Questions tagged [log4shell]

For questions regarding the impact of, mitigation strategies and fixing the security issue Log4Shell (CVE-2021-44228) in the Log4j java logging framework.

Log4Shell (CVE-2021-44228) was a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution.

See https://en.wikipedia.org/wiki/Log4Shell

16 questions

19 votes, 2 answers

How can I mitigate the Log4Shell vulnerability in version 1.2 of Log4j?

I've got a very old version of Solr and I've been trying to see if it is affected by the Log4Shell vulnerability that everybody is freaking out about (CVE-2021-44228). The CVE only seems to apply to later versions, but a colleague doesn't buy it, so…
mlissner
3 votes, 3 answers

Log4j Vulnerability in 3rd party applications like apache zookeeper

Apache zookeeper uses log4j 1.2, which is vulnerable to RCE. To rectify this issue we planned to exclude log4j 1.2 and include log4j 2.17.1 core and log4j 2.17.1 api in the dependency. It doesn't help. Can somebody please suggest how to exclude…
joe
3 votes, 1 answer

Log4j 2.17 binary backward compatibility - direct replacement

Can I simply replace log4j-core-2.x (e.g. 2.8.2) with 2.17.1 without breaking backward compatibility? In other words, is the Log4j project following Semantic Versioning? The Log4J official changelog does not provide any clear statement on that. But this…
3 votes, 2 answers

Is Drools Business Rules Management impacted by CVE-2021-44228

We are using Drools for our business rules. Is Drools impacted by/exposed to CVE-2021-44228 (the Log4Shell or Log4J/Apache/Java vulnerability)?
Stephen
3 votes, 5 answers

What is the easiest way in Maven pom.xml to upgrade all usages of log4j2 to 2.15.0, including dependencies using log4j2? See CVE-2021-44228

A severe security vulnerability was found for log4j2 <= 2.14.1 (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228). How can I update the pom.xml of a Spring Boot application to make sure that all (recursive) usages of log4j2 use version 2.15.0?
2 votes, 2 answers

Issue with log4j 2.17.0 update: ClassNotFoundException SetUtils

After the version bump to log4j 2.17.0 this exception was raised during the unit tests: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.util.SetUtils. How can I work around this problem?
freedev
0 votes, 1 answer

Is zookeeper 3.6.0 compatible with kafka 2.2.1?

We are currently using kafka 2.2.1 and zookeeper 3.5.9. We are trying to upgrade zookeeper to 3.6.0 because of the log4j workaround (as zookeeper 3.6 has no explicit dependency on log4j 1.x). Unfortunately we cannot upgrade kafka to a…
0 votes, 2 answers

Failed to instantiate SLF4J LoggerFactory while upgrading log4j version

I am trying to upgrade the log4j version in the kafka and zookeeper docker image from 1.x.x to 2.x.x. Docker commands: RUN rm /zookeeper-3.5.9/lib/log4j-1.2.17.jar RUN wget…
0 votes, 0 answers

Tomcat9 Log4Shell attack

Cookie.logInvalidHeader A cookie header was received…
mona
0 votes, 1 answer

log4shell POC : no HTTP redirect

I am trying to understand/reproduce Log4shell vulnerability, using this poc and also information from Marshalsec. To do that, I've downloaded Ghidra v10.0.4, which is said (on Ghidra download page) to be vulnerable to log4shell. Installed it on an…
Ablia
0 votes, 1 answer

How to prevent a Java application from executing processes on GNU/Linux?

In other words, are modern GNU/Linux or JVM (ideally Java 11+) able to prevent a Java process from executing other processes? Issues such as Log4Shell and Spring4Shell seem possible because the JVM allows a Java application to execute other…
pyb
0 votes, 1 answer

How to find log4shell vulnerable classes in my assemblies (jar/ear/war)

Given the current log4shell situation, I need a way to find out if I have vulnerable classes in my packaged products. What is the easiest way to find out if the following classes are contained in jar files packaged in an EAR or WAR…
fl0w
0 votes, 1 answer

hotfix securing many log4j jars against log4shell

I have to secure some servers against CVE-2021-44228 aka log4shell. Those machines are running Linux and have a huge amount of log4j jars all over the place, some from app servers, some from legacy software, etc. I fear it is not possible to update…
Marcus
0 votes, 1 answer

Would dropping LDAP callbacks prevent Log4Shell?

I am trying to upgrade my log4j version to 2.15.0. This should take me a while as I have to upgrade other stuff as well. My question is: will dropping LDAP callbacks on both ports 363 and 636 on my server prevent the log4shell attack?
-3 votes, 1 answer

Making unused log4j2 jar libs safe

With regard to mitigating actions for the log4j2 RCE issues: we have several instances, e.g., Oracle client installations on Windows 2012 R2, where it appears that while a version of a log4j2 jar is present, usually version 1.x, it is not being…