
Properly nail log4j security leak #1349

Closed
splatch opened this issue Dec 16, 2021 · 5 comments

Comments

@splatch
Contributor

splatch commented Dec 16, 2021

The current fix for the log4j CVE provided via #1346 is not complete and definitive, since there is still an area which allows the vulnerability to be exploited.

splatch added a commit to splatch/openhab-distro that referenced this issue Dec 16, 2021
@jcz1

jcz1 commented Dec 17, 2021

FYI, the severity of CVE-2021-45046 is now Critical even with log4j 2.15 and LOG4J_FORMAT_MSG_NO_LOOKUPS.

https://logging.apache.org/log4j/2.x/security.html

@kaikreuzer
Member

Where does it say critical? I only see "moderate severity" and only for use cases that do not apply to us.
On https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it even says low with a base score of 3.7.

@jcz1

jcz1 commented Dec 17, 2021

F5 maybe? :-)

"Severity is now Critical

CVE-2021-45046 | Remote Code Execution
Severity | Critical
Base CVSS Score | 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Versions Affected | All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2"

"The original severity of this CVE was rated as Moderate; since this CVE was published security experts found additional exploits against the Log4j 2.15.0 release, that could lead to information leaks, RCE (remote code execution) and LCE (local code execution) attacks.

Base CVSS Score changed from 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) to 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

The title of this CVE was changed from mentioning Denial of Service attacks to mentioning Remote Code Execution attacks."

"Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1."
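
A defensive version check, added here as an example and not code from the openHAB project or from anyone in this thread: it classifies log4j-core versions against the affected range quoted above (all versions from 2.0-beta9 to 2.15.0, excluding 2.12.2), which is the check to run instead of relying on the formatMsgNoLookups property or %m{nolookups}. The jar names in SAMPLE_JARS are constructed, and the parser assumes log4j's own 2.x version layout (digits plus an optional alpha/beta/rc qualifier).

```python
"""Classify log4j-core versions against the CVE-2021-45046 affected range
quoted from the Log4j security page: 2.0-beta9 .. 2.15.0, excluding 2.12.2.

Added example; not part of the openHAB distro. SAMPLE_JARS is constructed.
"""
import re

# Pre-release qualifiers sort before the final release of the same number.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(v):
    """Turn '2.0-beta9' into (2, 0, 0, 1, 9) and '2.15.0' into (2, 15, 0, 3, 0).

    Tuple layout: (major, minor, patch, qualifier_rank, qualifier_number).
    Plain tuple comparison then orders 2.0-beta8 < 2.0-beta9 < 2.0-rc1 < 2.0.
    Assumes the version layout log4j 2.x actually uses.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = _QUALIFIER_RANK[qual] if qual else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


# Range exactly as quoted in the advisory text above.
AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.15.0")
EXCLUDED = {parse_version("2.12.2")}


def is_affected(version):
    """True if this log4j-core version is inside the quoted affected range."""
    pv = parse_version(version)
    return AFFECTED_LOW <= pv <= AFFECTED_HIGH and pv not in EXCLUDED


# Only log4j-core carries the vulnerable lookup code; log4j-api is ignored.
_JAR_RE = re.compile(r"log4j-core-(.+)\.jar$")


def version_from_jar_name(name):
    """Extract the version from a log4j-core jar filename, or None."""
    m = _JAR_RE.search(name)
    return m.group(1) if m else None


def scan_jar_names(names):
    """Map each log4j-core jar name to its affected status; skip other jars."""
    result = {}
    for n in names:
        v = version_from_jar_name(n)
        if v is not None:
            result[n] = is_affected(v)
    return result


SAMPLE_JARS = [  # constructed filenames, not from a real distribution
    "lib/log4j-core-2.15.0.jar",
    "lib/log4j-core-2.12.2.jar",
    "lib/log4j-core-2.0-beta9.jar",
    "lib/log4j-core-2.0-beta8.jar",
    "lib/log4j-core-2.16.0.jar",
    "lib/log4j-api-2.15.0.jar",
]

if __name__ == "__main__":
    for jar, affected in scan_jar_names(SAMPLE_JARS).items():
        print(f"{jar}: {'AFFECTED' if affected else 'ok'}")
```

Run it against the jar names found under the distribution's lib directory; any entry reported AFFECTED needs the upgrade, regardless of which lookup-disabling property or pattern is set.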

@kaikreuzer
Member

Ok, thanks. F5 does not help - seems I am on a CDN that still serves the previous version...

@splatch
Contributor Author

splatch commented Dec 19, 2021

Solved through #1354 and #1355.

@splatch splatch closed this as completed Dec 19, 2021

3 participants