Re: Log4j Vulnerability
- Subject: Re: Log4j Vulnerability
- From: Paul Hoadley via Webobjects-dev <email@hidden>
- Date: Fri, 17 Dec 2021 08:43:36 +1030
Just to update this:
On 14 Dec 2021, at 12:07, Paul Hoadley via Webobjects-dev
<email@hidden> wrote:
> * In any case, if you're definitely using Log4J 2 (we are—I went to some
> effort months ago to set it up!), you can mitigate the issue immediately by
> re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true".
It turns out that this was not a complete mitigation:
https://www.lunasec.io/docs/blog/log4j-zero-day/
> That will give you time to re-build with Log4J 2.15.0.
And that 2.15.0 was not a complete fix either:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Current release is 2.16.0, and you should update to that if you're using Log4J
2.
https://logging.apache.org/log4j/2.x/security.html
--
Paul Hoadley
https://logicsquad.net/
https://www.linkedin.com/company/logic-squad/
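
One way to act on the advice in the message above, as an added example that is not part of the original message or of any project's tooling: a Python audit that finds log4j-core 2.x jars on disk and bundled inside jar/war/ear archives, marks any below 2.16.0, and reports when a launch still relies on the formatMsgNoLookups flag alone. The function names, the filename-based detection and the nesting limit are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Per the message: the flag and 2.15.0 were incomplete; update to 2.16.0.
MIN_VERSION = (2, 16, 0)
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def core_version(name):
    """Return (major, minor, patch) if name is a log4j-core jar, else None."""
    m = CORE_JAR.search(name.replace("\\", "/"))
    return tuple(int(g or 0) for g in m.groups()) if m else None

def record(name, label, findings):
    """Append (location, version, ok) when name is a Log4J 2 core jar."""
    version = core_version(name)
    if version and version[0] == 2:
        findings.append((label, version, version >= MIN_VERSION))

def scan_archive(data, label, findings, depth=0):
    """Find core jars bundled inside a jar/war/ear, to a bounded depth."""
    if depth > 3 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            record(entry, f"{label}!{entry}", findings)
            if entry.lower().endswith(ARCHIVES):
                scan_archive(zf.read(entry), f"{label}!{entry}", findings, depth + 1)

def audit(root):
    """Return findings for every log4j-core 2.x jar on disk or bundled under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            record(path.name, str(path), findings)
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def flag_only_mitigation(jvm_args, findings):
    """True when a launch still leans on the flag while an old core jar remains."""
    return FLAG in jvm_args and any(not ok for _, _, ok in findings)

if __name__ == "__main__":
    for location, version, ok in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("OK    " if ok else "UPDATE", ".".join(map(str, version)), location)
```

Detection here goes by jar file name only, so a shaded build that unpacks Log4J classes into its own jar will not be reported and needs a class-level check instead.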