Re: Log4j Vulnerability
- Subject: Re: Log4j Vulnerability
- From: Paul Hoadley via Webobjects-dev <email@hidden>
- Date: Tue, 14 Dec 2021 12:07:13 +1030
Hello,
On 13 Dec 2021, at 20:56, Daniele Corti via Webobjects-dev
<email@hidden> wrote:
> Today the details of the CVE-2021-44228 vulnerability (log4j) are out and it looks like
> all log4j versions are affected!
>
> I’ve seen many attempts in the logs of the servers, but I was not able to
> understand whether my ERJar, which contains log4j-1.2.17, is also affected.
As Ken Anderson noted, it only affects versions >=2.0-beta9 and <=2.14.1.
https://logging.apache.org/log4j/2.x/security.html
So log4j-1.2.17 specifically is unaffected. If that's the only Log4J you've got
on the classpath, you're not affected. If you're running a vanilla Wonder app,
you're almost certainly not using Log4J 2.
> Was anyone able to check if the standard
> er.extensions.logging.ERXConsoleAppender is vulnerable?
It's "vulnerable" only to the extent that it does use '%m' to print the log
message (and a potential mitigation is to use '%m{nolookups}' if you're on
version >= 2.7), but that's only relevant if you're using a vulnerable version
of Log4J 2.
Here are some brief notes I posted to Slack earlier today:
* The good news is that if you're just using vanilla WebObjects/Wonder, you're
probably not affected by it: Wonder is still on Log4J 1. You might have a
dependency pulling in Log4J 2, though it's not clear to me whether that would
matter unless you had the app-level co-operation to set up and use Log4J 2 to
do actual logging. If you're using Maven, it's very easy to check: "mvn
dependency:tree | grep log4j".
* In any case, if you're definitely using Log4J 2 (we are—I went to some effort
months ago to set it up!), you can mitigate the issue immediately by
re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true". That will
give you time to re-build with Log4J 2.15.0.
* Finally, if you're using AWS and you're using Web Application Firewall (WAF,
which I highly recommend), you're already covered by the
AWSManagedRulesKnownBadInputsRuleSet rules—if you're not using that set, add it
immediately.
--
Paul Hoadley
https://logicsquad.net/
https://www.linkedin.com/company/logic-squad/
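The classpath check described above, as an added example that is not part of the original post or of Project Wonder: a small Python script that inventories jar files, reads the Log4j 2 version from log4j-core's Maven pom.properties, checks whether the JndiLookup class is present, and classifies each jar against the range quoted in the message (2.0-beta9 to 2.14.1 vulnerable, 1.x unaffected, 2.15.0 and later treated as fixed). The entry paths inside the jar are the real ones used by log4j-core; the stub jars built by build_sample_jar are constructed fixtures so the script runs offline. The version boundaries are parameters, so they can be moved if the advisory changes.

```python
"""Inventory Log4j jars on a classpath and classify each against the version
range quoted in the message. Added example; not code from the mailing-list
post or from Project Wonder. Version boundaries (2.0-beta9 .. 2.14.1) and the
"fixed" threshold come from the message and are easy to adjust below."""
import os
import re
import tempfile
import zipfile

# Real entry paths inside a log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

LOG4J1 = "unaffected (Log4j 1.x)"
VULNERABLE = "vulnerable (CVE-2021-44228)"
FIXED = "fixed (>= 2.15.0 per the message)"

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # final release ranks 3


def parse_version(text):
    """Turn '2.0-beta9', '2.0-rc1' or '2.14.1' into a comparable tuple.
    Pre-releases sort before the final release of the same number."""
    base, _, suffix = text.partition("-")
    nums = [int(p) for p in base.split(".")]
    while len(nums) < 3:
        nums.append(0)
    if not suffix:
        return (*nums, 3, 0)
    m = re.fullmatch(r"([a-z]+)(\d*)", suffix.lower())
    if not m or m.group(1) not in _PRERELEASE_RANK:
        raise ValueError(f"unrecognised version: {text!r}")
    return (*nums, _PRERELEASE_RANK[m.group(1)], int(m.group(2) or 0))


FIRST_VULNERABLE = parse_version("2.0-beta9")
LAST_VULNERABLE = parse_version("2.14.1")


def classify(version):
    """Map a Log4j version string to one of the three verdicts above."""
    v = parse_version(version)
    if v[0] < 2:
        return LOG4J1
    if FIRST_VULNERABLE <= v <= LAST_VULNERABLE:
        return VULNERABLE
    return FIXED


def inspect_jar(path):
    """Return (log4j-core version or None, whether JndiLookup.class is present).
    The class is reported separately because a jar may have had it deleted."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in text.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
        return version, JNDI_LOOKUP_CLASS in names


def scan_classpath(paths):
    """Inspect every .jar in paths; return (name, version, has_jndi, verdict) rows
    for jars that look like log4j-core. Non-jar entries are skipped."""
    findings = []
    for p in paths:
        if not p.lower().endswith(".jar"):
            continue
        version, has_jndi = inspect_jar(p)
        if version is None and not has_jndi:
            continue  # not log4j-core
        verdict = classify(version) if version else "log4j-core version unknown"
        findings.append((os.path.basename(p), version, has_jndi, verdict))
    return findings


def build_sample_jar(path, version):
    """Constructed fixture: a stub log4j-core jar holding only the two entries
    this script looks for. Not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"#Generated by Maven\nversion={version}\n"
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        jars = [build_sample_jar(os.path.join(d, f"log4j-core-{v}.jar"), v)
                for v in ("2.14.1", "2.15.0")]
        for name, version, has_jndi, verdict in scan_classpath(jars):
            state = "present" if has_jndi else "absent"
            print(f"{name}: version={version} JndiLookup={state} -> {verdict}")
```

Point scan_classpath at the jars from "mvn dependency:build-classpath" or at the contents of an unpacked ERJar; a 1.x jar has no log4j-core pom.properties and no JndiLookup class, so it is skipped, which matches the message's point that Log4j 1.2.17 on its own is out of scope.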
Webobjects-dev mailing list (email@hidden)