CVE-2021-44228 log4j Remote Code Execution Vulnerability
-
Until Mango is patched to use log4j 2.15 (currently 2.10 on Mango 3.7.7) you can do the following:
> "Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages."
I just tested on my laptop and I'm no longer able to recreate the vuln, yet you will lose logs.
(Have not tested in production, do not know if any bugs will occur due to the mitigation)
See:
https://logging.apache.org/log4j/2.x/index.html
https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
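As an added example (not part of the post above and not Mango's own tooling), the check below classifies a log4j-core version and a set of JVM options or log4j2.component.properties text against the two thresholds quoted in this thread: 2.15 as the fixed release and 2.10 as the oldest release on which the formatMsgNoLookups setting is honoured. The jar filename and JVM options are constructed sample inputs.

```bash
#!/bin/sh
# Added example: decide whether a log4j 2.x deployment is patched, mitigated by
# the formatMsgNoLookups setting, or still exposed. Thresholds (2.15 fixed,
# 2.10 minimum for the flag) are the ones quoted in the thread above.

# Compare two "major.minor.patch" strings numerically; echo -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# True when the lookup-disabling setting is present, either as a -D JVM option
# or as a line in a log4j2.component.properties body.
has_nolookups() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]]|-D)log4j\.formatMsgNoLookups=true'
}

# log4j_status VERSION SETTINGS -> patched | mitigated | flag-ineffective | vulnerable
log4j_status() {
    ver="$1"; settings="$2"
    if [ "$(vercmp "$ver" 2.15.0)" -ge 0 ]; then echo patched; return; fi
    if has_nolookups "$settings"; then
        # The property only takes effect from 2.10 onward (see the quote above).
        if [ "$(vercmp "$ver" 2.10.0)" -ge 0 ]; then echo mitigated; else echo flag-ineffective; fi
        return
    fi
    echo vulnerable
}

# Pull the version out of a log4j-core jar filename, e.g. log4j-core-2.10.0.jar
jar_version() {
    printf '%s\n' "$1" | sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Constructed sample: the 2.10 jar the thread mentions, with and without the flag.
main() {
    jar="log4j-core-2.10.0.jar"   # constructed filename
    v="$(jar_version "$jar")"
    echo "$jar without flag: $(log4j_status "$v" "-Xmx512m")"
    echo "$jar with flag:    $(log4j_status "$v" "-Xmx512m -Dlog4j.formatMsgNoLookups=true")"
}
main
```

On a live host, feed `log4j_status` the version parsed from the log4j-core jar on Mango's classpath and the JVM options reported by `ps` or the process's command line.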
-
Thanks for the note! It's been a top priority today, and we are happy to have a resolution for everyone as of an hour ago. This vulnerability is going to be a pretty big deal for lots of software out in the wild, and we are super pleased we were able to get a fix out, and roll both 3.7 and 4.2 updates pretty much in hours for everyone.
Please see the info here: https://forum.mango-os.com/topic/5404/apache-cve-2021-44228-log4j-remote-code-execution-vulnerability-resolution
Have a wonderful weekend!
Mike.