TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228)

Categories: Development, Security, TYPO3 CMS Created by Torben Hansen
Components of TYPO3 CMS are based on PHP and are therefore not directly affected by the recent log4j vulnerabilities. However, additional services used in web application scenarios may be affected.
  • Component Type: TYPO3 CMS core & TYPO3 extensions (third-party plugins)
  • Release Date: December 16, 2021
  • Type: Advisory
  • References: CVE-2021-44228, CVE-2021-45046

Problem Description

The critical vulnerability that was recently exposed in the log4j Java library is currently going  through the media and some TYPO3 users are unsure whether TYPO3 CMS or TYPO3 extensions are affected by this vulnerability too.

TYPO3 CMS and TYPO3 extensions are PHP based software packages and are therefore not affected by the log4j vulnerability. This includes bundled JavaScript components in TYPO3 CMS and TYPO3 extensions (Java and JavaScript are separate programming languages).

Many TYPO3 websites  rely on external services that could be affected by the vulnerability, but only if those external services are  based on Java. Here  are some common scenarios where additional services are used:

  • TYPO3 website includes a website search, which is based on the external services like Apache Solr or Elasticsearch
  • TYPO3 website uses the external service Apache Tika to extract metadata of uploaded files,
  • TYPO3 log files are processed by the external service Logstash,

In all these scenarios, the external services are Java-based software components that use the log4j library and are most  likely affected by the critical log4j vulnerability. 

Recommendation

The TYPO3 Security Team recommends TYPO3 website and server administrators to check if data generated by TYPO3 is logged or processed by Java-based external services in any way. If so, it is important to establish whether the external services use log4j and if they are affected by the vulnerability. 

This reference may be a helpful resource for TYPO3 website and server administrators on how to detect and mitigate the log4j/log4shell vulnerability.

TYPO3 Infrastructure

Affected components and external services used in the TYPO3 infrastructure have been identified and vendor patches have been applied. Affected components did not include any privacy or account-related data.

General Advice

Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.