To mitigate, audit your logging configuration to ensure it has no JMSAppender configured. Patch to Log4j version 2.16 wherever possible, as it fully remediates known vulnerabilities.Ĭurrent intelligence indicates that applications using Log4j version 1.x are only vulnerable to CVE-2021-44228 when JNDI is used in their configuration. The following new information for updating the Apache Log4j utility was sent to U-M IT groups via email on December 16, 2021.
The fix in Apache Log4j was incomplete, and certain non-default configurations can allow remote code execution to attackers with control over Thread Context Map (MDC) input data. If you recently updated to version 2.15, you now need to update to version 2.16 as soon as possible. Refer to Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS for more information.Ī new remote code execution (RCE) vulnerability has been discovered in Log4j 2.15. If you have already upgraded to v2.16, you can follow standard patching guidelines in upgrading to 2.17. If you have not yet updated from v2.15 or earlier to 2.16, we recommend going directly to v2.17.
This is considered a High (7.5) vulnerability on the CVSS scale.
Log4j 2.16 and earlier does not always protect from infinite recursion in lookup evaluation, which can lead to DoS attacks. Log4j 2.17 has been released to address a Denial of Service (DoS) vulnerability found in v2.16 and earlier. All University of Michigan Tableau dashboards have been updated and are now available to users without the need to be on the university’s network or using the university virtual private network.
0 kommentar(er)
