Issues » Log4j Zero-Day Exploit (CVE-2021-44228)

Issue: SI-61
Date: Dec 20, 2021, 10:15:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 21.12 (see Mitigations for other versions)
Credit: NIST CVE

On Friday 12/10/2021, a critical vulnerability notification (CVE-2021-44228) was released regarding a vulnerability in the log4j library, which is a very common open-source component used by a large number of internet providers, including Apple, Microsoft, Twitter, and Amazon Web Services, and others (for a full list of the extent of this issue, please see The log4j component is also used by all recent versions of dotCMS, so this vulnerability has the potential to affect most dotCMS customers.

How to test if dotCMS is vulnerable
Try to log in (native) using the following string as the username:
and any old password.
If you see the following message in dotcms.log OR catalina.out (need to check both on binary installs), or in docker logs, then the site is vulnerable
AsyncAppender-generic WARN Error looking up JNDI resource [ldap://]. javax.naming.CommunicationException: [Root exception is]

The following message is fine and expected, it does not indicate there is an issue
ERROR ejb.UserManagerImpl - Invalid email throwing a UserEmailAddressException: ${jndi:ldap://}


dotCMS has already created updated versions of dotCMS software and configuration to mitigate this vulnerability for all affected dotCMS versions, and has already applied mitigations for this issue to all dotCMS Cloud customers.

Please see for more information on how to mitigate your dotCMS environment.


Github Issue Link: