Skip to content

Polaris: Automated PR: Update org.apache.logging.log4j:log4j-core:2.14.1 to 2.25.4#148

Open
github-actions[bot] wants to merge 1 commit into
mainfrom
BD-PR-Polaris-log4j-core_2.14.1_org.apache.logging.log4j-1776896825
Open

Polaris: Automated PR: Update org.apache.logging.log4j:log4j-core:2.14.1 to 2.25.4#148
github-actions[bot] wants to merge 1 commit into
mainfrom
BD-PR-Polaris-log4j-core_2.14.1_org.apache.logging.log4j-1776896825

Conversation

@github-actions

Copy link
Copy Markdown

critical: Update org.apache.logging.log4j:log4j-core:2.14.1 to 2.25.4

CVE-2021-44228 (critical): Apache Log4j, as used in many popular services, is vulnerable to improperly allowing lightweight directory access protocol (LDAP) access via Java naming and directory interface (JNDI). A remote attacker able to supply the end application with specially crafted input that is then processed by the Log4j subcomponent could cause the execution of arbitrary Java code.

Note

  • log4j-api packages by themselves do not contain the vulnerable functionality and are therefore unaffected. log4j-core packages and the upstream overarching source repository are affected.

  • A previously suggested mitigation of setting environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true is not recommended. This mitigation has been proven inadequate against this vulnerability.

  • This vulnerability is partially fixed in 2.15.0-rc2 by this commit and this commit. These fixes were deemed incomplete. See BDSA-2021-3779 (CVE-2021-45046) for more details.

This vulnerability is listed as exploitable by the Cybersecurity & Infrastructure Security Agency in their Known Exploited Vulnerabilities Catalog.

critical: Update org.apache.logging.log4j:log4j-core:2.14.1 to 2.25.4

CVE-2021-45046 (critical): It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Click Here To See More Details On Server

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants