Log4j security issue and Umbraco CMS
by Chris Hall Senior Developer
Posted on December 15, 2021
For those of you that aren’t at the coalface of IT, there has been a recent global security announcement regarding a critical security issue that has been described by experts as being “the worst discovery in recent years” for the vulnerability and its potential impacts to global software systems.
The vulnerability has been identified in Apache’s Log4j log storage library (for storing log files, audits etc) and is a popular solution, which is run as a Java-based software mainly within application software configurations. The issue can exploit access to the server giving entry to networks or applications where the possibility for disruptions is endless. The global IT community, specifically application developers, DevOps, SysAdmins and more are racing through their infrastructure configurations to check to see if there are potential exposures to this flaw. This may take weeks to months to ensure system health checks are run and secure whilst there are, I’m sure determined individuals pro-actively looking for this specific weakness to exploit.
The issue with this logging service is that many Opensource frameworks may use this dependency and it may not be directly obvious that is in use.
NXT have been pro-actively looking through those clients identified internally (based on their infrastructure) “At-Risk” and we are remediating those issues. The positive news for NXT as an agency is that predominately our tech-stack is based on Microsoft’s .NET / .NET Core framework and we typically use Umbraco CMS as our core solution. Having consulted Umbraco and checked all their security documentation, we can confirm that Umbraco CMS uses Log4Net. Umbraco has confirmed that it isn’t affected by the exploited port of Log4j. For further reading, read here.
NXT development team have followed best practise in ensuring WAF (web application firewall) rules has been included to block any attempts for potential risks, although as we mentioned there are no indications of risk to .NET / Umbraco environments.
So another big security win again for the .NET community and Umbraco CMS, but we’ll continue to monitor this issue closely.
About the Author
Chris leads our front end development at NXT, principally involved in all things responsive, animation and anything cool you see on the web. Chris loves nothing more than creating jQuery libraries but when he's not in the office he loves spinning Poi, making his own tunes and the Linton travel tavern. Keep your eyes peeled for "Spinjammin" - coming soon.