Help to mitigate CVE-2021-44228 and CVE-2021-45046 security vulnerabilities

Hi Team,
We’ve received a directive to check the effect of the security vulnerabilities on applications that are hosted on Lucee:
→ CVE-2021-45046
→ CVE-2021-44228

Is there any impact to the Lucee that we are currently using? If yes, please suggest the mitigation steps.
Is there any process to identify whether we have been impacted?

OS: Ubuntu 18
Java Version: Java 11, inbuilt Lucee provided one.
Tomcat Version: Tomcat9
Lucee Version:

I have found the below log4j jar files on the Lucee server:

Thank you,

Did you read the other threads on the topic first?

Thanks for the quick response.
Yes Zackster, I have looked into those posts. From that I understand there is no impact with CVE-2021-44228 as Lucee is using log4j-12.17. Correct me if I understand differently.
But I didn’t find any article/post on CVE-2021-45046. The organisation needs a verdict from the Lucee side to believe that there is no impact with both CVE-2021-44228 and CVE-2021-45046.
Hope you got me.


CVE-2021-45046 also applies to log4j 2; that’s also not an issue for Lucee.

Thanks Zackster for confirming!!!

Hi Zackster,
Is there any impact or anything to be taken care of w.r.t. CVE-2021-44832?

Lucee does not use a JDBC Appender in the default configuration, so unless you’re using custom Log4j settings, I wouldn’t think you’re vulnerable.
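
For the question in this thread about a process to identify whether an installation is impacted, one way to inventory the Log4j jars on a server by the classes they contain rather than by file name. This is an added example, not part of the original thread and not Lucee's own tooling; the jar names and directory layout in `build_sample_tree` are constructed, and nested jars inside other archives are not opened.

```python
import pathlib
import sys
import zipfile

# Class paths inside the jar decide the label, not the file name.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE = "org/apache/logging/log4j/core/"
LOG4J1_API = "org/apache/log4j/"  # Log4j 1.x packages (the log4j-1.2-api bridge ships them too)

def classify_jar(path):
    """Return a label for a jar holding Log4j classes, or None if it holds none."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return "unreadable"  # truncated or non-zip file: report it, do not skip silently
    if JNDI_LOOKUP in names:
        return "log4j2-core with JndiLookup"
    if any(n.startswith(LOG4J2_CORE) for n in names):
        return "log4j2-core without JndiLookup"
    if any(n.startswith(LOG4J1_API) for n in names):
        return "log4j 1.x classes"
    return None

def scan(root):
    """Map each jar under root (relative path) to its label, dropping unrelated jars."""
    root = pathlib.Path(root)
    labels = {j.relative_to(root).as_posix(): classify_jar(j) for j in sorted(root.rglob("*.jar"))}
    return {rel: label for rel, label in labels.items() if label}

def build_sample_tree(root):
    """Constructed sample: empty class entries under hypothetical jar names."""
    samples = {
        "bundles/log4j-1.x.jar": ["org/apache/log4j/Logger.class"],
        "lib/log4j-core-2.x.jar": [JNDI_LOOKUP, LOG4J2_CORE + "Logger.class"],
        "lib/log4j-core-stripped.jar": [LOG4J2_CORE + "Logger.class"],
        "lib/other.jar": ["com/example/App.class"],
    }
    for rel, entries in samples.items():
        target = pathlib.Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as jar:
            for name in entries:
                jar.writestr(name, b"")

if __name__ == "__main__":
    for rel, label in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{label:32} {rel}")
```

A jar that reports only Log4j 1.x classes falls outside the Log4j 2 range the replies above refer to; a `log4j2-core` hit is the case that needs its version checked against the advisories.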