critical vulnerability in Apache java opensource logging tool
https://cve.mitre.org/cgi-bin/cvename.c ... 2021-44228
Short version:
Any instance of log4j2 up to and including 2.14 is vulnerable to remote code execution attacks on any platform (yes, this includes Linux) via LDAP. This is an open-source logging tool used by many developers, not just Apache web servers. Suggested remediation is to update to version 2.15 or disable certain Java controls on this applet.
https://logging.apache.org/log4j/2.x/security.html for additional details.
The Future is Progressive!
rebellionpac.com
Fight white supremacy, fight corporate influence, fight for the rights of all peoples!
- red assassin
- Posts: 4613
- Joined: Sun, 15. Feb 04, 15:11
Re: critical vulnerability in Apache java opensource logging tool
Fortunately, if you find any vulnerable servers, you can patch them with this handy tool... whether or not it's your server: https://github.com/Cybereason/Logout4Shell
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way
Re: critical vulnerability in Apache java opensource logging tool
True, but not so easy to do in the patient care realm. Fortunately, we can block the traffic at the firewall in the meantime while we wait on official patching from the vendors. In the meantime, though, this Java applet is in use by game developers as well, including Minecraft and other Java-based games and apps. It's all over the place.
- red assassin
- Posts: 4613
- Joined: Sun, 15. Feb 04, 15:11
Re: critical vulnerability in Apache java opensource logging tool
For the record, I'm not actually recommending exploiting the vulnerability to patch it on random servers! Unfortunately it's a bit of a challenging vulnerability to mitigate on network in the general case, because you don't know where a value in traffic might end up getting passed to a logger somewhere. (It might not even be in real time!)
Re: critical vulnerability in Apache java opensource logging tool
Oh, Steam cloud services are also impacted by this exploit.
Re: critical vulnerability in Apache java opensource logging tool
https://cve.mitre.org/cgi-bin/cvename.c ... 2021-45046
Updating the logging tool to 2.15 has not completely remediated the vulnerability in log4j. Current recommendation is to update to 2.16, and some vendors are already making updates available.
Re: critical vulnerability in Apache java opensource logging tool
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
aaaaand 2.16 is still not good enough.
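Since the thread notes that the logger is "all over the place" and that the recommended version moved twice, an inventory check is a useful first step. The following is an added example, not code from any poster or from the Apache project: it finds log4j-core copies on disk, including ones bundled inside other jars, and labels each version with the CVE this thread associates with it. The function names and the nesting depth limit are assumptions made for the example.

```python
import io
import os
import re
import zipfile

# Maven metadata file shipped inside log4j-core jars; it records the version.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def classify(version):
    """Status per the thread's posts only. Assumption: backport releases on
    older 2.x lines are not distinguished; check the Apache security page."""
    m = re.match(r"2\.(\d+)", version)
    if not m:
        return "unknown"
    minor = int(m.group(1))
    if minor <= 14:
        return "CVE-2021-44228"  # "up to and including 2.14"
    return {15: "CVE-2021-45046", 16: "CVE-2021-45105"}.get(minor, "later release")

def scan_archive(data, label, depth=0):
    """Return [(label, version, status)] for an archive and archives nested in it."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            if name == POM:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else "?"
                hits.append((label, version, classify(version)))
            elif name.lower().endswith(ARCHIVES) and depth < 4:
                # Fat jars and WAR files carry their dependencies as nested archives.
                hits += scan_archive(zf.read(name), f"{label}!{name}", depth + 1)
    return hits

def scan_tree(root):
    """Walk a directory and scan every Java archive found under it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                hits += scan_archive(fh.read(), path)
    return hits
```

Call `scan_tree` on an application or install directory; each hit gives the archive path (with `!` marking nesting), the version found, and the status label. Copies that were repackaged without their Maven metadata will not be detected by this check.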