Properly nail log4j security leak #1349
Comments
Signed-off-by: Łukasz Dywicki <[email protected]>
FYI, Severity of CVE-2021-45046 is now Critical even with log4j 2.15 and LOG4J_FORMAT_MSG_NO_LOOKUPS

Where does it say critical? I only see "moderate severity" and only for use cases that do not apply to us.

F5 maybe? :-) "Severity is now Critical CVE-2021-45046 | Remote Code Execution"

"The original severity of this CVE was rated as Moderate; since this CVE was published security experts found additional exploits against the Log4j 2.15.0 release, that could lead to information leaks, RCE (remote code execution) and LCE (local code execution) attacks. Base CVSS Score changed from 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) to 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). The title of this CVE was changed from mentioning Denial of Service attacks to mentioning Remote Code Execution attacks."

"Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1."

Ok, thanks. F5 does not help - seems I am on a CDN that still serves the previous version...
The current fix for the log4j CVE provided via #1346 is not complete and definitive, since there is still an area which allows the vulnerability to be exploited.
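The thread's point is that a log4j-core 2.15.0 with `LOG4J_FORMAT_MSG_NO_LOOKUPS` set (or a `%m{nolookups}` pattern on an older release) still counts as affected by CVE-2021-45046, so a dependency audit must not accept those settings as a fix. The following script is an added example, not code from this project or from anyone in the thread: it encodes the "insufficient mitigation" ranges quoted above as a check over `mvn dependency:tree` output. The fixed releases (2.16.0, and the 2.12.2 backport for Java 7) come from the Apache Log4j advisory and are not stated on this page; the dependency tree fed to it is constructed sample text.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Fix releases taken from the Apache Log4j advisory for CVE-2021-45046
# (assumption: the thread quotes affected ranges but never names the fix).
FIXED_RELEASE = (2, 16, 0)          # Java 8 line
FIXED_JAVA7_BACKPORT = (2, 12, 2)   # Java 7 backport

# Ranges quoted in the thread for which each mitigation is insufficient.
FORMAT_MSG_NO_LOOKUPS_MIN = (2, 10, 0)           # property / env var exists from 2.10
PATTERN_NOLOOKUPS_RANGE = ((2, 7, 0), (2, 14, 1))  # %m{nolookups} et al.


def parse_version(text: str) -> tuple[int, int, int]:
    """'2.15.0' -> (2, 15, 0); '2.15' -> (2, 15, 0); qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


@dataclass
class Finding:
    artifact: str
    version: str
    vulnerable: bool
    reason: str


def assess(version: str, *, format_msg_no_lookups: bool = False,
           pattern_nolookups: bool = False,
           artifact: str = "org.apache.logging.log4j:log4j-core") -> Finding:
    """Classify one log4j-core version against CVE-2021-45046; the configured
    mitigations are reported but, per the advisory text quoted in the thread,
    never clear the finding."""
    v = parse_version(version)
    if v[0] != 2:
        return Finding(artifact, version, False,
                       "not a Log4j 2.x release; CVE-2021-45046 does not apply")
    if v >= FIXED_RELEASE or v == FIXED_JAVA7_BACKPORT:
        return Finding(artifact, version, False, "fixed release")

    notes = []
    if format_msg_no_lookups and v >= FORMAT_MSG_NO_LOOKUPS_MIN:
        notes.append("log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS is insufficient")
    lo, hi = PATTERN_NOLOOKUPS_RANGE
    if pattern_nolookups and lo <= v <= hi:
        notes.append("%m{nolookups} is insufficient")
    reason = "affected release"
    if notes:
        reason += "; " + "; ".join(notes)
    return Finding(artifact, version, True, reason + "; upgrade to 2.16.0 or later")


# Matches the artifact and version fields of a `mvn dependency:tree` line.
DEP_LINE = re.compile(r"(org\.apache\.logging\.log4j:log4j-core):jar:([^:\s]+):")


def scan_dependency_tree(tree: str, **mitigations: bool) -> list[Finding]:
    """Run assess() over every log4j-core line of `mvn dependency:tree` output."""
    findings = []
    for line in tree.splitlines():
        m = DEP_LINE.search(line)
        if m:
            findings.append(assess(m.group(2), artifact=m.group(1), **mitigations))
    return findings


# Constructed sample of `mvn dependency:tree` output (not from the project).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

if __name__ == "__main__":
    # The situation discussed in the thread: 2.15.0 with LOG4J_FORMAT_MSG_NO_LOOKUPS set.
    for f in scan_dependency_tree(SAMPLE_TREE, format_msg_no_lookups=True):
        status = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{status:10} {f.artifact}:{f.version}  {f.reason}")
```

Only the version decides the outcome; the mitigation flags exist so that the report states explicitly why the setting an operator relied on does not count, which is the argument the thread makes for replacing the earlier fix with an upgrade.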