that’s also not an issue for Lucee

madhu.peyyala · December 15, 2021, 1:10pm

Thanks Zackster for confirming!!!

madhu.peyyala · January 10, 2022, 10:56am

Hi Zackster,
Is there any impact or anything to be taken care w.r.t CVE-2021-44832?
Thanks,
Madhusudhana

bdw429s · January 10, 2022, 8:35pm

Lucee does not use a JDBC Appender in the default configuration, so unless you’re using custom Log4j settings, I wouldn’t think you’re vulnerable.