On December 9th, it was made public on Twitter that a zero-day exploit had been discovered in log4j, a popular Java logging library. As pointed out by the POC published on GitHub, when log4j logs an attacker-controlled string value it can result in a Remote Code Execution (RCE). All the library's versions from 2.0 through 2.14.1 inclusive are affected.

The log4j contributors mobilized to ensure that a fix was available and quickly merged. Log4j 2.15.0 has been released, which no longer has this vulnerability; it is already available in Maven Central and all users are encouraged to upgrade immediately where possible.

Even though the issue was fixed, the team continued the work to further harden the library by disabling the JNDI lookup by default and disabling message lookups. These changes are available in log4j 2.16.0.

CVE-2021-45105 was then disclosed: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.

Please comment if something needs to be updated. This is an evolving story, we will continue updating it.
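As an added illustration (this is not Log4j's code, only a simplified model of its `${...}` lookup substitution), the toy engine below shows the two hardening points mentioned above: a depth cap so that self-referential lookups fail with an error instead of recursing without bound, and lookups that are resolved only in the trusted layout, never inside logged message text, with the `jndi` scheme left unresolved unless explicitly enabled. `MAX_DEPTH`, `resolve`, `format_event`, the `ctx` lookup scheme and the sample context values are assumptions of this example.

```python
import re

# Innermost ${...} token: no nested "${" or "}" inside, so nested lookups
# are resolved from the inside out over successive passes.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
MAX_DEPTH = 20  # assumption: a fixed cap standing in for a recursion guard


class LookupRecursionError(RuntimeError):
    """Raised when substitution never converges (self-referential lookups)."""


def evaluate(expr, ctx, enable_jndi=False):
    """Resolve one lookup expression such as 'ctx:loginId'.

    Unknown or disabled lookup schemes are left in place unresolved.
    """
    scheme, _, key = expr.partition(":")
    if scheme == "ctx":
        return ctx.get(key, "${" + expr + "}")
    if scheme == "jndi" and not enable_jndi:
        return "${" + expr + "}"  # JNDI disabled by default: token stays literal
    if scheme == "jndi":
        raise NotImplementedError("a real JNDI lookup would contact a directory here")
    return "${" + expr + "}"


def resolve(text, ctx, enable_jndi=False, max_depth=MAX_DEPTH):
    """Repeatedly substitute innermost lookups until the text stops changing.

    A self-referential value (a -> ${ctx:b}, b -> ${ctx:a}) never reaches a
    fixed point; the depth cap turns that unbounded recursion into an error.
    """
    for _ in range(max_depth):
        new = LOOKUP.sub(lambda m: evaluate(m.group(1), ctx, enable_jndi), text)
        if new == text:
            return text
        text = new
    raise LookupRecursionError(f"lookups did not converge after {max_depth} passes")


def format_event(layout, message, ctx, lookups_in_messages=False):
    """Render one log line.

    Lookups in the layout (operator-controlled config) are always resolved.
    Lookups inside the message (possibly attacker-supplied) are resolved only
    when explicitly enabled; the default keeps them as literal text.
    """
    rendered_msg = resolve(message, ctx) if lookups_in_messages else message
    return resolve(layout, ctx).replace("%m", rendered_msg)
```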