Questions tagged [cve-2021-44228]

On 9 December 2021 the vulnerability known as "log4shell" was publicly disclosed. The vulnerability, found in the log4j logging library, a project of the Apache Software Foundation, was given a CVSS score of 10, the highest possible.

The vulnerability got the name "log4shell" because it was discovered that log4j allowed unauthenticated users to achieve remote code execution (RCE) through JNDI lookups that contact arbitrary LDAP servers.

Apache quickly released a fix in version 2.15.0.

13 questions
6 votes, 3 answers

How can I find vulnerable Log4j programs (CVE-2021-44228) on a Windows 10 PC and how can I provide first aid when I cannot update to a fixed Log4j version?
chr15t0ph
4 votes, 1 answer

Why is Maven downloading log4j-1.2.12.jar?

I am trying to remove all the vulnerable log4j dependencies from my Maven project. I am using the log4j 2.16 dependency in my pom and have added exclusions for log4j and slf4j in other dependencies. Still, whenever I run the Maven package goal it…
Syed Shahzer
4 votes, 2 answers

Are you safe from log4j CVE-2021-44228 if Java is not installed?

I have read a lot about how bad this issue is and understand the options available to locate it within the code our company is producing and update servers that are using vulnerable versions. What I am unable to find is if a particular server does…
Martin
3 votes, 0 answers

Fortify tool reporting CVE-2021-44228 despite using log4j 2.17.1+ version

We ran the Fortify tool on our code base, which is currently using log4j version 2.17.1+. However, the Fortify tool complains that: The program runs a JNDI lookup with an untrusted address that might enable an attacker to run arbitrary Java code…
Sammidbest
1 vote, 1 answer

Python logging module & indirect log4j vulnerability exposure?

Since the Python logging package is based on PEP 282 and influenced by Apache's log4j system, is this package impacted by the recent log4j vulnerabilities? My knowledge of this particular module is limited so I'm hoping somebody here is a bit…
Billie
0 votes, 1 answer

Leveraging Java's sandbox to mitigate CVE-2021-44228 (log4j2 remote code execution)?

The Java security manager deprecation notwithstanding (JEP-411, Deprecate the Security Manager for Removal), would enabling a sandbox mechanism by leveraging the Java security manager (and associated class-loading mechanisms) be a good approach? As I…
Ravindra HV
0 votes, 1 answer

Fix for log4j vulnerability (CVE-2021-44228) for Apache Storm?

There is no version of Apache Storm which doesn't use log4j 2.x (which is affected by the CVE-2021-44228 vulnerability). I found this fix on the log4j website: you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar…
0 votes, 1 answer

How to build log4j2 2.8.2 with the latest fixes

I am remediating my Jetty Java apps for CVE-2021-44228 and the other similar log4j findings. I tried to upgrade to 2.17.0 but not all my apps can upgrade because some of them rely on older versions of Jetty that do not work with the new log4j due…
Nicholas DiPiazza
0 votes, 1 answer

How do I help mitigate log4j via haproxy on Enterprise Linux?

Based on this post, haproxy has provided mitigation ACL rules that can be used to help fight against log4j attack requests getting proxied to the affected log4j apps. In reading some of the user comments, it came to my attention that many…
0 votes, 1 answer

How to find and fix if a jar is using a vulnerable version of log4j in Windows/Linux/Mac

log4j security vulnerability find and fix? Any tool to help find the current usage of the log4j version and a fix for a Spring Boot app.
0 votes, 0 answers

Does a reduced logging level somewhat mitigate CVE-2021-44228?

I believe I saw it mentioned in one of the security advisories about CVE-2021-44228 that reducing the logging level to ERROR or below can mitigate the vulnerability to some degree. I can't seem to find the same advisory again, possibly that piece of…
Primoz
0 votes, 1 answer

CVE-2021-44228 + slf4j + common-logging

I am using slf4j in my project with the following: implementation "org.slf4j:slf4j-api:${versions.slf4japi}" (1.7.32) implementation "org.slf4j:slf4j-simple:${versions.slf4jsimple}" (1.7.32) I am really confused because I don't have the…
Benjamin
-2 votes, 1 answer

Log4j2 Vulnerability in version 2.16.0

Our system is a microservices-based system. It has more than 120 services. We were advised to upgrade the log4j version in our microservices to 2.16.0 to mitigate the recent log4j vulnerability. Currently, our services use the 2.11.2 version. Can't…
Keaz