Re: Log4j Vulnerability

  • Subject: Re: Log4j Vulnerability
  • From: Aaron Rosenzweig via Webobjects-dev <email@hidden>
  • Date: Mon, 27 Dec 2021 19:46:30 -0500

Should we upgrade the Wonder jars to v2.16?

I realize they are currently on v1.x which isn’t affected by the latest
stirrings on the interwebs but maybe this is a good time to move it forward?

v1.x has a small number of vulnerabilities of its own, though most people
aren’t affected by them either.

> On Dec 16, 2021, at 5:13 PM, Paul Hoadley via Webobjects-dev
> <email@hidden> wrote:
>
> Just to update this:
>
> On 14 Dec 2021, at 12:07, Paul Hoadley via Webobjects-dev
> <email@hidden> wrote:
>
>> * In any case, if you're definitely using Log4J 2 (we are—I went to some
>> effort months ago to set it up!), you can mitigate the issue immediately by
>> re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true".
>
> It turns out that this was not a complete mitigation:
>
> https://www.lunasec.io/docs/blog/log4j-zero-day/
>
>> That will give you time to re-build with Log4J 2.15.0.
>
> And that 2.15.0 was not a complete fix either:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>
> Current release is 2.16.0, and you should update to that if you're using
> Log4J 2.
>
> https://logging.apache.org/log4j/2.x/security.html
>
>
> --
> Paul Hoadley
> https://logicsquad.net/
> https://www.linkedin.com/company/logic-squad/
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
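
For anyone auditing a deployment against the versions discussed in this thread, here is an added example (not code from the thread or from Project Wonder) that walks a directory of jars and reports which Log4j each one carries, using 2.16.0 as the threshold the thread recommends. The archive entry names are assumptions about how Maven-built Log4j jars are laid out, and jars nested inside other archives are not opened.

```python
import re
import sys
import zipfile
from pathlib import Path

# Assumed archive entry names for Maven-built Log4j jars (not taken from the thread).
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
V1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # release the thread recommends for Log4J 2 users


def _version(zf, entry):
    """Return the version= value from a pom.properties entry, or 'unknown'."""
    text = zf.read(entry).decode("utf-8", "replace")
    m = re.search(r"^version=(\S+)", text, re.M)
    return m.group(1) if m else "unknown"


def classify_jar(path):
    """Return (status, version) for a jar that carries Log4j, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if V1_POM in names:  # 1.x line, which the thread treats separately
                return ("log4j1", _version(zf, V1_POM))
            if CORE_POM in names:
                ver = _version(zf, CORE_POM)
                nums = tuple(int(n) for n in re.findall(r"\d+", ver)[:3])
                ok = len(nums) == 3 and nums >= FIXED
                return ("log4j2-ok" if ok else "log4j2-upgrade", ver)
            if JNDI_CLASS in names:  # repackaged core without Maven metadata
                return ("log4j2-unknown", "unknown")
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or non-zip file with a .jar name
    return None


def scan(root):
    """Map each Log4j-bearing jar under root to its (status, version)."""
    found = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        result = classify_jar(jar)
        if result:
            found[str(jar.relative_to(root))] = result
    return found


if __name__ == "__main__":
    for name, (status, ver) in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:15} {ver:10} {name}")
```

A `log4j2-unknown` result means the JNDI lookup class is present but the version could not be read, so that jar needs a manual check.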

