Re: Log4j Vulnerability
- Subject: Re: Log4j Vulnerability
- From: Daniele Corti via Webobjects-dev <email@hidden>
- Date: Tue, 14 Dec 2021 00:43:07 -0800
Hi Paul, hi Ken,
thank you so much for the info!!!
I use only Wonder, and the only Log4J I see in the class path is
log4j-1.2.17 from ERJar, so I think it is ok.
Thanks again!!!
Daniele Corti - IT
VINATI Srl
email@hidden
tel: +39 030 2532813
fax: +39 030 2532814
___________________________
CONFIDENTIALITY NOTICE
This message (including any attachments transmitted with it) contains
confidential information and is intended only for the individual named
herein. If you are not the herein named addressee you should not
disseminate, distribute, copy or otherwise make use of this message. Please
notify the sender immediately by e-mail if you have received this message
by mistake, and delete it from your systems.
On 14 December 2021 at 02:37:31, Paul Hoadley via Webobjects-dev (email@hidden) wrote:
Hello,
On 13 Dec 2021, at 20:56, Daniele Corti via Webobjects-dev <email@hidden> wrote:
Today the details of the vulnerability CVE-2021-44228 (log4j) are out and it
looks like all log4j versions are affected!
I've seen many attempts in the logs of the servers, but I was not able to
understand if my ERJar, which contains log4j-1.2.17, is also affected.
As Ken Anderson noted, it only affects versions >=2.0-beta9 and <=2.14.1.
https://logging.apache.org/log4j/2.x/security.html
So log4j-1.2.17 specifically is unaffected. If that's the only Log4J you've
got on the classpath, you're not affected. If you're running a vanilla
Wonder app, you're almost certainly not using Log4J 2.
Was anyone able to check if the
standard er.extensions.logging.ERXConsoleAppender is vulnerable?
It's "vulnerable" only to the extent that it does use '%m' to print the log
message (and a potential mitigation is to use '%m{nolookups}' if you're on
version >= 2.7), but that's only relevant if you're using a vulnerable
version of Log4J 2.
Here are some brief notes I posted to Slack earlier today:
* The good news is that if you're just using vanilla WebObjects/Wonder,
you're probably not affected by it: Wonder is still on Log4J 1.
You might have a dependency pulling in Log4J 2, though it's not clear to me
whether that would matter unless you had the app-level co-operation to set
up and use Log4J 2 to do actual logging. If you're using Maven, it's very
easy to check: "mvn dependency:tree | grep log4j".
* In any case, if you're definitely using Log4J 2 (we are—I went to some
effort months ago to set it up!), you can mitigate the issue immediately by
re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true". That
will give you time to re-build with Log4J 2.15.0.
* Finally, if you're using AWS and you're using Web Application Firewall
(WAF, which I highly recommend), you're already covered by
the AWSManagedRulesKnownBadInputsRuleSet rules—if you're not using that
set, add it immediately.
--
Paul Hoadley
https://logicsquad.net/
https://www.linkedin.com/company/logic-squad/
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
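An added example, not code from this thread or from Wonder: a small Python script that applies Paul's classpath check to `mvn dependency:tree` output, picking out Log4J artifacts and flagging log4j-core versions inside the CVE-2021-44228 range he cites (2.0-beta9 up to 2.14.1) while leaving Log4J 1.x such as 1.2.17 marked unaffected. The sample tree output and the status labels are constructed for the example.

```python
import re

# Affected range for CVE-2021-44228 as given in the thread: Log4J 2 from
# 2.0-beta9 up to and including 2.14.1. Log4J 1.x (e.g. 1.2.17) is out of scope.
FIRST_AFFECTED, LAST_AFFECTED = "2.0-beta9", "2.14.1"
_PRE_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
# Maven coordinates as printed by `mvn dependency:tree`: group:artifact:jar:version[:scope]
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)(?::(\w+))?")
# Constructed sample output; not taken from any real project.
SAMPLE_TREE = """\
[INFO] com.example:webapp:jar:1.0
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.0-beta9:test
"""

def version_key(version: str) -> tuple:
    """Sortable key so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.14.1 < 2.15.0."""
    base, _, pre = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    if not pre:  # a final release sorts after any of its pre-releases
        return (*nums, 1, 0, 0)
    m = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
    if not m:    # unknown suffix: sort before every known pre-release stage
        return (*nums, 0, -1, 0)
    return (*nums, 0, _PRE_STAGE.get(m.group(1), -1), int(m.group(2) or 0))

def classify_log4j2(artifact: str, version: str) -> str:
    """Classify one org.apache.logging.log4j artifact against the CVE range."""
    if artifact != "log4j-core":  # the JNDI lookup code ships in log4j-core
        return "log4j2-present"
    if version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED):
        return "affected"
    return "outside-affected-range"

def scan_tree(tree_output: str) -> list:
    """Return (artifact, version, status) for every Log4J artifact in the tree."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.group(1), m.group(2), m.group(3)
        if group == "log4j":  # Log4J 1.x coordinates
            findings.append((artifact, version, "unaffected-log4j1"))
        elif group == "org.apache.logging.log4j":
            findings.append((artifact, version, classify_log4j2(artifact, version)))
    return findings
```

Pipe the real `mvn dependency:tree` output into `scan_tree` to get the same report for a project; an "affected" log4j-core entry is the case where Paul's `-Dlog4j2.formatMsgNoLookups=true` relaunch buys time until a rebuild.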